Start of change

Security for iSCSI attached systems

iSCSI technology leverages the low cost and familiarity of Ethernet and IP networking. The flexibility of Ethernet and IP networking allows iSCSI attached systems to share hardware, extend the range, and increase bandwidth by adding hardware. However, this familiarity and flexibility leads to a requirement for appropriate network security.

Each of the different types of networks used by iSCSI attached systems has its own security considerations.

Service processor connection security
Service processor security can involve one or more of the following mechanisms.

iSCSI network security
There are two types of iSCSI network traffic to consider.

Service processor password
This password is managed by i5/OS and is used when your iSeries™ server starts a conversation with the hosted system's service processor. The service processor checks the password to ensure that the i5/OS configuration is authentic. New service processors have a default name and password. i5/OS provides a way to change the password.

Service processor Secure Sockets Layer (SSL)
You can enable this type of SSL only if you have the appropriate type of service processor hardware. If enabled, SSL encrypts traffic on the service processor connection and ensures that the service processor is authentic. Authentication is based on a digital certificate from the service processor that is installed in i5/OS either manually or automatically. This certificate is distinct from the digital certificates used for the SSL connection between i5/OS and Windows.

Secure Sockets Layer (SSL) connection between i5/OS and Windows
The Windows environment on iSeries includes user enrollment and remote command submission functions, which may transfer sensitive data over the point to point virtual Ethernet. These applications automatically set up an SSL connection to encrypt their sensitive network traffic, and to ensure that each side of the conversation is authentic, based on automatically installed digital certificates. These certificates are distinct from the digital certificates used for service processor SSL. This security feature is provided by default and is not configurable. File data, command results, and traffic for other applications are not protected by this SSL connection.

Challenge Handshake Authentication Protocol (CHAP)
CHAP protects against the possibility of an unauthorized system using an authorized system's iSCSI name to access storage. CHAP does not encrypt network traffic, but rather limits which system can access an i5/OS storage path.

CHAP involves configuring a secret that both i5/OS and the hosted system must know. Short CHAP secrets may be exposed if the CHAP packet exchange is recorded with a LAN sniffer and analyzed offline. The CHAP secret should be random and long enough to make this method of attack impractical. i5/OS can generate an appropriate secret. A hosted system uses the same CHAP secret to access all of its configured i5/OS storage paths.

CHAP is not enabled by default, but it is strongly recommended.

IP Security (IPSec)
IPSec encrypts storage and virtual Ethernet traffic on the iSCSI network. A related protocol, Internet Key Exchange (IKE), ensures that the communicating IP endpoints are authentic.

Two conditions are required to enable IPSec:

  1. Both the iSeries and hosted system must have special iSCSI HBAs with high-speed IPSec support.
  2. You must configure a pre-shared key. i5/OS can generate appropriate pre-shared keys. If multiple iSCSI HBAs are involved in the iSeries or hosted system, you can assign different pre-shared keys to different IP address pairs. All other details of IPSec and IKE are handled automatically. IPSec support in i5/OS TCP/IP and Windows TCP/IP are not involved.

IPSec HBAs provide a filter function that blocks communication with IP addresses that are not configured. IPSec HBAs perform this filtering even if IPSec encryption is not enabled by supplying a pre-shared key.

When used for virtual Ethernet, IPSec is not applied directly to the virtual Ethernet endpoints, but rather to the iSCSI HBAs that form the tunnel through the iSCSI network. Consequently, when multiple iSCSI attached Windows servers communicate with each other over virtual Ethernet, each server's IPSec configuration is independent of the others. For example, it is possible for a server to enable IPSec and communicate with other Windows servers that are using physical security instead of IPSec. Servers do not have to use the same IPSec pre-shared key to communicate with each other.

Firewalls
A firewall can be used between a shared network and the iSeries server to protect the iSeries from unwanted network traffic. Similarly, a firewall can be used between a shared network and a hosted system to protect the hosted system from unwanted network traffic.

iSCSI attached system traffic has the following attributes that should be helpful when configuring a firewall:

IPSec HBAs provide a firewall-like function that blocks communication with IP addresses that are not configured, even if IPSec is not enabled by supplying a pre-shared key.

Network isolation and physical security
Network isolation minimizes the risk of data being accessed by unauthorized devices and data being modified as it traverses the network. You can create an isolated network by using a dedicated Ethernet switch or a dedicated virtual local area network (VLAN) on a physical VLAN switch/network. When configuring a VLAN switch, treat an iSCSI HBA that is installed in your iSeries server as a VLAN-unaware device.

Physical security involves physical barriers that limit access to the network equipment and the network endpoints at some level (locked rack enclosures, locked rooms, locked buildings, and so on.).

End of change