iSCSI Security in VMware

Fibre Channel seems to be losing its popularity, and more people are turning to iSCSI as the block storage protocol of choice. If you don’t already have an FC fabric, why introduce one into your design now? Whether you choose iSCSI or any other storage protocol for connectivity, you’ll have to take security into consideration when implementing it.
Security is one of the pillars of infrastructure design, and every system should be designed with it in mind from its inception. The protection mechanism should be proportional to the criticality or importance to the organization of the data or system you’re trying to protect. To secure your SAN you should:

  • Assess configurations
  • Test the effectiveness of security mechanisms
  • Identify holes
  • Quantify risks
  • Implement practical security solutions for high-risk exposures

The EMC article titled “Building Secure SANs” has a nice table illustrating the different security categories and the mechanisms that protect each one. I’ll just show the IP SAN section:

| Security Category | IP SAN Mechanisms | VMware Supported |
|---|---|---|
| Availability | QoS | Yes, also SIOC and NIOC |
| Authentication | CHAP | Yes |
| | KBR | No |
| | RADIUS | No |
| | TACACS+ | No |
| | Kerberos | No |
| | SRP | No |
| Authorization | iSCN | No |
| | LUN Masking | Yes |
| | VLAN Tagging | Yes |
| | Port controls | Yes |
| Auditing | ACL, SSH, SSL | Yes |
| Encryption | IPSec, In-transit Algorithms, At-rest Algorithms | No |
| Integrity | IPSec (AH), MD5 hash, SHA-1 hash | No |

Security should be applied in a multi-pronged approach, with protection at multiple levels. By enforcing good security standards and principles, you can build a network that helps mitigate the risk that vulnerabilities pose to your iSCSI storage.
