Securing iSCSI for Data Backup and Disaster Recovery

Slides: 18
Provided by: shar323
Learn more at: http://cs.uccs.edu

1
Securing iSCSI for Data Backup and Disaster Recovery
  • James Hughes

CS526 5/03/05 James W. Hughes 1
2
Overview
  • Introduction / Motivation
  • Brief Overview of iSCSI
  • Strategies for Securing iSCSI
  • Conclusion
  • References

3
Introduction / Motivation
  • Learn About a New Technology
  • Attempt to Pass It On
  • Brief Backup and Disaster Recovery Scenario

4
Brief Overview of iSCSI
  • iSCSI Protocol
  • Protocol Data Units
  • Encapsulation of iSCSI PDU

5
Strategies for Securing iSCSI
  • Access Control Lists (ACLs)
  • Strong Authentication Schemes
  • Secure Management Interfaces
  • Encrypt Exposed Network Traffic
  • Encrypt Data at Rest

6
Conclusion
  • iSCSI is an Alternative to Fibre Channel
  • Overview of iSCSI Protocol
  • Strategies for Securing iSCSI

7
Questions
8
References
  • Hewlett-Packard, (2005). iSCSI Overview. PowerPoint Presentation
  • Foskett, S., (07 Apr 2005), Five ways to secure iSCSI, http://searchstorage.techtarget.com/tip/1,289483,sid5_gci1076436,00.html
  • Harwood, M., (27 Jan 2004), Storage Basics: Securing iSCSI using IPSec, http://www.enterprisestorageforum.com/ipstorage/features/article.php/11567_3304621_1
  • Network Sorcery, (n.d.), CHAP, Challenge Handshake Authentication Protocol, http://www.networksorcery.com/enp/protocol/CHAP.htm

9
Access Control Lists (ACLs)
  • Implementations
      • IP Address
      • Initiator Name
      • MAC Address
  • Provides a means of dividing storage resources among clients.
  • Not a strong security method.

10
Strong Authentication Schemes
  • Challenge Handshake Authentication Protocol (CHAP)
  • Two-way Authentication
  • Protects against Playback Attacks
  • Remote Authentication Dial-In User Service (RADIUS)
  • Drawback: Passwords must be stored on both sides
  • RADIUS service can be difficult to configure
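
As an added illustration (not part of the original slides), the sketch below runs the CHAP exchange listed above in both directions using the RFC 1994 MD5 response, and shows why a captured response cannot be played back. The class name, the constructed secrets and the demo flow are assumptions made for the example.

```python
import hashlib
import hmac
import os


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response for MD5: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class ChapVerifier:
    """Authenticator side of one direction; it must store the peer's secret."""

    def __init__(self, peer_secret: bytes):
        self.peer_secret = peer_secret
        self.next_id = 0
        self.pending = {}  # identifier -> challenge not yet answered

    def new_challenge(self):
        ident, self.next_id = self.next_id, (self.next_id + 1) % 256
        self.pending[ident] = os.urandom(16)  # fresh random challenge per attempt
        return ident, self.pending[ident]

    def verify(self, ident: int, response: bytes) -> bool:
        # pop() makes every challenge single-use, which is what defeats playback
        challenge = self.pending.pop(ident, None)
        if challenge is None:
            return False
        expected = chap_response(ident, self.peer_secret, challenge)
        return hmac.compare_digest(expected, response)


def demo():
    # Constructed secrets, one per direction (hypothetical values)
    initiator_secret = b"constructed-initiator-secret"
    target_secret = b"constructed-target-secret"
    target = ChapVerifier(initiator_secret)   # target authenticates initiator
    initiator = ChapVerifier(target_secret)   # initiator authenticates target

    ident, challenge = target.new_challenge()
    captured = chap_response(ident, initiator_secret, challenge)
    forward = target.verify(ident, captured)
    ident2, challenge2 = initiator.new_challenge()
    reverse = initiator.verify(ident2, chap_response(ident2, target_secret, challenge2))
    replay_same = target.verify(ident, captured)    # challenge already consumed
    ident3, _ = target.new_challenge()
    replay_fresh = target.verify(ident3, captured)  # old response, new challenge
    return forward, reverse, replay_same, replay_fresh


if __name__ == "__main__":
    print(demo())
```

Each verifier holds the other side's secret in recoverable form, which is the storage drawback the slide notes.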

11
Secure Management Interfaces
  • Lesson Learned From Fibre Channel
  • Limit Usage
  • Enforce Strong Passwords
  • Verify Vendor Accounts Removed or Disabled

12
Encrypt Exposed Network Traffic
  • IP security (IPsec)
  • Authentication Headers (AH)
  • Authentication: Kerberos v5, Public Key Certificates (PKIs), and Preshared keys
  • Integrity: Message Digest 5 (MD5) and Secure Hash Algorithm 1 (SHA1)
  • Encapsulating Security Payloads (ESP)
  • Data Encryption Standard (40-bit)
  • Data Encryption Standard (56-bit)
  • Triple DES (3DES) (168-bit)

13
Encrypt Data at Rest
  • Full Disk Encryption
  • Security Appliances
  • Backup Tape Encryption

14
iSCSI Protocol
  • A transport protocol for SCSI that operates over
    TCP/IP

[Diagram label: host SCSI command set]
15
Protocol Data Units
  • Consist of SCSI commands, data, and responses for
    TCP handling

[Diagram: a Protocol Data Unit (PDU) made up of an iSCSI Header and iSCSI Data]
16
Encapsulation of iSCSI PDU
  • destMAC: 6 bytes
  • srcMAC: 6 bytes
  • Ethertype: 2 bytes
  • data: 46 to 1500 bytes (IP, TCP, iSCSI PDU)
  • FCS (CRC): 4 bytes
17
Scenario