iSCSI Security and Error Detection

Authentication

Authentication verifies that the initiator and target are who they claim to be. SANsymphony software uses CHAP as the authentication protocol.

Two types of authentication are supported:

  • one-way authentication, where the target authenticates the initiator.

  • mutual authentication, where the target and initiator authenticate each other.

Mutual Authentication

Mutual authentication provides a higher level of security and is recommended in most environments. It uses CHAP in both directions, so the initiator proves its identity to the target and the target proves its identity to the initiator. Two user name and shared secret pairs are required: one that the target uses to verify the initiator and one that the initiator uses to verify the target. The two secrets should be different; if the same secret is used in both directions, a peer that does not know it can reflect a challenge it has just received back at the other side and reuse the answer as its own response. The initiator must have the secret assigned first.

CHAP

The Challenge-Handshake Authentication Protocol (CHAP) was defined for Point-to-Point Protocol (PPP) connections in RFC 1994; its use during iSCSI login is specified in RFC 3720 (now RFC 7143). The authenticating side sends a random challenge, and the peer answers with an MD5 hash of the CHAP identifier, the shared secret and the challenge, so the secret itself never crosses the wire. The protection depends on the secret rather than on MD5: anyone who captures a challenge and its response on an unencrypted network can test candidate secrets offline, so short or guessable secrets are weak. Use long random secrets (the Microsoft iSCSI initiator requires 12 to 16 characters) and, where the storage network is not physically isolated, protect the session with IPsec as described below.
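The CHAP computation described above, and the mutual variant from the previous section, carried through in code as an added example written for this page (it is not SANsymphony or Microsoft initiator code). The IQNs, secrets and wordlist are constructed; the hex "0x..." key encoding and the rule against answering a reflected challenge follow RFC 3720. The last function shows why the MD5 response alone does not protect a weak secret on an untrusted network, which is the reason for the IPsec section that follows.

```python
"""MD5-CHAP as carried in iSCSI login (RFC 1994 algorithm, RFC 3720 CHAP_* keys).
Constructed example for illustration; not SANsymphony or Microsoft initiator code."""
import hashlib
import hmac
import secrets


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response: MD5(Identifier || secret || challenge).
    identifier is the one-octet CHAP_I, challenge the bytes behind CHAP_C,
    and the 16-byte digest is what the answering side returns as CHAP_R."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Recompute the expected response and compare in constant time."""
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


# iSCSI sends CHAP_C and CHAP_R as text keys; the hex "0x..." encoding is used here.
def to_key(value: bytes) -> str:
    return "0x" + value.hex()


def from_key(text: str) -> bytes:
    if not text.lower().startswith("0x"):
        raise ValueError("only hex-encoded CHAP values are handled in this example")
    return bytes.fromhex(text[2:])


class Peer:
    """One end of a login. own_secret answers challenges sent to us;
    peer_secret verifies the other side (a different value for mutual CHAP)."""

    def __init__(self, name: str, own_secret: bytes, peer_secret: bytes):
        self.name = name              # CHAP_N
        self.own_secret = own_secret
        self.peer_secret = peer_secret
        self.issued = set()           # challenges this peer has issued

    def challenge(self):
        ident = secrets.randbelow(256)
        chal = secrets.token_bytes(16)   # challenges must be random and unpredictable
        self.issued.add(chal)
        return ident, to_key(chal)

    def answer(self, ident: int, chal_key: str) -> str:
        chal = from_key(chal_key)
        # RFC 3720 8.2.1: never answer a challenge we issued ourselves. A peer that
        # reflects it is trying to turn our answer into its own credential.
        if chal in self.issued:
            raise ValueError("reflected CHAP challenge, closing connection")
        return to_key(chap_response(ident, self.own_secret, chal))

    def check(self, ident: int, chal_key: str, resp_key: str) -> bool:
        return chap_verify(ident, self.peer_secret, from_key(chal_key), from_key(resp_key))


def one_way_login(initiator: Peer, target: Peer) -> bool:
    """Target authenticates the initiator only."""
    t_id, t_chal = target.challenge()
    return target.check(t_id, t_chal, initiator.answer(t_id, t_chal))


def mutual_login(initiator: Peer, target: Peer) -> bool:
    """Target challenges the initiator, then the initiator challenges the target."""
    if not one_way_login(initiator, target):
        return False
    i_id, i_chal = initiator.challenge()
    return initiator.check(i_id, i_chal, target.answer(i_id, i_chal))


def offline_dictionary_attack(ident: int, chal_key: str, resp_key: str, wordlist):
    """What a passive sniffer on an unencrypted segment can do with one captured
    exchange: try candidate secrets until the MD5 matches. Returns the secret or None."""
    chal, resp = from_key(chal_key), from_key(resp_key)
    for word in wordlist:
        if chap_response(ident, word.encode(), chal) == resp:
            return word
    return None


if __name__ == "__main__":
    # Constructed IQNs and secrets; 12 to 16 characters as the Microsoft initiator requires.
    init = Peer("iqn.2001-04.com.example:app01", b"InitSecret#1234", b"TgtSecret#56789")
    tgt = Peer("iqn.2001-04.com.example:ssv01", b"TgtSecret#56789", b"InitSecret#1234")
    print("mutual login:", mutual_login(init, tgt))
    # A weak secret falls to a wordlist even though it never crossed the wire.
    ident, chal = 7, to_key(bytes(range(16)))
    resp = to_key(chap_response(ident, b"password1234", from_key(chal)))
    print("recovered:", offline_dictionary_attack(ident, chal, resp, ["letmein12345", "password1234"]))
```

The reflected-challenge check is the part most real initiators get silently from their stack; it is spelled out here because it is the reason the two directions of mutual CHAP need different secrets.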

CHAP settings can be configured on a per-initiator basis by changing the properties associated with the relevant target port in iSCSI Manager. This process is simplified if an iSNS server is used to maintain a list of initiators.

To set CHAP secrets:

On initiators, CHAP and Mutual Authentication can be enabled and target secrets can be set while logging on to target portals on the storage server. Initiator CHAP secrets can be entered in the MS iSCSI Initiator component in iSCSI Manager; refer to iSCSI Initiator Properties in iSCSI Manager. (On application servers, initiator CHAP secrets should be entered using the instructions for your specific operating system and iSCSI initiator software.)

On targets, CHAP and Mutual Authentication can be enabled and initiator secrets can be set using iSCSI Manager. Refer to Configuring Authentication and Entering a CHAP Secret in iSCSI Manager.

IPsec Encryption Protocol

Internet Protocol Security (IPsec) is a suite of open standards that authenticates and encrypts IP packets, providing confidentiality, integrity and origin authentication for traffic between two hosts. Applied to iSCSI it protects both the data blocks and the CHAP login exchange, neither of which iSCSI encrypts on its own.

To enable security and integrity checks for iSCSI connections, set up a mirrored IPsec filter that covers all TCP traffic between any port on the initiator and TCP port 3260 (the iSCSI target port) on the target; a mirrored filter matches both directions of the connection. Choose the filter action that requires security rather than merely requests it, because a request-only policy falls back to clear text with a peer that does not negotiate IPsec. The policy must be configured on both the target and the initiator with matching authentication and encryption settings.

For information on how to configure IPsec, consult the documentation provided with your operating system or network card. Microsoft Windows includes the Local Security Policy console (IP Security Policies) and, on current versions, Connection Security Rules in Windows Firewall with Advanced Security, either of which can be used to define IPsec policies.

CRC/Checksum Error Detection

In SANsymphony software, enhanced error detection can be provided by enabling Cyclic Redundancy Check (CRC) digests on iSCSI PDUs. When CRC/Checksum is enabled, the iSCSI driver appends a 32-bit CRC32C digest (the digest algorithm defined by the iSCSI standard) to each PDU it transmits; the receiving driver recomputes the digest and rejects the PDU if it does not match, so corrupted data is not written or returned as good. This gives a far lower probability of undetected errors than the 16-bit ones' complement checksum that TCP/IP performs, which misses some error patterns such as reordered 16-bit words. The digest can be enabled as a Header Digest (covering the PDU header), a Data Digest (covering the data segment), or both; the setting is negotiated during login, so the choice must be supported on the initiator as well as the target. Computing the digests adds CPU work on both ends unless the network adapter offloads it.

CRC/Checksum error detection can be enabled in iSCSI Manager when you log on to a target, refer to Logging on to Targets using the iSCSI Manager Tool.
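To make the digest mechanism concrete, the following added example (illustration written for this page, not the SANsymphony iSCSI driver) implements the CRC32C used for iSCSI Header and Data Digests, appends and checks a digest over a constructed 48-byte Basic Header Segment, and contrasts it with the 16-bit TCP checksum: swapping two 16-bit words is invisible to the checksum but caught by the CRC. The BHS field values and the flipped bit positions are constructed, not captured traffic.

```python
"""iSCSI Header/Data Digest with CRC32C (RFC 3720 section 12.1), contrasted with the
16-bit TCP checksum. Constructed example for illustration; not SANsymphony driver code."""
import struct

_POLY = 0x82F63B78   # Castagnoli polynomial 0x1EDC6F41 in bit-reflected form


def _make_table():
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ _POLY if c & 1 else c >> 1
        table.append(c)
    return table


_TABLE = _make_table()


def crc32c(data: bytes) -> int:
    """CRC32C as the iSCSI digests use it: reflected, seed 0xFFFFFFFF, final XOR
    0xFFFFFFFF. RFC 3720 appendix B.4 gives 32 zero bytes -> bytes aa 36 91 8a,
    i.e. the integer 0x8A9136AA; the usual check value for b"123456789" is 0xE3069283."""
    crc = 0xFFFFFFFF
    for b in data:
        crc = _TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum, the error check TCP itself provides."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def pad4(segment: bytes) -> bytes:
    """iSCSI segments are padded to a 4-byte boundary before the digest is computed."""
    return segment + b"\x00" * (-len(segment) % 4)


def add_digest(segment: bytes) -> bytes:
    """Append the digest as it appears on the wire (the RFC test patterns
    correspond to the CRC32C integer in little-endian byte order)."""
    seg = pad4(segment)
    return seg + struct.pack("<I", crc32c(seg))


def check_digest(wire: bytes):
    """Split off the trailing 4-byte digest and recompute it. Returns (segment, ok)."""
    if len(wire) < 4:
        raise ValueError("segment too short to carry a digest")
    body, digest = wire[:-4], wire[-4:]
    return body, struct.pack("<I", crc32c(body)) == digest


def constructed_bhs() -> bytes:
    """A 48-byte Basic Header Segment for a SCSI Command PDU (constructed values):
    opcode 0x01, flags F|R, AHS length 0, data length 0, LUN 0, ITT 1,
    expected transfer length 512, CmdSN 1, ExpStatSN 1, then a 16-byte READ(10) CDB."""
    cdb = bytes([0x28, 0, 0, 0, 0, 0, 0, 0, 1, 0]) + bytes(6)
    return struct.pack("!BB2xB3s8sIIII", 0x01, 0xC0, 0, b"\x00\x00\x00", bytes(8), 1, 512, 1, 1) + cdb


def detects_bit_flip(segment: bytes, bit: int) -> bool:
    """Flip one bit of the protected bytes and report whether the receiver notices."""
    wire = bytearray(add_digest(segment))
    wire[bit // 8] ^= 1 << (bit % 8)
    return not check_digest(bytes(wire))[1]


def word_swap_caught(payload: bytes):
    """Swap the first two 16-bit words. A ones'-complement sum is commutative, so the
    TCP checksum is unchanged; CRC32C is order sensitive. Returns (tcp_sees_it, crc_sees_it)."""
    swapped = payload[2:4] + payload[0:2] + payload[4:]
    return (internet_checksum(payload) != internet_checksum(swapped),
            crc32c(payload) != crc32c(swapped))


if __name__ == "__main__":
    print("crc32c(32 zero bytes) = 0x%08X" % crc32c(bytes(32)))
    print("bit flip detected:", detects_bit_flip(constructed_bhs(), 13))
    print("word swap caught (tcp, crc):", word_swap_caught(constructed_bhs()))
```

Running it shows the practical argument for enabling the digests: every single-bit error is caught by the CRC, and the word swap that the TCP checksum cannot see at all changes the CRC32C value.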
