Month: September 2018
 
          Block Storage Security 101: An Introduction to iSCSI SAN Deployments and Security
“Once my data is in your storage environment, how do I know it’s safe?”
This is one of the most common questions we hear from potential customers, and it’s not surprising. That’s why we wrote this blog post: to provide background on security in a traditional Fibre Channel environment as well as how security is practically handled in the modern Internet Small Computer Systems Interface (iSCSI) framework, which communicates over existing networks, rather than requiring its own infrastructure like traditional Fibre Channel.
And while there are numerous ways that storage providers might keep your data safe and secure, there is one key point to make from the start: Using a wide variety of available tools in combination is the best way to keep your storage secure.
(Note that the information in this blog post pertains to both dedicated and multitenant storage environments.)
The Old School: Fibre Channel
Fibre Channel storage has typically been used to present block storage to compute hosts. This is separate from the production networking and uses a separate medium, electronics and protocol.
Fibre Channel security usually entails configuring LUN zoning or LUN masking (a LUN being the logical unit of disk or a partition off a larger physical array). Fibre Channel adapters have a unique address burned in, which is known as a World Wide Name (WWN).
In LUN zoning, the Fibre Channel switching fabric is configured to prevent hosts from communicating with one another, meaning that WWNs can only communicate with the WWNs used for the SAN arrays. In effect, this acts as a firewall that prevents the hosts from communicating with anything but the storage array.
LUN masking adds more security by further limiting a WWN’s ability to communicate, restricting its communication to a specific LUN. Thus, a group of VMWare hosts would have the WWNs from their FC adapters limited to only communicate with a specific LUN. This further prevents the hosts from being able to communicate with anything except their own assigned LUN.
Ensuring Data Security in iSCSI Environments
iSCSI Addressing
In iSCSI, each host server is an iSCSI Initiator and the SAN is an iSCSI Target. Similar to the WWN system in Fibre Channel, iSCSI uses an iSCSI Qualified Name (IQN). Unlike WWNs, the IQN is made up of four fields that can be configured by the administrator. Those fields are:
Field 1: “IQN”
Field 2: Date, in YYYY-MM format, e.g., “2018-07”
Field 3: a reverse of the DNS domain, e.g., “com.eugene”
Field 4: an optional target name, e.g., “storage.vmware.datastore1.xyz”
All together this would look like “Iqn.2018-07.com.eugene:storage.vmware.datastore1”
iSCSI Network
A dedicated VLAN is used for iSCSI communications between trusted hosts and targets. Having an isolated network is a primary security step to protect hosts, targets and data.
iSCSI Authentication
An iSCSI initiator first needs to authenticate. Typically, Challenge-Handshake Authentication Protocol (CHAP) is used. The two endpoints exchange a hash from the CHAP ID, which consists of a challenge and a secret password.
iSCSI Authorization
Once the host iSCSI initiator has authenticated using CHAP, then the IQN is used for authorization. Think of it this way: Once a host’s identity is authenticated, it needs to ask for access to a specific iSCSI resource. Like Fibre Channel LUN Masking, a SAN array will limit a target LUN to only specific IQNs.
The typical security measures for iSCSI SAN deployments
A CHAP-based handshake between iSCSI initiator (client) and iSCSI Target (storage system) might be sufficient for some implementations. Taking it one step further, modern storage systems also offer domain segmentation, where a restricted group of iSCSI clients (IQNs) are associated with a specific set of IPs that a client inquiry may come from. Then, based on successful CHAP authentication, those IQNs are allowed to discover and communicate with the group of LUNs on the target system (e.g., Host A with IQN Y and coming from the IP 10.x.x.x and with the valid CHAP authentication passed).
It’s important to note here that iSCSI is a clear text protocol. In order to ensure the secure transmission of data between the client and its target storage, all of the above security measures are required and equally important to be in place.
In certain scenarios, depending on the networking topology in place, additional security can be introduced at the networking layer, where only specific hosts (with specific MAC addresses) that are associated with specific networking adapters may initiate an ISCSI connection with a pre-defined source and target IP space within storage network isolated VLAN. (These techniques are similar to SpoofGuard.)
Encryption
Typically, depending on the storage system implementation model and its type, at-rest data encryption is realized through either hardware or software encryption methods.
Hardware-based encryption is associated with self-encrypting drives and requires a special type of hard drive to be used in the storage system. If for any reason the data is attempted to be accessed on such a hard drive outside of its storage platform (e.g., removed from the storage unit shelf), it will be in an encrypted state.
Software-based encryption, as its name suggests, uses software-driven encryption methods, while leveraging the offload of the actual encryption instructions to the underlaying hardware (AES-NI and similar CPU technology). The minimum encryption level recommended for software-based encryption is AES-256. A major benefit of software-based encryption is a lower cost for a solution that delivers the same level of encryption seen with hardware-based solutions.
Conclusion
With the right tools, vendors and implementations, iSCSI is as secure as any other storage system. And while there are many available security tools, the combination of all these tools will put you in the best position long-term to secure your storage environment.
When it comes to securing your block storage, there are no half-measures, and a trusted service provider like HorizonIQ will be able to provide valuable insight and tools to make sure your data is fully secured from start to finish.
Explore HorizonIQ's 
Managed Private Cloud
              LEARN MORE 
            Stay Connected
 
