CS526_Semester_Project_Presentation_James_Hughes_5-03
Download
Report
Transcript CS526_Semester_Project_Presentation_James_Hughes_5-03
Securing iSCSI for Data Backup and
Disaster Recovery
JAMES HUGHES
CS526
5/03/05
James W. Hughes
1
Overview
Introduction / Motivation
Brief Overview of iSCSI
Strategies for Securing iSCSI
Conclusion
References
CS526
5/03/05
James W. Hughes
2
Introduction / Motivation
Learn About A New Technologies
Attempt To Pass It On
Brief Backup and Disaster Recovery
Scenario
CS526
5/03/05
James W. Hughes
3
Brief Overview of iSCSI
• iSCSI Protocol
• Protocol Data Units
• Encapsulation of iSCSI PDU
CS526
5/03/05
James W. Hughes
4
Strategies for Securing iSCSI
•
•
•
•
•
Access Control Lists (ACLs)
Strong Authentication Schemes
Secure Management Interfaces
Encrypt Exposed Network Traffic
Encrypt Data at Rest
CS526
5/03/05
James W. Hughes
8
Conclusion
• iSCSI is an Alternative to Fiber Channel
• Overview of iSCSI Protocol
• Strategies to Securing iSCSI
CS526
5/03/05
James W. Hughes
14
Questions
CS526
5/03/05
James W. Hughes
15
References
• Hewlet Packard, (2005). iSCSI Overview.
– Power Point Presentation
• Foskett, S., (07 Apr 2005), Five ways to secure iSCSI,
http://searchstorage.techtarget.com/tip/1,289483,sid5_gc
i1076436,00.html
• Harwood, M., (27 Jan 2004), Storage Basics: Securing
iSCSI using IPSec,
http://www.enterprisestorageforum.com/ipstorage/feature
s/article.php/11567_3304621_1
• Network Sorcery, (n.d.), CHAP, Challenge Handshake
Authentication Protocol,
http://www.networksorcery.com/enp/protocol/CHAP.htm
CS526
5/03/05
James W. Hughes
16
Access Control Lists (ACLs)
• Implementations:
– IP Address
– Initiator Name
– MAC Address
• Provides of a means of dividing storage
resources among clients.
• Not a strong security method.
Back to Strategies
for Securing iSCSI
CS526
5/03/05
James W. Hughes
9
Strong Authentication Schemes
• Challenge Handshake Authentication Protocol
(CHAP)
– Two way Authentication
– Protects against Playback Attacks
• Remote Authentication Dial-In User Service
(RADIUS)
• Drawback: Passwords must be stored on both sides
•
RADIUS service can be difficult to configure
Back to Strategies
for Securing iSCSI
CS526
5/03/05
James W. Hughes
10
Secure Management Interfaces
• Lesson Learned From Fiber Channel
– Limit Usage
– Enforce Strong Passwords
– Verify Vendor Accounts Removed or Disabled
Back to Strategies
for Securing iSCSI
CS526
5/03/05
James W. Hughes
11
Encrypt Exposed Network Traffic
• IP security (IPsec)
Authentication Headers (AH)
Authentication: Kerberos v5, Public Key Certificates
(PKIs), and Preshared keys
Integrity: Message Digest 5 (MD5) and Secure Hash
Algorithm 1 (SHA1)
Encapsulating Security Payloads (ESP)
Data Encryption Standard (40-bit)
Data Encryption Standard (56-bit)
Triple DES (3DES) (168-bit)
Back to Strategies
for Securing iSCSI
CS526
5/03/05
James W. Hughes
12
Encrypt Data at Rest
• Full Disk Encryption
• Security Appliances
• Backup Tape Encryption
Back to Strategies
for Securing iSCSI
CS526
5/03/05
James W. Hughes
13
iSCSI Protocol
• A transport protocol for SCSI that operates over
TCP/IP
host SCSI command set
iSCSI
FCP
TCP
Parallel Bus
IP
Fibre Channel
Back to iSCSI
Overview
Ethernet
CS526
5/03/05
James W. Hughes
5
Protocol Data Units
• Consist of SCSI commands, data, and
responses for TCP handling
Protocol Data Unit
(PDU)
iSCSI
Header
Back to iSCSI
Overview
iSCSI
Data
CS526
5/03/05
James W. Hughes
6
Encapsulation of iSCSI PDU
dest
MAC
src
MAC
Ether
type
6 bytes
6 bytes
2 bytes
Back to iSCSI
Overview
data
IP
TCP
iSCSI PDU
46 to 1500 bytes
FCS
(CRC)
4 bytes
CS526
5/03/05
James W. Hughes
7
Scenario
Back to iSCSI
Overview
CS526
5/03/05
James W. Hughes
17