Storage administrators have a number of possible options when looking to secure NAS and iSCSI IP-enabled storage devices, and deployment scenarios are a key factor in choosing the appropriate methods.
Methods of iSCSI security range from physically or virtually separating storage traffic from the LAN (Layer 1 to 3 approaches) to the application of high-level encryption methods to TCP/IP packets (Layer 4 to 6). What you will opt for will depend on cost and practicality as well as whether your IP storage traffic will traverse public networks.
Network Layer 1 to 3 approaches
In a private network, iSCSI security best practices call for physically isolating storage IP traffic from general network traffic.
In a physically separate Ethernet storage network environment, there is no contention with general network traffic. This facilitates an optimum flow of storage IP traffic between clients and host storage. And the fact that the environment is physically closed means that the hardware can be secured and IP storage traffic protected against the danger of interception. In this deployment scenario, further layers of network security might not be necessary, especially as further iSCSI security measures impose a load that can affect performance.
Where physically separate network implementations are not feasible and IP storage traffic has to use the same hardware as general network traffic, the next best iSCSI security option is to implement a specific virtual LAN (VLAN) dedicated to IP storage traffic.
Resources from the main network can be assigned to achieve a guaranteed performance level and IP storage packets tagged as part of a network quality of service (QoS) policy.
Some vendors’ switches feature built-in encryption, and these can also be activated to keep the encryption and decryption load away from clients and hosts.
Where storage traffic passes across public networks such as the Internet and could be subject to capture and analysis, these lower network layer-based approaches are obviously ineffective, and higher level solutions are needed to ensure IP storage traffic security.
Network Layer 4 to 6 approaches
As iSCSI relies on TCP/IP communication, the IP Security (IPsec) framework can be used to achieve increased iSCSI security for IP-based storage traffic. IPsec, operating in two modes, authenticates and encrypts each packet in an IP data stream. In transport mode, only the payload in each IP packet is encrypted. The IP header is left unencrypted, so packet routing functions normally. In tunnel mode, on the other hand, the entire IP packet – including the IP header -- is encrypted. This means the whole encrypted packet must be encapsulated in a new unencrypted IP packet so that routing can function properly and the packet can reach its correct network destination.
The main examples of IPsec-based approaches to iSCSI and file-based services IP storage traffic are as follows:
- Challenge Handshake Authentication Protocol (CHAP). This protocol is the most commonly used authentication method for IP-based storage and is included on most iSCSI-based storage devices. This method provides authentication and a shared encryption key so iSCSI traffic can safely traverse unsecured networks.
CHAP uses a one-way, three-phase process that authenticates initiators against target devices; once the connection has been established, authorisation rules define a set of allowed actions from the source. Traffic can also then be classified by a number of subcriteria, such as source IP address, VLAN ID or iSCSI Qualified Name (IQN), allowing layers of security and more complex security management rules to be implemented if required.
- RADIUS. Another, less commonly used authentication method for IP-based storage is Remote Authentication Dial-In User Service (RADIUS), which provides a centralised authentication service against server-stored credentials. RADIUS is now no longer considered secure in public network environments as the encryption protocol for the authenticator has been declared broken.
However, in combination with a remote access method such as a VPN (virtual private network), where a secure encrypted tunnel mode connection exists between private networks and a RADIUS request is passed across it, it is still a commonly used access method in scenarios including IP storage.
In addition, all the following encryption/authentication methods can also be used to secure iSCSI packets.
- Kerberos V5 (KRB5). Kerberos performs authentication as a trusted third-party service by using conventional cryptography in the form of a shared secret key. It will be most familiar to Windows systems administrators due to its use in the Windows logon process.
- Simple Public-Key Generic Security Services Application Programming Interface (GSSAPI) Mechanism 1/2 (SPKM1/2). This IPsec mechanism provides authentication, encryption key establishment, data integrity checking and data encryption in an online distributed application environment using public key infrastructure (PKI) encryption.
- Secure Remote Password (SRP). This IPsec method is suitable for negotiating secure connections via user-supplied passwords, whilst also performing a secure encryption key exchange during the process of password authentication.
IP-capable NAS and SAN storage from all the well-known names in the storage market feature IP security as standard. The general adoption of CHAP as the default security method of choice is common across most manufacturers of iSCSI- and file-based IP storage devices.
NetApp filers with iSCSI connectivity all feature support for CHAP authentication and IPsec.
Dell EqualLogic PS Series IP storage arrays have native support for CHAP and RADIUS.
EMC follows a similar path with CHAP and the full range of methods mentioned above to secure iSCSI traffic on its VNX and Celerra ranges.
Martin Taylor is converged network manager at the Royal Horticultural Society.
This was first published in June 2012