          INAP’s network may be global, but we take pride in knowing that no matter where you are, the performance and service you get feels local.
That’s something that INAP Japan customer TeraRecon, Inc. learned when enlisting our colocation and Performance IP services. The world’s leading independent medical advanced visualization provider, TeraRecon provides detailed 3-D image processing support to the medical industry around the world.
The background: Preparing for a big server move
In June 2017, the Japanese branch of TeraRecon was merged under the American headquarters’ management. This meant a server room relocation, but more importantly, an opportunity to not only unify the systems—which had been previously been dispersed across several workstations—but also create a new development environment with more servers.
One month before the scheduled January move, TeraRecon discovered that their new office’s physical infrastructure and cooling systems would not be able to support a server room. Without any IT infrastructure specialists in its Japanese organization, TeraRecon sought out the help of a data center service provider. Among four options considered, INAP was the only one who was able to deliver both equipment and the network connectivity by the January deadline.
Making the move: The INAP support difference—in two languages
Our support team walked TeraRecon through the process in both English and Japanese, liaising between its U.S. and Japanese teams. “INAP Japan handled meetings with our U.S. engineering team and our systems manager, which let us proceed smoothly with our project in the limited timeframe,” says Mr. Uchiumi, Operations and Marketing Manager at TeraRecon. “INAP Japan’s network engineers’ support … repeatedly created easy-to-understand diagrams for us and explained everything to our U.S. engineers, who were uncertain about Japanese standards.”
INAP also guided the company through the ins and outs of data centers—literally and figuratively—providing a tour to showcase our power redundancy, security and temperature control systems. “By actually observing these features,” Mr. Uchiumi says, “we concluded that this was a Data Center we could trust to operate with sensitive medical imaging data.”
After the move: The benefits of working with an INAP data center
“Since moving into the data center, we haven’t had to worry about anything,” says Mr. Uchiumi. And without IT staff in its Japanese branch, TeraRecon trusts INAP’s expert support team to manage all the day-to-day maintenance.
For TeraRecon’s users, efficient, reliable network connectivity is a must. With our Performance IP service, built into the entire INAP network, TeraRecon doesn’t have to worry about latency or performance either. “We had previously heard about INAP’s ‘Route Optimizer,’ but we are still amazed at its efficiency in the actual production environment,” Mr. Uchiumi says. “We don’t feel any physical distance from our servers even though they are outside our office.”
And for the company’s remote medical image reading service, INAP’s Performance IP service will allow hospitals to provide drastically reduced turnaround times on diagnoses. “Without a high-quality network, the diagnosis would be delayed,” says Mr. Uchiumi. “However, INAP Japan’s ultralow latency network service is the best solution to remedy that issue.”
This post originated from INAP Japan: https://www.internap.co.jp/english/terarecon.html
 
             
             
             
           
            