Tag Archives: network design

iSCSI Security in VMware

Fibre Channel seems to be losing its popularity and more people are turning to iSCSI as the block storage protocol of choice. If you don’t already have an FC fabric, why introduce one into your design now? So when choosing iSCSI, or any other storage protocol, for storage connectivity, you’ll have to take security into consideration during the implementation.
Security is one of the pillars of infrastructure design quality, and every system should be designed for it from its inception. The protection mechanism should be proportional to the criticality or importance of the data or system you’re protecting to the organization. To secure your SAN you should:

  • Assess configurations
  • Test secure mechanism effectiveness
  • Identify holes
  • Quantify risks
  • Implement practical security solutions for high risk exposures

The EMC article titled “Building Secure SANs” has a nice table illustrating the different security categories and the mechanisms that protect each. I’ll just show the IP SAN section:

Security Category | IP SAN Mechanisms | VMware Supported
Availability | QoS | Yes, also SIOC and NIOC
Authentication | CHAP | Yes
Authentication | KBR | No
Authentication | RADIUS | No
Authentication | TACACS+ | No
Authentication | Kerberos | No
Authentication | SRP | No
Authorization | iSNS | No
Authorization | LUN Masking | Yes
Authorization | VLAN Tagging | Yes
Authorization | Port controls | Yes
Auditing | ACL, SSH, SSL | Yes
Encryption | IPSec, in-transit algorithms, at-rest algorithms | No
Integrity | IPSec (AH), MD5 hash, SHA-1 hash | No

Security should be applied in a multi-pronged approach, with protection at multiple levels. By enforcing good security standards and principles you can build a network that helps mitigate the risks from vulnerabilities in your iSCSI storage.
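CHAP is the only authentication mechanism in the table that VMware supports for iSCSI, so it is worth seeing what that login actually checks. The following is an added example, not code from this post, from VMware or from EMC: a toy target and initiator that run the iSCSI CHAP exchange (MD5 over the CHAP identifier, the shared secret and the challenge, per RFC 1994 as used by RFC 7143), for both unidirectional and mutual CHAP. The initiator names, secrets and session labels are constructed for the example.

```python
import hashlib
import hmac
import os


def chap_response(chap_id, secret, challenge):
    # CHAP_R = MD5(CHAP_I || secret || CHAP_C); the secret never crosses the wire.
    return hashlib.md5(bytes([chap_id & 0xFF]) + secret + challenge).digest()


class ChapTarget:
    """Target side of an iSCSI CHAP login (constructed for this example)."""

    def __init__(self, initiator_secrets, target_secret=b""):
        self.initiator_secrets = initiator_secrets  # CHAP_N name -> secret
        self.target_secret = target_secret          # used only for mutual CHAP
        self.pending = {}                           # session -> (CHAP_I, CHAP_C)

    def challenge(self, session):
        chap_id, chap_c = os.urandom(1)[0], os.urandom(16)
        self.pending[session] = (chap_id, chap_c)
        return chap_id, chap_c

    def verify(self, session, chap_n, chap_r):
        # Each challenge is consumed once, so a captured CHAP_R cannot be replayed.
        issued = self.pending.pop(session, None)
        secret = self.initiator_secrets.get(chap_n)
        if issued is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(issued[0], secret, issued[1]), chap_r)

    def answer(self, chap_id, chap_c):
        # Mutual CHAP: the target proves knowledge of its own secret to the initiator.
        return chap_response(chap_id, self.target_secret, chap_c)


def initiator_login(target, session, chap_n, secret, expected_target_secret=None):
    # Returns (initiator_authenticated, target_authenticated). The second value is
    # None for unidirectional CHAP, where the initiator never verifies the target.
    chap_id, chap_c = target.challenge(session)
    ok = target.verify(session, chap_n, chap_response(chap_id, secret, chap_c))
    if not ok or expected_target_secret is None:
        return ok, None
    my_id, my_c = os.urandom(1)[0], os.urandom(16)
    expected = chap_response(my_id, expected_target_secret, my_c)
    return ok, hmac.compare_digest(target.answer(my_id, my_c), expected)


# Constructed initiator IQN and secrets for the example.
TARGET = ChapTarget({"iqn.2011-01.example:esx01": b"initiatorsecret1"}, b"targetsecret0001")
```

With unidirectional CHAP the target learns who the initiator is, but the initiator accepts whatever target answered; mutual CHAP closes that gap, which is why VMware exposes both modes.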

Studying for CCDA: What is PPDIOO?

I’ve been studying for the Cisco Certified Design Associate (CCDA) to give me a better insight and view of the Cisco design methodology. I’m trying to be well rounded overall and this is one of my weaker areas. It’s been interesting and I’m learning a lot about how Cisco sees the building blocks of a network design.

I came across the acronym PPDIOO which stands for Prepare, Plan, Design, Implement, Operate, and Optimize.

This is the network lifecycle. Each phase builds up to the next and provides a roadmap of how a network should be designed, implemented and upgraded.

PPDIOO Phase | Description
Prepare | Establishes organizational and business requirements, develops a network strategy, and proposes a high-level architecture
Plan | Identifies the network requirements by characterizing and assessing the network, performing a gap analysis
Design | Provides high availability, reliability, security, scalability, and performance
Implement | Installation and configuration of new equipment
Operate | Day-to-day network operations
Optimize | Proactive network management; modifications to the design

These phases sound very familiar and match up with other design frameworks, ontologies and methodologies. What they all share is a central focus on logically breaking down each step to provide a repeatable process in which every point is thought out.