Once upon a time, communication security assurance technology had nothing to do with storage products. Anyone who mentioned communication security for the storage channel would have been laughed at. After all, has anyone ever seen a hacker break into a system through a SCSI cable?
With iSCSI, however, the situation is completely different. The iSCSI connection channel is Ethernet, which is home turf for hackers. Whoever steps in has to think about security. This matters more than wearing a safety helmet on a construction site, because the probability of being targeted by hackers on the Internet is far higher than the probability of being hit by a brick on a construction site. If you don't believe it, try it: you could wait three days on a construction site without a single tile falling from the sky, but switch off Windows security protection on the Internet and you are guaranteed to collect several "valuable" backdoor programs within three hours. If you are lucky, your user password will merely have been changed N times and your address book copied M times.
Since the Internet is this dangerous, you can imagine what iSCSI faces in terms of security.
Fortunately, the IETF and SNIA IP Storage working groups guarded against this early and considered communication security from the very beginning of the iSCSI standard. According to the SNIA IP Storage working group, there are five levels of iSCSI protection.
1. No security protection
Let's start with the simplest one.
The simplest iSCSI implementation uses no encryption and no authentication at all. It only provides the basic function of transferring SCSI commands over TCP/IP. Any host connected to the network can connect to the iSCSI storage device without hindrance.
This method obviously cannot prevent any danger. But it also has an obvious advantage: performance. Without authentication and encryption there is no extra overhead, so if you need your iSCSI disk array to run at full speed, this is undoubtedly the best choice. If Liu Xiang ran the Olympic hurdles in a helmet and a bulletproof vest, he would not take first place.
Of course, when you choose this method, the network switch that connects to the iSCSI disk array should preferably be isolated from the outside world. That way the security issues are not so prominent. If you don't have a safety helmet, stay away from the construction site; you are better off at home. Bricks and tiles may still fall there, but it is much safer than hanging around the site.
2. Authentication between iSCSI Initiator and Target
This method is applied at both ends of the iSCSI connection: the Initiator is the host and the Target is the disk array. iSCSI products on the market today generally list CHAP, SRP, Kerberos, SPKM and other authentication methods in their product descriptions. These are all "safety helmets". The strange-looking abbreviations correspond to very mature and widely used authentication and protection technologies from traditional networks.
Like traditional network authentication technologies, their purpose is to prevent unauthorized users from gaining access.
I remember that when I was working as a network administrator, I used to "take advantage of my authority" to make things convenient for colleagues I was on good terms with. I let them use more server space and the nearby printers originally reserved for the leaders. One of my colleagues went after the girl I liked. I was so angry that I deleted his account on all the print servers and forced him to run to the end of the corridor with his computer to use the only old-fashioned printer that was not connected to a server.
In iSCSI, the print server becomes the iSCSI disk array. To use a disk array, you must first have permission to access it, and then pass seven or eight authentication checks during access. To prevent impersonation, encryption is also used in the authentication process.
In short, if the administrator does not want you to use it, you cannot use it even though the network cable is plugged in. In computer terms, the iSCSI Target only establishes a connection with an authorized Initiator.
Of course, the administrator who sets the permissions is also an important part of security. Fortunately, there are many good people in the world. In fact, I also turned back from evil, because the girl married my colleague without hesitation after discovering my bad behaviour. Worth reflecting on!
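As an added example (not code from the original article), here is the CHAP exchange described above in Python: the target challenges the initiator, and with mutual CHAP the initiator challenges the target back, so a rogue disk array cannot impersonate the real one. The IQN-style initiator name and the secrets in the test are constructed sample values; the hash construction is the one RFC 3720 specifies (CHAP_R = MD5 over CHAP_I, the secret and CHAP_C), and the simulated "rogue target" is a hypothetical case used to show why the second half of the exchange matters.

```python
import hashlib
import hmac
import os

CHAP_A_MD5 = 5  # CHAP_A value that selects MD5 in the iSCSI login (RFC 3720 / RFC 1994)


def chap_response(chap_i: int, secret: bytes, chap_c: bytes) -> bytes:
    """CHAP_R = MD5(CHAP_I || secret || CHAP_C); CHAP_I is a single octet."""
    if not 0 <= chap_i <= 255:
        raise ValueError("CHAP_I must fit in one octet")
    return hashlib.md5(bytes([chap_i]) + secret + chap_c).digest()


def verify_response(chap_i: int, secret: bytes, chap_c: bytes, chap_r: bytes) -> bool:
    """Constant-time comparison so the verifier does not leak how many bytes matched."""
    return hmac.compare_digest(chap_response(chap_i, secret, chap_c), chap_r)


def make_challenge() -> tuple:
    """Fresh identifier and random challenge; a reused challenge would allow replay."""
    return os.urandom(1)[0], os.urandom(16)


def mutual_chap_login(target_db: dict, initiator_name: str, initiator_secret: bytes,
                      target_secret_real: bytes, target_secret_expected: bytes) -> dict:
    """Simulate one login with mutual CHAP. target_db maps CHAP_N -> secret held by the
    target; target_secret_expected is what the initiator was configured with, and
    target_secret_real is what the answering target actually knows (they differ when
    a hypothetical rogue target answers in place of the real disk array)."""
    log = []
    # Target challenges the initiator.
    chap_i, chap_c = make_challenge()
    log.append(f"T->I CHAP_A={CHAP_A_MD5} CHAP_I={chap_i} CHAP_C=0x{chap_c.hex()}")
    # Initiator answers and, for mutual CHAP, issues its own challenge.
    chap_r = chap_response(chap_i, initiator_secret, chap_c)
    i_chap_i, i_chap_c = make_challenge()
    log.append(f"I->T CHAP_N={initiator_name} CHAP_R=0x{chap_r.hex()} "
               f"CHAP_I={i_chap_i} CHAP_C=0x{i_chap_c.hex()}")
    # Target looks up the initiator's secret and checks the response.
    stored = target_db.get(initiator_name)
    if stored is None or not verify_response(chap_i, stored, chap_c, chap_r):
        return {"ok": False, "reason": "initiator rejected", "log": log}
    # Target answers the initiator's challenge with its own secret.
    t_chap_r = chap_response(i_chap_i, target_secret_real, i_chap_c)
    log.append(f"T->I CHAP_N=target CHAP_R=0x{t_chap_r.hex()}")
    # Initiator verifies the target; a mismatch means the target is not who it claims.
    if not verify_response(i_chap_i, target_secret_expected, i_chap_c, t_chap_r):
        return {"ok": False, "reason": "target rejected", "log": log}
    return {"ok": True, "reason": "mutual CHAP succeeded", "log": log}
```

The returned log shows the three login messages the way their keys appear on the wire; note that the secret itself never travels, only the hash of it with a fresh challenge.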
3. IP firewall and VPN
With user authentication, things are certainly better. In actual deployments, however, vulnerabilities are inevitable. I believe blank passwords give many administrators headaches; they gave me headaches when I was an administrator. Many colleagues think passwords are hard to remember, so they leave them blank or set them to 111111. Passwords like these are really worrying: a hacker with a little patience can guess them by hand, and dictionary-attack programs are everywhere.
The same is true for iSCSI disk arrays. If user authentication alone cannot solve the problem, you need to follow the traditional IP network approach and build a firewall between the intranet and the Internet to block the "testers" who have boundless energy and patience. If the iSCSI disk array (Target) and the host (Initiator) need to be connected across a WAN, it is best to connect the two with a VPN.
In short, the aim is to keep iSCSI disk arrays off public IP addresses. That way the searchlight sweeping the Internet (the vulnerability scanner) cannot shine here.
4. Non-repudiation technology
Generally, with a firewall and VPN on top of the user authentication mechanism, the data in the disk array is basically safe, unless you run into a master who is familiar with the various protocol formats.
Such masters exist in real life, and there are more of them than you think. I have met senior R&D engineers from router and switch manufacturers who could intercept an IP packet in the middle of a conversation and open it up like a bag. At that point your username, password, address, height, weight, bank account, girlfriend's name and other important information are all laid out in plain view.
When I first saw this, I couldn't help but gasp, and vowed to learn it myself. After several days of hard work, I finally picked up a vague idea of the methods. It turns out that data packets transmitted over the network can be intercepted, inserted, modified and deleted. Relying on these methods, network experts with a bad conscience can impersonate legitimate hosts, pass through the firewall, and do some shameless things.
What if this happens to our iSCSI device? It doesn't matter. One of the major advantages of iSCSI is that it stands on the shoulders of a giant, and that giant is long-established Ethernet technology. Non-repudiation technology from the Ethernet world is designed precisely to deal with attackers like these.
5. IPsec encryption
Adopting non-repudiation technology brings you close to the top grade. If user authentication is a good safety helmet, non-repudiation technology should be regarded as a fully armoured Type 90 tank. But security is a high-level topic: although bricks cannot harm a tank, an anti-tank shell is another matter.
Is there any stronger defence than non-repudiation technology? Of course; you can find one in the same Ethernet technology, and IPsec encryption can be considered one. IPsec not only prevents attackers from modifying network packets, but also prevents packets from being intercepted, or, to be precise, makes intercepted packets meaningless.
It is like two deaf people in love: you can't hear anything through the wall, at most some meaningless mumbling that cannot be interpreted at all.
Two closing points:
First, the relationship between security and performance is like that of the fish and the bear's paw: you cannot have both. Users should find a balance between security and performance and not over-emphasize either.
Second, there is no absolute security. The definition of "security" in the networking field is ...... I forget, but roughly it means that if the cost of getting through the protection is higher than the benefit obtained from the attack, the system is safe.