Problem solve Get help with specific problems with your technologies, process and projects.

Securing SAN's with iSCSI

Bits & Bytes: According to Peter Hayden, correctly configured, iSCSI-based arrays offer the highest level of security available in SAN technologies. Read why here.

Built on the foundation of IP technology, iSCSI brings a wealth of standardized security features to storage area networks (SANs). iSCSI security offers a critical level of interoperability with existing authentication management systems along with proven IP security protocols. By leveraging existing IP networking expertise, businesses today can create affordable, secure IP-SANs that are easy to build and manage.

Some people hear IP-SAN, and think every hacker on the internet will have free access to their storage networks. Nothing could be further from the truth. Correctly configured, iSCSI-based arrays offer the highest level of security available in SAN technologies.

ISCSI networks provide a number of integrated security features. Passwords are required for array management and group membership protocols between arrays are always authenticated. Most importantly from the point of view of securing the data, access controls are provided for each volume. Per volume access controls can be a combination of initiator name, initiator IP address, and strong CHAP authentication. Secure authentication of any kind is a security feature not available with Fibre Channel technology.

Since gigabit ethernet is a switched fabric with point-to-point connectivity, it is nearly impossible to snoop packet traffic without physical access to the network and an analyzer on hand. Within the physical storage site, walking off with a backup tape or a hot swap disk drive is far simpler than connecting up a real-time analyzer.

The storage network itself can be easily partitioned from the rest of the LAN. By blocking the iSCSI TCP/IP port 3260, a feature available in every off-the-shelf router and firewall on the market, the administrator can quickly secure the SAN while optionally allowing management ports access to the system.

Multiple storage sites and volume replication

The security features described thus far are more than suitable for securing a single storage site. However, for linking up multiple storage sites over larger networks, more precautions must be taken.

Replicating volumes for disaster tolerance across large corporate local area networks, metropolitan area networks or even wide area networks require stronger security measures. IP offers a built in solution: IPSec. Virtual Private Networks (VPNs), using IPSec, provide well-established solutions for creating secure, virtual point-to-point IP bridges across un-trusted mediums such as the Internet. Numerous vendors provide a plethora of VPN gateway appliances servicing a wide market from home IPSec VPN routers to Enterprise VPN Gateway Switches.

By securing multiple storage sites with IPSec VPN gateways, business can simply setup and manage secure site replication.

About the author

Peter Hayden is CEO at Nashua, N.H.-based EqualLogic.

For more information on IP security:

Audit your SAN's security risks

SAN/NAS encryption complexity

Do you want to see more articles or insights from noted industry observers? Visit the complete Bits & Bytes column library.

Dig Deeper on SAN technology and arrays

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.