156 lines
9.6 KiB
HTML
156 lines
9.6 KiB
HTML
<?xml version="1.0" encoding="utf-8"?>
|
|
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
|
|
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
|
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-us">
|
|
<head>
|
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
|
<meta name="dc.language" scheme="rfc1766" content="en-us" />
|
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
|
<!-- US Government Users Restricted Rights -->
|
|
<!-- Use, duplication or disclosure restricted by -->
|
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
|
<meta name="dc.date" scheme="iso8601" content="2005-09-13" />
|
|
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
|
|
<meta name="security" content="public" />
|
|
<meta name="Robots" content="index,follow"/>
|
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
|
<title>Security for iSCSI attached systems</title>
|
|
<link rel="stylesheet" type="text/css" href="ibmidwb.css" />
|
|
<link rel="stylesheet" type="text/css" href="ic.css" />
|
|
</head>
|
|
<body>
|
|
<a id="Top_Of_Page" name="Top_Of_Page"></a><!-- Java sync-link -->
|
|
<script language = "Javascript" src = "../rzahg/synch.js" type="text/javascript"></script>
|
|
|
|
<img src="delta.gif" alt="Start of change" />
|
|
<a name="rzahqisciattached"></a>
|
|
<h3 id="rzahqisciattached">Security for iSCSI attached systems</h3>
|
|
<p>iSCSI technology leverages the low cost and familiarity of Ethernet and
|
|
IP networking. The flexibility of Ethernet and IP networking allows iSCSI
|
|
attached systems to share hardware, extend the range, and increase bandwidth
|
|
by adding hardware. However, this familiarity and flexibility leads to a requirement
|
|
for appropriate network security.</p>
|
|
<p>Each of the different types of networks used by iSCSI attached systems
|
|
has its own security considerations.</p>
|
|
<p><span class="bold">Service processor connection security
|
|
<br /></span>Service
|
|
processor security can involve one or more of the following mechanisms.</p>
|
|
<ul>
|
|
<li>Service processor password</li>
|
|
<li>Secure Sockets Layer (SSL)</li>
|
|
<li>Network isolation and physical security</li></ul>
|
|
<p><span class="bold">iSCSI network security</span>
|
|
<br />There are two types
|
|
of iSCSI network traffic to consider.</p>
|
|
<ul>
|
|
<li>Storage security can involve one or more of the following mechanisms.
|
|
<ul>
|
|
<li>Challenge Handshake Authentication Protocol (CHAP)</li>
|
|
<li>IP Security (IPSec)</li>
|
|
<li>Firewalls</li>
|
|
<li>Network isolation, physical security, and security gateways</li></ul></li>
|
|
<li>Virtual Ethernet security can involve one or more of the following mechanisms.
|
|
<ul>
|
|
<li>IP Security (IPSec)</li>
|
|
<li>Firewalls</li>
|
|
<li>Network isolation, physical security, and security gateways</li>
|
|
<li>In addition, when user enrollment or remote command submission send sensitive
|
|
data over the point to point virtual Ethernet, these applications use a Secure
|
|
Sockets Layer (SSL) connection between i5/OS™ and Windows. For more information about
|
|
user enrollment, see <a href="rzahqusrmgmtcpts.htm#rzahqusrmgmtcpts">User and group concepts</a>.</li></ul></li></ul>
|
|
<p><span class="bold">Service processor password</span>
|
|
<br />This password
|
|
is managed by i5/OS and is used when your iSeries™ server starts a conversation with the
|
|
hosted system's service processor. The service processor checks the password
|
|
to ensure that the i5/OS configuration is authentic. New service processors
|
|
have a default name and password. i5/OS provides a way to change the password.</p>
|
|
<p><span class="bold">Service processor Secure Sockets Layer (SSL)</span>
|
|
<br />You
|
|
can enable this type of SSL only if you have the appropriate type of service
|
|
processor hardware. If enabled, SSL encrypts traffic on the service processor
|
|
connection and ensures that the service processor is authentic. Authentication
|
|
is based on a digital certificate from the service processor that is installed
|
|
in i5/OS either manually or automatically. This certificate is distinct
|
|
from the digital certificates used for the SSL connection between i5/OS and Windows.</p>
|
|
<p><span class="bold">Secure Sockets Layer (SSL) connection between i5/OS and Windows</span>
|
|
<br />The Windows environment on iSeries includes user enrollment and remote
|
|
command submission functions, which may transfer sensitive data over the point
|
|
to point virtual Ethernet. These applications automatically set up an SSL
|
|
connection to encrypt their sensitive network traffic, and to ensure that
|
|
each side of the conversation is authentic, based on automatically installed
|
|
digital certificates. These certificates are distinct from the digital certificates
|
|
used for service processor SSL. This security feature is provided by default
|
|
and is not configurable. File data, command results, and traffic for other
|
|
applications are not protected by this SSL connection.</p>
|
|
<p><span class="bold">Challenge Handshake Authentication Protocol (CHAP)</span>
|
|
<br />CHAP
|
|
protects against the possibility of an unauthorized system using an authorized
|
|
system's iSCSI name to access storage. CHAP does not encrypt network
|
|
traffic, but rather limits which system can access an i5/OS storage path.</p>
|
|
<p>CHAP involves configuring a secret that both i5/OS and the hosted system must know. Short
|
|
CHAP secrets may be exposed if the CHAP packet exchange is recorded with a
|
|
LAN sniffer and analyzed offline. The CHAP secret should be random and long
|
|
enough to make this method of attack impractical. i5/OS can generate an appropriate secret.
