    Deploying iSCSI Storage Solutions on Microsoft Windows Server Platform

    Persistent Targets Tab

    Targets can be configured to be persistent, which means that the connection to the target is automatically restored when the system reboots. If the targets are configured to be persistent, they appear in this dialog box.

    Bound Volumes Tab

    If a host service or application depends on the availability of an iSCSI volume, it should be “bound” so that the iSCSI service includes each “bound” volume as part of its initialization.

    Security for iSCSI

    Security for iSCSI includes some security features in the iSCSI layer itself, separate from any security layers that may be present in the lower TCP, IP, and Ethernet layers. The iSCSI security features can be enabled or disabled, as desired.

    Each environment will need to address the issue of running storage traffic over the same network as the “public” LAN. Many will address this by running iSCSI storage traffic over a separate network or VLAN, which is the recommended best practice from Microsoft for applications using iSCSI storage. The items listed below are features of iSCSI which can provide increased security even if the iSCSI traffic is on a separate network.

    The Microsoft iSCSI initiator uses the Challenge Handshake Authentication Protocol (CHAP) to verify the identity of iSCSI host systems that attempt to access storage targets. With CHAP, the iSCSI initiator and the iSCSI target share a predefined secret. The initiator combines the secret with other information into a single value and computes a one-way MD5 hash of it; only the hash value is transmitted to the target. The target computes the same one-way hash over its own copy of the shared secret and the same other information, and if the two hash values match, the initiator is authenticated. The other information includes an ID value that increases with each CHAP dialog, which protects against replay attacks. Mutual CHAP, in which the target also authenticates itself to the initiator, is supported.

    CHAP is generally regarded as more secure than PAP, which sends the password itself rather than a hash. More information on CHAP and PAP is available in RFC 1334.
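As an added illustration (not code from the deployment guide or from the Microsoft initiator), the following Python models the CHAP exchange described above: the target issues an ID and a challenge, the initiator hashes ID, shared secret and challenge with MD5 and returns only the digest, and the target recomputes the digest from its own copy of the secret. It also shows why the increasing ID defeats a replayed response, and how mutual CHAP runs a second exchange in the reverse direction with a separate secret. The secrets and the 16-byte random challenge are constructed for the demonstration, and the ID/secret/challenge ordering follows RFC 1994 rather than anything stated on this page.

```python
import hashlib
import hmac
import os

# Constructed secrets for the demonstration only (not values from the document).
# Mutual CHAP uses a different secret in each direction.
INITIATOR_SECRET = b"demo-initiator-secret-1234"   # proves the initiator to the target
TARGET_SECRET = b"demo-target-secret-5678"         # proves the target to the initiator
WRONG_SECRET = b"demo-wrong-secret-0000"


def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5 over the one-octet ID, the shared secret and the challenge.
    Only this digest crosses the wire; the secret itself never does."""
    return hashlib.md5(bytes([chap_id & 0xFF]) + secret + challenge).digest()


class ChapVerifier:
    """The challenging side. For one-way CHAP this is the iSCSI target checking the
    initiator; for mutual CHAP the initiator runs one of these as well."""

    def __init__(self, peer_secret: bytes):
        self._secret = peer_secret   # the secret the peer must prove it knows
        self._id = 0
        self._pending = None         # (id, challenge) awaiting a single response

    def challenge(self) -> tuple[int, bytes]:
        # The ID increases on every dialog, so a digest captured from an earlier
        # round is bound to a stale ID (and a stale challenge) and will not verify.
        self._id = (self._id + 1) & 0xFF
        nonce = os.urandom(16)
        self._pending = (self._id, nonce)
        return self._id, nonce

    def verify(self, chap_id: int, response: bytes) -> bool:
        if self._pending is None:
            return False
        pending_id, nonce = self._pending
        self._pending = None         # each challenge accepts exactly one response
        if chap_id != pending_id:
            return False
        expected = chap_response(pending_id, self._secret, nonce)
        return hmac.compare_digest(expected, response)


def one_way_login(target: ChapVerifier, initiator_secret: bytes) -> tuple[bool, int, bytes]:
    """Target challenges, initiator answers. Returns (outcome, id, response) so the
    caller can later try to replay the same response against a new challenge."""
    chap_id, nonce = target.challenge()
    resp = chap_response(chap_id, initiator_secret, nonce)
    return target.verify(chap_id, resp), chap_id, resp


def mutual_login(target: ChapVerifier, initiator: ChapVerifier,
                 initiator_secret: bytes, target_secret: bytes) -> bool:
    """Mutual CHAP: initiator proves itself to the target, then challenges the target back."""
    ok_forward, _, _ = one_way_login(target, initiator_secret)
    if not ok_forward:
        return False
    chap_id, nonce = initiator.challenge()
    return initiator.verify(chap_id, chap_response(chap_id, target_secret, nonce))


def demo() -> dict:
    """Runs the four cases a defender cares about and reports each outcome."""
    target = ChapVerifier(INITIATOR_SECRET)
    ok, old_id, old_resp = one_way_login(target, INITIATOR_SECRET)
    wrong, _, _ = one_way_login(target, WRONG_SECRET)
    # Replay: present the digest captured in round 1 against the next challenge.
    target.challenge()
    replay = target.verify(old_id, old_resp)
    mutual = mutual_login(ChapVerifier(INITIATOR_SECRET), ChapVerifier(TARGET_SECRET),
                          INITIATOR_SECRET, TARGET_SECRET)
    return {"correct_secret": ok, "wrong_secret": wrong, "replay": replay, "mutual": mutual}


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'authenticated' if result else 'rejected'}")
```

Note the design point the page makes implicitly: the verifier never compares secrets, only digests, and it throws the pending challenge away after one use, so an observer on the storage network who captures a valid digest cannot reuse it. CHAP still depends on the secret's strength, since an observer holding ID, challenge and digest can test guesses offline; that is one reason the guide recommends a separate storage network or VLAN and, where confidentiality is needed, IPSec.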

    IPSec is also available for iSCSI. If IPSec is enabled, all IP packets sent during data transfers are encrypted and authenticated. A common key is set on all IP portals, allowing all peers to authenticate each other and negotiate packet encryption.

    The Microsoft iSCSI initiator can be configured with the CHAP secret by clicking the “Secret” button from the “General” tab of the iSCSI initiator.
