1 / 29

iSCSI

iSCSI. A repeat of Ben’s presentation. What Is iscsi ?. Internet Small Computer System Interface A protocol that carries SCSI commands over IP networks Developed by IBM and Cisco in 1998 A lower-cost alternative to Fibre Channel in SANs. Storage area networks .

angelo
Download Presentation

iSCSI

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. iSCSI A repeat of Ben’s presentation

  2. What Is iscsi? • Internet Small Computer System Interface • A protocol that carries SCSI commands over IP networks • Developed by IBM and Cisco in 1998 • A lower-cost alternative to Fibre Channel in SANs

  3. Storage area networks • Traditionally, servers would have their own directly attached storage and backup. This only works for small networks in a single location. • A Storage Area Network introduces centralized storage and backup, which works better in large networks that are geographically dispersed. • The key to making a SAN work is the network. Because all the servers are dependent on the centralized storage, the network has to be fast and reliable.

  4. Fibre Channel • Classic SANs use Fibre Channel to connect the servers to the centralized storage. • The advantage of Fibre Channel was the increased performance over TCP – 2 Gbpsvs 100 Mbps at the time of introduction. • The disadvantage of Fibre Channel is the cost – it requires expensive specialized hardware and cabling.

  5. Ethernet caught up

  6. Iscsivsfibre channel • iSCSI has a lower implementation cost because it can be run over regular TCP networks. Fibre Channel requires expensive specialized hardware. • Fibre Channel used to be favored for SANs because of the greater performance, but Ethernet is capable of faster speeds now. • iSCSI runs on the same network as the rest of the business, while Fibre Channel runs on a separate network. This increases the reliability and speed of Fibre Channel somewhat.

  7. How iscsi works 1 = Initiator 2 = Encapsulation 3 = Target

  8. Iscsi names • Both targets and initiators require names for the purpose of identification. Additionally, names allow for iSCSI storage to be managed regardless of address. • iSCSI names must be unique, and because iSCSI can be routed the name format is made to be worldwide unique. • Names are associated with iSCSInodes. • iSCSI names are permanent and they are not dependent on address.

  9. Iscsi name examples Type: IQN or EUI Date: This date must be a date during which the naming authority owned the domain name used in this format Auth: The reversed domain name of the person or organization creating this iSCSI name Optional colon-prefixed string with the character set and length boundaries that the creator deems appropriate.

  10. iScsipdu • iSCSI defines its own packets that are referred to as iSCSI Protocol Data Units (PDUs). • iSCSI PDUs consist of a header and possibly data, where the data length is specified in the header. • An iSCSI PDU is sent as the content of one or more TCP packets.

  11. Iscsi session types • iSCSI defines two types of sessions: • Normal operational sessions • Discovery-sessions – These are only used for the discovery of iSCSI targets • The session type is defined during the login phase.

  12. Normal operational sessions • Normal operational sessions have two phases: • The login phase • The full feature phase • The login phase provides basic security to the iSCSI protocol. It has to be successfully completed before the session can go into the full feature phase. • The full feature phase is where data transfer occurs. • A session can consist of multiple TCP connections.

  13. Iscsi simple name service • iSNS is software that runs on an operating system or iSCSI device • Both initiators and targets register with the iSNS server • Responsible for: • Informing iSCSI clients about which targets are available on the network • Grouping iSCSI clients to their correct domain set • Informing clients about what security aspects – if any – they must use to associate to targets

  14. Iscsi simple name service

  15. Iscsi error detection • Traditional SCSI operations are assumed to be virtually error-free, because direct-attached SCSI devices share a dedicated parallel bus connection, isolated from network disruptions. • iSCSIoperates over the network, possibly including the Internet. iSCSI needs to be able to deal with disruptions caused by this inherently unreliable network infrastructure. • Both initiators and targets are able to buffer commands until they are acknowledge. For instance, if the initiator wishes to write to the target it keeps the command data in its buffer until it receives an R2T (ready to transmit) message from the target.

  16. Error correction levels • Detection and recovery within an iSCSI task – for instance retransmission of a missing or corrupt PDU • TCP connection that carries a task may experience errors. Recovery is attempted through a command restart. • iSCSI session itself may fail. This means aborting all existing TCP connections for that session, aborting all queued tasks and outstanding commands, and restarting the session through the login phase. This only happens if all other methods of error correction have failed.

  17. iScsi security issues • The compromise of a single iSCSI device equates to the compromise of several (10 to 100) operating systems at once. • Who cares about admin passwords and root access when the entire data store can be compromised?

  18. Trusting internal parties • Vendors have this to say about iSCSI security: • “An iSCSI SAN uses Gigabit Ethernet, a switched network with a point-to-point architecture that makes it nearly impossible to snoop or hijack packet unless you have physical access to the network or switches” • This implies that all internal parties should be trusted, including employees, vendors, business partners, guests, contractors, etc.

  19. Top iscsi security issues • iSCSI names are trusted • iSCSI authorization is the only required security mechanism, and it relies on iSCSI names. • iSCSI authentication is disabled by default • Even when iSCSI authentication is turned on, it relies on CHAP – a fairly weak authentication protocol • iSNS servers are not protected • iSCSI is a clear-text protocol, unless IPSec encryption is used. This is rarely done.

  20. Authorization attack • iSCSI names go over the network in clear-text • They are easy to sniff, guess, or enumerate • The attacker spoofs his or her iSCSI name and establishes a connection with an iSCSI target • Since an iSCSI session often consists of multiple TCP connections, nothing suspicious is detected and the attacker instantly gets access to possibly confidential data

  21. iSCSI Simple Name Server issues • A newly registered iSCSI name will be placed in the default domain set. • Any member of the domain set will be able to enumerate or access the other nodes in the same domain set • These other nodes can now be used for iQN spoofing attacks. • Moving iSCSI nodes out of the default domain set and into custom domain sets is an important security mechanism, but many administrators fail to do so.

  22. Isns man-in-the-middle • Attacker can identify iSNS server by scanning for open port 3205 – iSNS port. • Using ARP poisoning, a fake iSNS server can be created to replace the real one. • Attacker can now: • See all registrations (both targets and clients) • Modify or change domain sets • Downgrade domain sets that require security (removing authentication and encryption)

  23. Isns man-in-the-middle

  24. iSNS domain hopping • An iSNS server relies on iSCSI names for node identification • If an attacker simply spoofs his or her iSCSI name to that of the target, the iSNS server will automatically update and overwrite the legitimate node’s information with that of the attacker. • At minimum: DOS • At maximum: Allows unauthorized hosts to access targets in restricted domains.

  25. Iscsi authentication attack • Again, authentication is an optional implementation. When enabled, it uses CHAP. • Vulnerable to a brute-force attack • Tools are available that automate this process

  26. Iscsi authentication attack

  27. Iscsi message reflection attack • Attacker requests authentication to an iSCSI target • Receives CHAP ID and Challenge • Attacker opens a separate connection to the target and forces it to authenticate • RFC states that any iSCSI target must respond to authentication requests by default • Attacker receives the correct authentication hash from the target, and can use it in the first connection to authenticate to the target

  28. Iscsi message reflection attack

  29. Iscsi security recommendations • Ensure proper configuration of the iSCSI devices and network • Enable mutual authentication, and don’t rely only on CHAP • Create multiple discovery domains – only use the default domain set for random registrations • Require iSNSIPSec • Enable iSCSI IPsec.

More Related