<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="dc.language" scheme="rfc1766" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<meta name="dc.date" scheme="iso8601" content="2005-09-13" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow"/>
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<title>Security for iSCSI attached systems</title>
<link rel="stylesheet" type="text/css" href="ibmidwb.css" />
<link rel="stylesheet" type="text/css" href="ic.css" />
</head>
<body>
<a id="Top_Of_Page" name="Top_Of_Page"></a><!-- Java sync-link -->
<script language = "Javascript" src = "../rzahg/synch.js" type="text/javascript"></script>
<img src="delta.gif" alt="Start of change" />
<a name="rzahqisciattached"></a>
<h3 id="rzahqisciattached">Security for iSCSI attached systems</h3>
<p>iSCSI technology leverages the low cost and familiarity of Ethernet and
IP networking. The flexibility of Ethernet and IP networking allows iSCSI
attached systems to share hardware, extend the range, and increase bandwidth
by adding hardware. However, this familiarity and flexibility leads to a requirement
for appropriate network security.</p>
<p>Each of the different types of networks used by iSCSI attached systems
has its own security considerations.</p>
<p><span class="bold">Service processor connection security
<br /></span>Service
processor security can involve one or more of the following mechanisms.</p>
<ul>
<li>Service processor password</li>
<li>Secure Sockets Layer (SSL)</li>
<li>Network isolation and physical security</li></ul>
<p><span class="bold">iSCSI network security</span>
<br />There are two types
of iSCSI network traffic to consider.</p>
<ul>
<li>Storage security can involve one or more of the following mechanisms.
<ul>
<li>Challenge Handshake Authentication Protocol (CHAP)</li>
<li>IP Security (IPSec)</li>
<li>Firewalls</li>
<li>Network isolation, physical security, and security gateways</li></ul></li>
<li>Virtual Ethernet security can involve one or more of the following mechanisms.
<ul>
<li>IP Security (IPSec)</li>
<li>Firewalls</li>
<li>Network isolation, physical security, and security gateways</li>
<li>In addition, when user enrollment or remote command submission sends sensitive
data over the point-to-point virtual Ethernet, these applications use a Secure
Sockets Layer (SSL) connection between i5/OS&trade; and Windows. For more information about
user enrollment, see <a href="rzahqusrmgmtcpts.htm#rzahqusrmgmtcpts">User and group concepts</a>.</li></ul></li></ul>
<p><span class="bold">Service processor password</span>
<br />This password
is managed by i5/OS and is used when your iSeries&trade; server starts a conversation with the
hosted system's service processor. The service processor checks the password
to ensure that the i5/OS configuration is authentic. New service processors
have a default name and password. i5/OS provides a way to change the password.</p>
<p><span class="bold">Service processor Secure Sockets Layer (SSL)</span>
<br />You
can enable this type of SSL only if you have the appropriate type of service
processor hardware. If enabled, SSL encrypts traffic on the service processor
connection and ensures that the service processor is authentic. Authentication
is based on a digital certificate from the service processor that is installed
in i5/OS either manually or automatically. This certificate is distinct
from the digital certificates used for the SSL connection between i5/OS and Windows.</p>
<p><span class="bold">Secure Sockets Layer (SSL) connection between i5/OS and Windows</span>
<br />The Windows environment on iSeries includes user enrollment and remote
command submission functions, which may transfer sensitive data over the point-to-point
virtual Ethernet. These applications automatically set up an SSL
connection to encrypt their sensitive network traffic, and to ensure that
each side of the conversation is authentic, based on automatically installed
digital certificates. These certificates are distinct from the digital certificates
used for service processor SSL. This security feature is provided by default
and is not configurable. File data, command results, and traffic for other
applications are not protected by this SSL connection.</p>
<p><span class="bold">Challenge Handshake Authentication Protocol (CHAP)</span>
<br />CHAP
protects against the possibility of an unauthorized system using an authorized
system's iSCSI name to access storage. CHAP does not encrypt network
traffic, but rather limits which system can access an i5/OS storage path.</p>
<p>CHAP involves configuring a secret that both i5/OS and the hosted system must know. Short
CHAP secrets may be exposed if the CHAP packet exchange is recorded with a
LAN sniffer and analyzed offline. The CHAP secret should be random and long
enough to make this method of attack impractical. i5/OS can generate an appropriate secret.
A hosted system uses the same CHAP secret to access all of its configured i5/OS storage paths.</p>
<p>CHAP is not enabled by default, but it is strongly recommended.</p>
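<p>The CHAP exchange described above, as an added example that is not part of the IBM documentation: the target (the i5/OS storage path) issues an identifier and a random challenge, the initiator (the hosted system) answers with MD5(identifier || secret || challenge) as in RFC 1994, and the target recomputes it with its configured secret. The 12-byte minimum secret length is an assumed policy threshold, not a value from this page.</p>

```python
import hashlib
import secrets

# Added example (not IBM code). iSCSI CHAP uses the RFC 1994 algorithm with MD5:
# response = MD5(identifier || secret || challenge). The target (i5/OS storage path)
# issues the challenge; the initiator (hosted system) returns the response.

MIN_SECRET_LEN = 12  # assumed policy threshold; short secrets invite offline guessing


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Initiator side: compute CHAP_R for the given CHAP_I and CHAP_C."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Target side: recompute with the configured secret and compare in constant time."""
    expected = chap_response(identifier, secret, challenge)
    return secrets.compare_digest(expected, response)


def secret_is_adequate(secret: bytes) -> bool:
    """Reject secrets that are too short or consist of a single repeated byte."""
    return len(secret) >= MIN_SECRET_LEN and len(set(secret)) > 1


def generate_chap_secret(nbytes: int = 16) -> bytes:
    """Random secret of the kind i5/OS can generate for you (hex text, 2*nbytes chars)."""
    return secrets.token_hex(nbytes).encode("ascii")


def run_exchange(target_secret: bytes, initiator_secret: bytes) -> bool:
    """Simulate one CHAP round trip; True only when both sides hold the same secret."""
    identifier = secrets.randbelow(256)   # CHAP_I chosen by the target
    challenge = secrets.token_bytes(16)   # CHAP_C, fresh random value per login
    response = chap_response(identifier, initiator_secret, challenge)
    return chap_verify(identifier, target_secret, challenge, response)


if __name__ == "__main__":
    shared = generate_chap_secret()
    print("secret adequate:", secret_is_adequate(shared))
    print("auth with shared secret:", run_exchange(shared, shared))
    print("auth with wrong secret:", run_exchange(shared, b"someothersecret0"))
```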
<p><span class="bold">IP Security (IPSec)</span>
<br />IPSec encrypts storage
and virtual Ethernet traffic on the iSCSI network. A related protocol, Internet
Key Exchange (IKE), ensures that the communicating IP endpoints are authentic.</p>
<p>Two conditions are required to enable IPSec:</p>
<ol type="1">
<li>Both the iSeries and hosted system must have special iSCSI HBAs
with high-speed IPSec support.</li>
<li>You must configure a pre-shared key. i5/OS can generate appropriate pre-shared keys.
If multiple iSCSI HBAs are involved in the iSeries or hosted system, you can assign different
pre-shared keys to different IP address pairs. All other details of IPSec
and IKE are handled automatically. IPSec support in i5/OS TCP/IP and
Windows TCP/IP is not involved.</li></ol>
<p>IPSec HBAs provide a filter function that blocks communication with IP
addresses that are not configured. IPSec HBAs perform this filtering even
if IPSec encryption is not enabled by supplying a pre-shared key.</p>
<p>When used for virtual Ethernet, IPSec is not applied directly to the virtual
Ethernet endpoints, but rather to the iSCSI HBAs that form the tunnel through
the iSCSI network. Consequently, when multiple iSCSI attached Windows servers
communicate with each other over virtual Ethernet, each server's IPSec
configuration is independent of the others. For example, it is possible for
a server to enable IPSec and communicate with other Windows servers that are
using physical security instead of IPSec. Servers do not have to use the same
IPSec pre-shared key to communicate with each other.</p>
<p><span class="bold">Firewalls</span>
<br />A firewall can be used between
a shared network and the iSeries server to protect the iSeries from unwanted
network traffic. Similarly, a firewall can be used between a shared network
and a hosted system to protect the hosted system from unwanted network traffic.</p>
<p>iSCSI attached system traffic has the following attributes that should
be helpful when configuring a firewall:</p>
<ul>
<li>iSCSI HBAs have static IP addresses (there is a DHCP boot mode, but the
IP addresses involved are actually statically pre-configured)</li>
<li>UDP and TCP ports that are deterministic and configurable. Each virtual
Ethernet adapter on the hosted system uses a different UDP port to tunnel
through the iSCSI network. Virtual Ethernet packets are encapsulated as follows,
from outer header to inner header:
<ul>
<li>MAC and IP header for the iSCSI HBA using LAN (not SCSI) addresses.</li>
<li>UDP header. See <a href="rzahqconffirewall.htm#rzahqconffirewall">Configure a firewall</a> for information about
optionally controlling UDP port selection.</li>
<li>MAC and IP headers for the virtual Ethernet adapter.</li></ul></li></ul>
<p>IPSec HBAs provide a firewall-like function that blocks communication with
IP addresses that are not configured, even if IPSec is not enabled by supplying
a pre-shared key.</p>
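<p>The encapsulation and filtering points above, as an added example that is not IBM code: a virtual Ethernet frame is wrapped in the iSCSI HBA's outer MAC and IPv4 headers plus a UDP header, and a firewall-style rule admits a frame only when the outer HBA address pair is one of the configured static addresses and the UDP port is a configured one. The MAC addresses, 192.0.2.x addresses and UDP port numbers are constructed sample values.</p>

```python
import ipaddress
import struct

# Added example (not IBM code): the virtual Ethernet tunnel format described above,
# outer MAC/IP of the iSCSI HBAs, then UDP, then the inner virtual Ethernet frame,
# and a firewall-style filter that admits only configured HBA address pairs and ports.

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def _mac(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def _ipv4_checksum(hdr: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def encapsulate(src_mac, dst_mac, src_ip, dst_ip, sport, dport, inner_frame: bytes) -> bytes:
    """Wrap a virtual Ethernet frame: outer Ethernet + IPv4 + UDP + inner frame."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(inner_frame), 0) + inner_frame
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64,
                     IPPROTO_UDP, 0, ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    ip = ip[:10] + struct.pack("!H", _ipv4_checksum(ip)) + ip[12:]  # fill checksum
    return _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + ip + udp


def parse_outer(frame: bytes):
    """Return (src_ip, dst_ip, sport, dport) from the outer headers, or None if not IPv4/UDP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != IPPROTO_UDP or _ipv4_checksum(ip[:ihl]) != 0:  # bad checksum -> drop
        return None
    src, dst = ipaddress.IPv4Address(ip[12:16]), ipaddress.IPv4Address(ip[16:20])
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return str(src), str(dst), sport, dport


def tunnel_allowed(frame: bytes, hba_pairs: set, udp_ports: set) -> bool:
    """Filter rule: the static HBA address pair and the UDP port must both be configured."""
    hdr = parse_outer(frame)
    return hdr is not None and (hdr[0], hdr[1]) in hba_pairs and hdr[3] in udp_ports
```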
<p><span class="bold">Network isolation and physical security</span>
<br />Network
isolation minimizes the risk of data being accessed by unauthorized devices
and data being modified as it traverses the network. You can create an isolated
network by using a dedicated Ethernet switch or a dedicated virtual local
area network (VLAN) on a physical VLAN switch/network. When configuring a
VLAN switch, treat an iSCSI HBA that is installed in your iSeries server as
a VLAN-unaware device.</p>
<p>Physical security involves physical barriers that limit access to the network
equipment and the network endpoints at some level (locked rack enclosures,
locked rooms, locked buildings, and so on).</p><img src="deltaend.gif" alt="End of change" />
<a id="Bot_Of_Page" name="Bot_Of_Page"></a>
</body>
</html>