Five methods to protect your iSCSI Storage System

Source: Internet
Author: User

Editor's note (www.2cto.com): this article can be read together with http://www.bkjia.com/Article/201007/52094.html

How can we keep network attackers out of an iSCSI SAN? This article recommends five measures. Note that although each of these methods can improve the security of an IP SAN, each also has advantages and disadvantages, so consider the implementation carefully. Used properly, they can greatly improve the security of the storage network.

1. Make rational use of access control lists (ACLs)

The network administrator can configure an access control list to restrict which visitors may access which data in the IP SAN. Currently, most mainstream storage systems on the market support IP address-based access control lists. However, a slightly more capable attacker can easily defeat this line of defense. Another method is to use the initiator name of the iSCSI client.

Similar to the World Wide Name (WWN) in Fibre Channel and the globally unique 64-bit unsigned name identifier (MAC address) used on Ethernet, the initiator name is the globally unique identifier assigned to each iSCSI host bus adapter (HBA) or software initiator.

However, it has the same disadvantage as WWNs and MAC addresses: it is easy to spoof, especially for software-based iSCSI initiators. Like LUN masking in Fibre Channel, the access control list is designed to isolate clients' storage resources from one another, not to build a strong security defense.

2. Use an industry-standard user authentication mechanism

Authentication protocols such as the Challenge-Handshake Authentication Protocol (CHAP) identify a user by matching a user name and login password. The password need not be transmitted in plain text on the network, so it cannot be captured by packet sniffing, which is why many network administrators trust this protocol. It is worth noting, however, that these passwords must be stored on the end nodes of the connection, sometimes in plain-text files. The Remote Authentication Dial-In User Service (RADIUS) protocol can move password handling from the iSCSI target device to a central authorization server, which performs authentication, authorization, and accounting for the end nodes. Even so, attackers can still intrude by impersonating a client with spoofed settings.
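Sections 1 and 2 belong together: an initiator-name ACL without CHAP behind it is isolation, not authentication. As an added example (not from the original article), the following Python audit reads a target configuration export and flags portal groups that accept any initiator name or have CHAP disabled. The JSON layout is modelled on targetcli/LIO's saveconfig.json as I understand it (field names are an assumption; adapt them to your vendor's export), and the sample configuration is constructed inline.

```python
import json

# Constructed sample in a layout modelled on targetcli's saveconfig.json
# (assumption: keys such as "tpgs", "attributes", "node_acls" follow the LIO layout).
SAMPLE_CONFIG = json.dumps({
    "targets": [
        {
            "fabric": "iscsi",
            "wwn": "iqn.2003-01.org.example.target:disk1",
            "tpgs": [
                {
                    "tag": 1,
                    "attributes": {"authentication": 1, "generate_node_acls": 0},
                    "node_acls": [
                        {
                            "node_wwn": "iqn.1993-08.org.example.client:host01",
                            "chap_userid": "host01",
                            "chap_password": "constructed-sample-secret",
                        }
                    ],
                }
            ],
        },
        {
            "fabric": "iscsi",
            "wwn": "iqn.2003-01.org.example.target:disk2",
            "tpgs": [
                {
                    "tag": 1,
                    "attributes": {"authentication": 0, "generate_node_acls": 1},
                    "node_acls": [],
                }
            ],
        },
    ]
})


def audit_iscsi_targets(config_text):
    """Return a list of (target_iqn, tpg_tag, finding) tuples for risky settings."""
    cfg = json.loads(config_text)
    findings = []
    for target in cfg.get("targets", []):
        if target.get("fabric") != "iscsi":
            continue
        iqn = target["wwn"]
        for tpg in target.get("tpgs", []):
            tag = tpg.get("tag")
            attrs = tpg.get("attributes", {})
            acls = tpg.get("node_acls", [])
            demo_mode = attrs.get("generate_node_acls", 0) == 1
            # "Demo mode" creates an ACL for whatever initiator name shows up,
            # so the ACL no longer restricts anything.
            if demo_mode:
                findings.append((iqn, tag, "demo mode: any initiator name is accepted"))
            # authentication=0 turns CHAP off for the whole portal group.
            if attrs.get("authentication", 1) == 0:
                findings.append((iqn, tag, "CHAP disabled on portal group"))
            if not acls and not demo_mode:
                findings.append((iqn, tag, "no initiator ACLs: nothing can log in, or export is incomplete"))
            for acl in acls:
                # An ACL entry without credentials relies on the self-declared initiator name alone.
                if not acl.get("chap_userid") or not acl.get("chap_password"):
                    findings.append((iqn, tag, f"ACL {acl['node_wwn']} has no CHAP credentials"))
    return findings


if __name__ == "__main__":
    for iqn, tag, finding in audit_iscsi_targets(SAMPLE_CONFIG):
        print(f"{iqn} tpg{tag}: {finding}")
```

Run it against a real export (for targetcli, `targetcli saveconfig` writes the file) and treat every finding on a production target as something to explain or fix; a clean result still only means the ACL and CHAP settings are present, since the initiator name itself is chosen by the client.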

3. Protect the management interface

Analysis of enterprise Fibre Channel SAN attacks over the past years leads to an important conclusion: it is essential to protect the management interfaces of storage devices. No matter how strictly the SAN itself is protected, an attacker who controls a single management application can reassign storage allocations and change, steal, or even destroy data. Therefore, isolate the management interface on a secure LAN and protect the administrator account with a complex logon password. Check with your storage vendor that no default or backdoor account with a well-known anonymous logon password exists. Role-based security and account activity tracking are both very effective preventive measures; if your existing storage system supports them, we recommend using them.

4. Encrypt data packets transmitted over the network

IP Security (IPsec) is a standard protocol for encrypting and authenticating IP packets. IPsec offers two modes of encrypted communication: (1) IPsec tunnel mode, in which the entire IP packet is encapsulated inside an IPsec packet, providing communication between IPsec gateways; (2) IPsec transport mode, in which the data inside the IP packet is encrypted while the original source and destination addresses are kept. In transport mode only the data portion of each packet (i.e., the payload) is encrypted and the header is left untouched. In tunnel mode the data portion and the header are encrypted together, without modifying the configured devices and applications; an attacker cannot see the real source and destination addresses of the communication, and an encrypted transmission channel can be provided across the Internet in the manner of a private network.

For this reason most users choose tunnel mode. A decryption device supporting IPsec must be set up at the receiving end to decrypt the encapsulated packets. Remember that if the receiving and sending ends do not share a common key, IPsec will not work. To ensure network security, storage vendor groups recommend using IPsec to encrypt all data transmitted in the iSCSI system. However, although IPsec is a powerful protection technology, it seriously degrades network performance. In view of this, use software IPsec as little as possible unless it is necessary.
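The difference between the two modes is easiest to see by asking what a passive observer on the wire can still read. The following Python model, added here as an illustration rather than taken from the article, builds a minimal IPv4/TCP packet carrying an iSCSI payload (port 3260) and wraps it the way ESP would in transport and in tunnel mode. The encryption is a stand-in XOR with a random keystream, labelled as such; it is not real ESP, and the addresses are constructed documentation values.

```python
import os
import struct
from ipaddress import IPv4Address

ISCSI_PORT = 3260  # default iSCSI target port
ESP_PROTO = 50     # IP protocol number for ESP
TCP_PROTO = 6


def ipv4_header(src, dst, proto):
    """Minimal 20-byte IPv4 header (no options, checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)


def tcp_header(sport, dport):
    """Minimal 20-byte TCP header; only the ports matter for this model."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 65535, 0, 0)


def toy_encrypt(data):
    """Stand-in for ESP encryption: XOR with a fresh random keystream (NOT real ESP)."""
    key = os.urandom(len(data))
    return bytes(a ^ b for a, b in zip(data, key)), key


def toy_decrypt(data, key):
    return bytes(a ^ b for a, b in zip(data, key))


def esp_transport(src, dst, iscsi_payload):
    """Transport mode: original IP header in clear, TCP header + payload encrypted."""
    inner = tcp_header(40000, ISCSI_PORT) + iscsi_payload
    ct, key = toy_encrypt(inner)
    return ipv4_header(src, dst, ESP_PROTO) + ct, key


def esp_tunnel(src, dst, gw_src, gw_dst, iscsi_payload):
    """Tunnel mode: whole original packet encrypted; outer header names the gateways."""
    inner = ipv4_header(src, dst, TCP_PROTO) + tcp_header(40000, ISCSI_PORT) + iscsi_payload
    ct, key = toy_encrypt(inner)
    return ipv4_header(gw_src, gw_dst, ESP_PROTO) + ct, key


def observer_view(packet):
    """What a sniffer sees: the outer header fields plus a count of opaque bytes."""
    return {
        "src": str(IPv4Address(packet[12:16])),
        "dst": str(IPv4Address(packet[16:20])),
        "proto": packet[9],
        "opaque_bytes": len(packet) - 20,
    }


def recover_inner(packet, key):
    """The receiving end, holding the shared key, gets the inner bytes back."""
    return toy_decrypt(packet[20:], key)


if __name__ == "__main__":
    payload = b"iSCSI login PDU"  # constructed stand-in for a real PDU
    pkt, _ = esp_transport("10.0.0.10", "10.0.0.20", payload)
    print("transport:", observer_view(pkt))   # initiator/target addresses visible
    pkt, _ = esp_tunnel("10.0.0.10", "10.0.0.20", "203.0.113.1", "203.0.113.2", payload)
    print("tunnel:   ", observer_view(pkt))   # only gateway addresses visible
```

In transport mode the observer still learns which initiator talks to which target (though not the port, since the TCP header is inside ESP); in tunnel mode only the two gateway addresses are exposed. Either way, only a receiver holding the shared key recovers the inner packet, which is the practical meaning of the sentence above about both ends sharing a key.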

5. Encrypt data at rest

It is also necessary to encrypt the data stored on disk. The question is whether encryption should be done on the client (for example an encrypted file system), in the network (for example an encryption appliance), or in the storage system. Many users prefer the first option, the client. Most enterprise operating systems (including Windows and Linux) have strong file-system-based encryption built in. In addition, because encryption happens before data is sent to the network, the data is already encrypted while being uploaded and transmitted. Of course, if encryption significantly increases CPU load, you can consider moving the encryption task into the network, or to an encryption device attached to the disk array, but the effect will be somewhat worse and some protections may become ineffective. Note that you must keep your key safe; otherwise you may be unable to access the encrypted data yourself.