|
|
A hosted system uses the same CHAP secret to access all of its configured i5/OS storage paths.</p>
|
|
<p>CHAP is not enabled by default, but it is strongly recommended.</p>
|
|
<p><span class="bold">IP Security (IPSec)</span>
|
|
<br />IPSec encrypts storage
|
|
and virtual Ethernet traffic on the iSCSI network. A related protocol, Internet
|
|
Key Exchange (IKE), ensures that the communicating IP endpoints are authentic.</p>
|
|
<p>Two conditions are required to enable IPSec:</p>
|
|
<ol type="1">
|
|
<li>Both the iSeries and hosted system must have special iSCSI HBAs
|
|
with high-speed IPSec support.</li>
|
|
<li>You must configure a pre-shared key. i5/OS can generate appropriate pre-shared keys.
|
|
If multiple iSCSI HBAs are involved in the iSeries or hosted system, you can assign different
|
|
pre-shared keys to different IP address pairs. All other details of IPSec
|
|
and IKE are handled automatically. IPSec support in i5/OS TCP/IP and
|
|
Windows TCP/IP are not involved.</li></ol>
|
|
<p>IPSec HBAs provide a filter function that blocks communication with IP
|
|
addresses that are not configured. IPSec HBAs perform this filtering even
|
|
if IPSec encryption is not enabled by supplying a pre-shared key.</p>
|
|
<p>When used for virtual Ethernet, IPSec is not applied directly to the virtual
|
|
Ethernet endpoints, but rather to the iSCSI HBAs that form the tunnel through
|
|
the iSCSI network. Consequently, when multiple iSCSI attached Windows servers
|
|
communicate with each other over virtual Ethernet, each server's IPSec
|
|
configuration is independent of the others. For example, it is possible for
|
|
a server to enable IPSec and communicate with other Windows servers that are
|
|
using physical security instead of IPSec. Servers do not have to use the same
|
|
IPSec pre-shared key to communicate with each other.</p>
|
|
<p><span class="bold">Firewalls</span>
|
|
<br />A firewall can be used between
|
|
a shared network and the iSeries server to protect the iSeries from unwanted
|
|
network traffic. Similarly, a firewall can be used between a shared network
|
|
and a hosted system to protect the hosted system from unwanted network traffic.</p>
|
|
<p>iSCSI attached system traffic has the following attributes that should
|
|
be helpful when configuring a firewall:</p>
|
|
<ul>
|
|
<li>iSCSI HBAs have static IP addresses (there is a DHCP boot mode, but the
|
|
IP addresses involved are actually statically pre-configured)</li>
|
|
<li>UDP and TCP ports that are deterministic and configurable. Each virtual
|
|
Ethernet adapter on the hosted system uses a different UDP port to tunnel
|
|
through the iSCSI network. Virtual Ethernet packets are encapsulated as follows,
|
|
from outer header to inner header:
|
|
<ul>
|
|
<li>MAC and IP header for the iSCSI HBA using LAN (not SCSI) addresses.</li>
|
|
<li>UDP header. See <a href="rzahqconffirewall.htm#rzahqconffirewall">Configure a firewall</a> for information about
|
|
optionally controlling UDP port selection.</li>
|
|
<li>MAC and IP headers for the virtual Ethernet adapter.</li></ul></li></ul>
|
|
<p>IPSec HBAs provide a firewall-like function that blocks communication with
|
|
IP addresses that are not configured, even if IPSec is not enabled by supplying
|
|
a pre-shared key.</p>
|
|
<p><span class="bold">Network isolation and physical security</span>
|
|
<br />Network
|
|
isolation minimizes the risk of data being accessed by unauthorized devices
|
|
and data being modified as it traverses the network. You can create an isolated
|
|
network by using a dedicated Ethernet switch or a dedicated virtual local
|
|
area network (VLAN) on a physical VLAN switch/network. When configuring a
|
|
VLAN switch, treat an iSCSI HBA that is installed in your iSeries server as
|
|
a VLAN-unaware device.</p>
|
|
<p>Physical security involves physical barriers that limit access to the network
|
|
equipment and the network endpoints at some level (locked rack enclosures,
|
|
locked rooms, locked buildings, and so on.).</p><img src="deltaend.gif" alt="End of change" />
|
|
<a id="Bot_Of_Page" name="Bot_Of_Page"></a>
|
|
</body>
|
|
</html>
|