iSCSI technology leverages the low cost and familiarity of Ethernet and IP networking. The flexibility of Ethernet and IP networking allows iSCSI attached systems to share hardware, extend the range, and increase bandwidth by adding hardware. However, this familiarity and flexibility leads to a requirement for appropriate network security.
Each of the different types of networks used by iSCSI attached systems has its own security considerations.
Service processor connection security
Service processor security can involve one or more of the following mechanisms.
iSCSI network security
There are two types of iSCSI network traffic to consider.
Service processor password
This password is managed by i5/OS and is used when your iSeries™ server starts a conversation with the hosted system's service processor. The service processor checks the password to ensure that the i5/OS configuration is authentic. New service processors have a default name and password. i5/OS provides a way to change the password.
Service processor Secure Sockets Layer (SSL)
You can enable this type of SSL only if you have the appropriate type of service processor hardware. If enabled, SSL encrypts traffic on the service processor connection and ensures that the service processor is authentic. Authentication is based on a digital certificate from the service processor that is installed in i5/OS either manually or automatically. This certificate is distinct from the digital certificates used for the SSL connection between i5/OS and Windows.
Secure Sockets Layer (SSL) connection between i5/OS and Windows
The Windows environment on iSeries includes user enrollment and remote command submission functions, which may transfer sensitive data over the point-to-point virtual Ethernet. These applications automatically set up an SSL connection to encrypt their sensitive network traffic and to ensure that each side of the conversation is authentic, based on automatically installed digital certificates. These certificates are distinct from the digital certificates used for service processor SSL. This security feature is provided by default and is not configurable. File data, command results, and traffic for other applications are not protected by this SSL connection.
Challenge Handshake Authentication Protocol (CHAP)
CHAP protects against the possibility of an unauthorized system using an authorized system's iSCSI name to access storage. CHAP does not encrypt network traffic, but rather limits which system can access an i5/OS storage path.
CHAP involves configuring a secret that both i5/OS and the hosted system must know. Short CHAP secrets may be exposed if the CHAP packet exchange is recorded with a LAN sniffer and analyzed offline. The CHAP secret should be random and long enough to make this method of attack impractical. i5/OS can generate an appropriate secret. A hosted system uses the same CHAP secret to access all of its configured i5/OS storage paths.
CHAP is not enabled by default, but it is strongly recommended.
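The CHAP exchange described above, as an added example that is not part of the original page or of i5/OS: the target issues a random challenge, the initiator answers with MD5(identifier || secret || challenge) as CHAP specifies, and the target recomputes and compares. The secret-length policy (at least 12 random bytes, hex-encoded) is an assumption chosen for this example; substitute your own configuration's rules.

```python
import hashlib
import hmac
import os
import secrets

# Assumed policy for this example: at least 12 bytes (96 bits) of randomness,
# stored hex-encoded, so an acceptable secret is at least 24 characters long.
MIN_SECRET_BYTES = 12
MIN_SECRET_CHARS = 2 * MIN_SECRET_BYTES


def generate_chap_secret(nbytes: int = 16) -> str:
    """Return a hex-encoded CHAP secret carrying nbytes of CSPRNG entropy."""
    if nbytes < MIN_SECRET_BYTES:
        raise ValueError(f"CHAP secret needs at least {MIN_SECRET_BYTES} random bytes")
    return secrets.token_hex(nbytes)


def secret_is_acceptable(secret: str) -> bool:
    """Reject secrets that are too short or drawn from too few distinct characters."""
    if len(secret) < MIN_SECRET_CHARS:
        return False
    # A long secret built from a handful of repeated characters is still weak.
    return len(set(secret)) >= 8


def chap_response(chap_id: int, secret: str, challenge: bytes) -> bytes:
    """CHAP (RFC 1994) response as used by iSCSI: MD5(id || secret || challenge)."""
    h = hashlib.md5()
    h.update(bytes([chap_id & 0xFF]))  # one-byte CHAP identifier
    h.update(secret.encode())
    h.update(challenge)
    return h.digest()


def target_verifies(chap_id: int, secret: str, challenge: bytes, response: bytes) -> bool:
    """Target side: recompute the expected response and compare in constant time."""
    return hmac.compare_digest(chap_response(chap_id, secret, challenge), response)


def run_exchange(secret: str, chap_id: int = 1) -> bool:
    """Simulate one authentication round: the initiator must hold the same secret."""
    challenge = os.urandom(16)                              # target-chosen nonce
    response = chap_response(chap_id, secret, challenge)    # initiator's answer
    return target_verifies(chap_id, secret, challenge, response)
```

Because the challenge and response travel in the clear, only the secret's length and randomness stand between a captured exchange and an offline guess, which is why the policy check precedes use of any secret.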
IP Security (IPSec)
IPSec encrypts storage and virtual Ethernet traffic on the iSCSI network. A related protocol, Internet Key Exchange (IKE), ensures that the communicating IP endpoints are authentic.
Two conditions are required to enable IPSec:
IPSec HBAs provide a filter function that blocks communication with IP addresses that are not configured. IPSec HBAs perform this filtering even when IPSec encryption has not been enabled by supplying a pre-shared key.
When used for virtual Ethernet, IPSec is not applied directly to the virtual Ethernet endpoints, but rather to the iSCSI HBAs that form the tunnel through the iSCSI network. Consequently, when multiple iSCSI attached Windows servers communicate with each other over virtual Ethernet, each server's IPSec configuration is independent of the others. For example, it is possible for a server to enable IPSec and communicate with other Windows servers that are using physical security instead of IPSec. Servers do not have to use the same IPSec pre-shared key to communicate with each other.
Firewalls
A firewall can be used between a shared network and the iSeries server to protect the iSeries from unwanted network traffic. Similarly, a firewall can be used between a shared network and a hosted system to protect the hosted system from unwanted network traffic.
iSCSI attached system traffic has the following attributes that should be helpful when configuring a firewall:
IPSec HBAs provide a firewall-like function that blocks communication with IP addresses that are not configured, even when IPSec has not been enabled by supplying a pre-shared key.
Network isolation and physical security
Network isolation minimizes the risk of data being accessed by unauthorized devices and of data being modified as it traverses the network. You can create an isolated network by using a dedicated Ethernet switch or a dedicated virtual local area network (VLAN) on a physical VLAN switch/network. When configuring a VLAN switch, treat an iSCSI HBA that is installed in your iSeries server as a VLAN-unaware device.
Physical security involves physical barriers that limit access to the network equipment and the network endpoints at some level (locked rack enclosures, locked rooms, locked buildings, and so on).