Secure Asymmetric iSCSI For Online Storage


1 Secure Asymmetric iSCSI For Online Storage
Sarah A. Summers
Here to talk to you about my Master's project – Secure Asymmetric iSCSI for Online Storage
11/29/2018 Summers - SAiSCSI

2 Outline of Presentation
- Goals of the Project
- Overview of SCSI, iSCSI and IPsec
- Review of Efficient Asymmetric Secure iSCSI
- Testing of Efficient Asymmetric Secure iSCSI
- Motivation for Enhancements
- Proposed Enhancements
- Results
- Disaster Recovery
- Additional Research
- Lessons Learnt, Future Work, Conclusions
I would like first to give you a general outline to this presentation. The items covered will be:
- Goals of the project
- Brief overview of SCSI, iSCSI and IPsec as relevant to the project
- Review of the previous work on Efficient Asymmetric Secure iSCSI
- My testing of the Efficient Asymmetric Secure iSCSI scheme
- Motivation for enhancements
- The proposed enhancements
- Performance results obtained from testing the enhancements
- Additional research that I undertook
Then I will finish up with lessons learnt during the project, some suggestions for future work and finally some general conclusions.

3 Goals
- Enhance the existing Efficient Asymmetric Secure iSCSI scheme to:
  - Enable the transfer of files of arbitrary size
  - Allow files to be transferred to two target storage devices
- Develop and implement a user interface to simplify usage of the scheme
- Consider the use of the scheme for disaster recovery
The goals of the project can be split into 3 areas:
- Enhancement of the existing Efficient Asymmetric Secure iSCSI scheme to:
  - Enable the transfer of files of arbitrary size
  - Allow files to be transferred to two target storage devices
- Develop and implement a graphical user interface to simplify usage of the scheme
- Consider the use of the scheme for disaster recovery

4 Overview of SCSI, iSCSI and IPsec

5 SCSI
- Application Layer Storage Protocol
- Standard device interface bus enabling block data I/O
- Logically addresses blocks
- Utilizes a client/server (initiator/target) architecture
- Data transferred in Command Descriptor Blocks
- Limitations
  - Length of SCSI bus limits distance over which SCSI can operate
  - Limited number of devices can be connected to it
Add slide at end of presentation showing CDB

6 iSCSI
- End-to-end protocol to enable transportation of storage I/O block data over IP networks
- Maps SCSI functionality to the TCP/IP protocol
- SCSI CDBs encapsulated in iSCSI Protocol Data Units
- Can be implemented in software and hardware
- Limitations
  - No built-in security, relies on IPsec
Include slides of PDUs in extra section at end

7 IPsec
- Extension of the IP protocol that provides security to IP and upper layers of the OSI model
- Encapsulating Security Protocol (ESP) – provides confidentiality and optionally authentication
  - Performs 3 basic steps
    - Header calculation and placement
    - Trailer calculation and placement
    - ESP authentication field calculation and placement
- Internet Key Exchange (IKE)
- Transport Mode
Possibly include a diagram or something at end of presentation

8 sg3_utils
- sg3_utils package containing low level utilities for devices using the SCSI command set
- Utilizes the sg interface
- sg_dd is a variant of the dd command – specialized for block oriented devices that use the SCSI command set
    sg_dd if=test.txt of=/dev/sda bpt=1 odir=1 skip=0 seek=0
  - bpt = blocks per transfer
  - odir = direct output
  - skip = the block number in the input file to commence reading
  - seek = the block number in the output file to commence writing

9 Review of Efficient Asymmetric Secure iSCSI

10 Efficient Asymmetric Secure iSCSI
- Utilizes the sg_dd command to achieve the transfer of files between initiator and target
- Dual key cryptographic enhancement to IPsec
  - Custom key to encrypt data
  - IKE generated keys to encrypt headers

11 EASI Packet Modification
The EASI implementation requires that the packets in which the data is transmitted are modified. The implementation requires that a file be an integer multiple of block size. The block size used is 1024 bytes. In addition to the user data being an integer multiple of block size the combination of the TCP and iSCSI headers must also be block size. This is achieved by moving the TCP header and inserting the appropriate amount of padding in the gap created between the TCP and iSCSI headers.

12 Testing of Efficient Asymmetric Secure iSCSI

13 VMware Virtual Machine Test Bed
Having established how the Efficient Asymmetric Secure iSCSI scheme worked, it was necessary to test the scheme in order to determine what factors may affect proposed enhancements. A VMware virtual machine test bed was created. This was achieved by creating images of the physical test bed using UltimateP2V.
- Attempted to recreate as VMware machines
- Existing scheme was cloned to VMware Server
- Additional Target Machine created with additional hard disk for storage

14 Limitations of the Existing Scheme
- User data must be an integer multiple of block size (1024 bytes)
- Target Storage File Limitations
  - Only one file can be stored at a time
  - Pre-set size of target storage file limits the size of the user data that can be stored
- sg_dd Utility Limitation
  - Count and block size values must be specified when issuing the sg_dd command
- Reading data from the target using the cp utility results in the entire target file being retrieved
- Mounting of a target storage disk is not possible with the existing implementation

15 Motivations for Enhancements
- Bringing existing implementation closer to a complete and usable secure data transfer/storage system
  - Allowing transfer of files of arbitrary size
  - Allow duplicate transfer of files to second target storage device
- Relative complexity of existing scheme in terms of user interaction

16 Proposed Enhancements

17 Secure Asymmetric iSCSI For Online Storage Enhancements
- Enhancements to the sg_dd utility to:
  - Transfer files of arbitrary size
  - Transfer to two targets
- Graphical User Interface
  - Initiator interface
  - Target interface

18 Implementation Logic for Arbitrary File Transfer
    Set block_size = 1024
    If input_file != target_storage_device
        Determine size of file in bytes
        If ((size % 1024) != 0) {
            while ((size % 1024) != 0) {
                size++;
            }
        }
        count = size / 1024
        create CDB using count value
- Changing the default ‘bs’ value in the sg_dd code to 1024
- Adding a function to determine the size of the file in bytes. If the returned value is not block size (1024 bytes) or an integer multiple of block size, the count value must be set to the next integer multiple of the number of blocks to be written. This value is then used for constructing the command descriptor blocks, reading the data from the initiator, and writing to the target.
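An added example, not code from the slides or from sg_dd itself: the round-up logic above computed in closed form, with the resulting count placed in a command descriptor block. The choice of WRITE(10) and the function names blocks_for_size, tail_padding and build_write10 are assumptions made for illustration; the file size in main is a constructed sample.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_SIZE 1024u            /* block size used by the scheme */
#define WRITE10_OPCODE 0x2Au        /* SCSI WRITE(10) operation code */
#define WRITE10_MAX_BLOCKS 0xFFFFu  /* transfer length is a 16-bit field */

/* Blocks needed for `size` bytes, rounded up. Dividing first avoids the
 * wrap-around that (size + 1023) / 1024 hits near UINT64_MAX. */
uint64_t blocks_for_size(uint64_t size)
{
    return size / BLOCK_SIZE + (size % BLOCK_SIZE != 0);
}

/* Padding bytes that fill the final, partially used block. */
uint32_t tail_padding(uint64_t size)
{
    uint32_t rem = (uint32_t)(size % BLOCK_SIZE);
    return rem ? BLOCK_SIZE - rem : 0;
}

/* Build a WRITE(10) CDB. Returns 0, or -1 when the block count is zero
 * or too large for the 16-bit transfer length field. */
int build_write10(uint8_t cdb[10], uint32_t lba, uint64_t nblocks)
{
    if (nblocks == 0 || nblocks > WRITE10_MAX_BLOCKS)
        return -1;
    memset(cdb, 0, 10);
    cdb[0] = WRITE10_OPCODE;
    cdb[2] = (uint8_t)(lba >> 24);     /* logical block address, big-endian */
    cdb[3] = (uint8_t)(lba >> 16);
    cdb[4] = (uint8_t)(lba >> 8);
    cdb[5] = (uint8_t)lba;
    cdb[7] = (uint8_t)(nblocks >> 8);  /* transfer length, in blocks */
    cdb[8] = (uint8_t)nblocks;
    return 0;
}

int main(void)
{
    uint64_t size = 2500;              /* constructed sample file size */
    uint8_t cdb[10];
    uint64_t n = blocks_for_size(size);
    if (build_write10(cdb, 0, n) != 0)
        return 1;
    printf("%llu bytes -> %llu blocks, %u padding bytes\n",
           (unsigned long long)size, (unsigned long long)n, tail_padding(size));
    return 0;
}
```

The padding is why a file read back from the target comes out longer than the original unless the true length is recorded somewhere, which matches the limitation that a count value must still be given when reading.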

19 Implementation Logic for File Transfer to Two Targets
    Set block_size = 1024
    If (second output file == TRUE) {
        Determine device type
        Determine number of blocks in second target
        create command descriptor block for second target
    } else
        set second output file to be /dev/null
- Add another command line argument to allow the user to specify a second target device.
- Process the command line options to determine whether one or two target devices are specified.
- If a second target is specified, determine the type of device it is.
- Determine the number of blocks and the block size of the second target.
- Create a second command descriptor block for the second target.

20 File Transfer Performance Results

21 Comparison Data for Transfer of Arbitrary Sized Files

22 Comparison Data for Transfer to Two Targets

23 User Interface

24 User Interface
- Developed and implemented using Python and Tkinter
- Comprised of two components
  - Initiator Interface
  - Target Interface

25 User Interface Screenshots

26 Initiator Interface Functionality
- Generate IPsec keys
- Generate SAD and SPD entries
- Start initiator software
- Login/Logout to/from the target(s)
- Transfer user data to target storage
- Retrieve user data from target storage

27 Target Interface Functionality
- Create additional target storage file(s)
- Configure ietd.conf file for additional target(s)
- Generate SAD and SPD entries
- Start/stop iscsitarget software

28 Secure Asymmetric iSCSI for Disaster Recovery
- HIPAA and SOX require security, privacy and accountability of data
- Standard online storage techniques may not be sufficient
- Secure Asymmetric iSCSI for online storage may be the solution
- Secure storage of custom key
  - Initiator and custom key can be duplicated
  - Store key with trusted third party
HIPAA and SOX require security, privacy and accountability of stored data. There is also the requirement to disclose data within a specified time period. The advent of online storage goes some way to addressing these issues. However, standard online storage techniques may not be sufficient. The Secure Asymmetric iSCSI for Online Storage scheme offers a potential solution. However, a number of issues remain to be resolved. In the current implementation the custom key is stored on the initiator. If the initiator is destroyed there is no way to decrypt the data. One solution is to duplicate the initiator and thus the custom key. However, doing so effectively dilutes the security provided by the key. A second alternative is to store the key with a trusted third party. However, in the event of a disaster the time taken to recover the key from the third party may be unacceptable in terms of the delay in restoring availability of data. Obviously, this is an area that needs further consideration.

29 Additional Research
During testing of the Efficient Asymmetric iSCSI scheme, it was discovered that the scheme could not be used with a mounted target storage device. Since the mounting of a target storage device is highly desirable, it was decided to examine network protocol analyzer logs for, amongst other things, the mount command. Since the Linux kernel, open-iscsi and iscsitarget software have undergone significant changes since the implementation of EASI, it was decided to create an updated test bed with more recent versions of the kernel and software.

30 Mounting a Target Storage Device
- Network Protocol Analyzer (Wireshark) Results
  - Discovery – only iSCSI/SCSI commands issued
  - Login – iSCSI/SCSI Read and PDU but PUSH flag not set
  - Mounting results in the issuing of iSCSI/SCSI Writes and Reads
  - iSCSI/SCSI Writes/Reads interpreted by EASI as file transfers
- strace of mount command
  - kernel reads file system information which results in invocation of iSCSI/SCSI commands
It was known that both discovery and login are successful with the existing scheme; therefore network protocol analyzer logs were taken during these processes for comparison purposes against the mount log. During discovery only iSCSI/SCSI commands were found to be issued. In comparison, during the login process an iSCSI/SCSI Read and its associated Data-in PDU were issued; examination of these packets revealed that the PSH flag was not set and therefore the packet would not be processed by the EASI scheme. Examination of the mount log revealed that a number of iSCSI/SCSI Reads and Writes and associated Data-in and Data-out PDUs were issued. Closer examination of the packets suggested that these packets would be processed by EASI. In order to understand why the Reads and Writes occurred, the mount command was examined further and an strace log was obtained. It was found that mount is a file system operation handled by the Virtual File System. During the mount the kernel reads file system information and sets up file descriptors. As a result, read and write commands are issued which may result in iSCSI/SCSI Reads and Writes being issued. Th
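An added example, not the EASI code and not taken from the capture logs: a simplified model of the packet check described above, showing why mount traffic is handled like a file transfer. The rule used here (iSCSI port 3260, PSH flag set, Data-In or Data-Out opcode in the first header byte) is an assumption about how user data is recognised, and every packet in the table is constructed.

```c
#include <stdint.h>
#include <stddef.h>

#define ISCSI_PORT  3260u
#define TCP_PSH     0x08u   /* PSH bit in the TCP flags byte */
#define TCP_ACK     0x10u
#define OP_MASK     0x3Fu   /* opcode: low 6 bits of the first BHS byte */
#define OP_TEXT_REQ 0x04u   /* Text Request, used during discovery */
#define OP_DATA_OUT 0x05u   /* SCSI Data-Out, initiator to target */
#define OP_DATA_IN  0x25u   /* SCSI Data-In, target to initiator */

enum pkt_class { NOT_ISCSI, ISCSI_NO_USER_DATA, ISCSI_USER_DATA };

struct pkt {
    const char *origin;     /* what generated the packet (label only) */
    uint16_t sport, dport;
    uint8_t tcp_flags;
    uint8_t bhs0;           /* first byte of the iSCSI Basic Header Segment */
};

/* Assumed model of the check: iSCSI port, PSH set, data PDU opcode. */
enum pkt_class classify(const struct pkt *p)
{
    if (p->sport != ISCSI_PORT && p->dport != ISCSI_PORT)
        return NOT_ISCSI;
    if (!(p->tcp_flags & TCP_PSH))
        return ISCSI_NO_USER_DATA;
    uint8_t op = p->bhs0 & OP_MASK;
    return (op == OP_DATA_OUT || op == OP_DATA_IN) ? ISCSI_USER_DATA
                                                   : ISCSI_NO_USER_DATA;
}

/* Constructed packets, not taken from the capture described above. */
const struct pkt samples[] = {
    { "discovery text", 40000, 3260, TCP_ACK | TCP_PSH, OP_TEXT_REQ },
    { "login read",     3260, 40000, TCP_ACK,           OP_DATA_IN  },
    { "sg_dd write",    40000, 3260, TCP_ACK | TCP_PSH, OP_DATA_OUT },
    { "mount fs write", 40000, 3260, TCP_ACK | TCP_PSH, OP_DATA_OUT },
    { "mount fs read",  3260, 40000, TCP_ACK | TCP_PSH, OP_DATA_IN  },
    { "ssh",            40001, 22,   TCP_ACK | TCP_PSH, 0x00        },
};

/* Count how many packets would be handled as user data. */
size_t count_user_data(const struct pkt *pkts, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        hits += classify(&pkts[i]) == ISCSI_USER_DATA;
    return hits;
}

int main(void) { return count_user_data(samples, 6) == 3 ? 0 : 1; }
```

At this level the sg_dd write and the mount-time file system write are indistinguishable, so a check built on headers alone cannot separate user payload from file system metadata.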

31 Using cp to transfer to a Mounted Storage Device
- Writing to Target
  - Various iSCSI/SCSI Writes and Data-out PDUs
  - In addition to user payload, file and directory structure of storage device written
- Reading from Target
  - Various iSCSI/SCSI Reads and Writes
  - Plain vanilla TCP packet after first iSCSI/SCSI Read contains names of directories and files currently on target storage
  - Unidentified data in some Data-out PDUs

32 Lessons Learnt/Observations
- sg_dd uses defaults of stdin for input file and stdout for output file. If no output is required use /dev/null
- Linux kernel, open-iscsi and iscsitarget under constant development. Therefore changes to these codes need to be incorporated in new releases.
- Wireshark and Ethereal appear to interpret/display identical log files in a different manner.
- Retrieving data from target using sg_dd requires count value to be specified.
sg_dd code uses defaults of standard input stream (stdin) for input file and standard output stream (stdout) for output file. If no output file is required /dev/null is used. This information was used when reading back from the target.

33 Future Directions
- Modify the EASI scheme to use the most current Linux kernel version, open-iscsi and iscsitarget code.
- Re-implement the EASI scheme in a way that mounted target storage disk can be used.
- Improve the simplification of the setup and use of the implementation through the development of an API.
- Enhance the implementation to utilize a dynamic method, such as ‘racoon’, for establishing security associations between the initiator and target

34 Conclusions
- Enhancements to the sg_dd utility have enabled:
  - Simulated transfer of files of arbitrary size
  - Transfer of files to two targets
- Graphical user interface simplifies user interaction:
  - Keys for the encryption of the headers have been simplified
  - Interaction with the initiator and target software has been simplified
  - Writing and reading user data to/from the target has been simplified
- Limitations
  - Arbitrary file transfer still requires user to specify a count value when reading data from target storage
  - True arbitrary file transfer is not achieved

35 ADDITIONAL SLIDES

36 SCSI Command Descriptor Block
- Operation Code – the operation being requested e.g., read or write and length of CDB
- Logical Block Address – Identifies the location of the data on the physical medium
- Transfer Length – The amount of data to be transferred (number of blocks)
  - Marked as if required since some commands transfer no data
- Parameter List Length – Identifies the number of bytes that an application client wishes to transfer. If the value is zero no data is transferred.
- Allocation length – The maximum number of bytes an application client wishes to transfer

37 Phases of SCSI I/O Operation
3 main phases:
- Command: Initiator sends command and parameters to the target in a CDB
- Data: Data is transferred in accordance with command issued in CDB
- Status: Provides confirmation that command executed is received
Bare minimum: command and status, no data is transferred

38 SCSI Architecture in Linux Kernel
- Upper Layer – Main entry point
- Mid Layer – Unifying layer
- Lower Layer – Drivers

39 General Structure of iSCSI PDU

40 iSCSI PDU Basic Header Segment

41 iSCSI Protocol Layering Model

42 Data Encapsulation

43 Open-iSCSI
- Open source software implementation of iSCSI initiator
- Kernel Portion
  - iSCSI data path
- User Portion
  - Control path of iSCSI
  - Management facilities
- Release used in EASI: open-iscsi
- Current Release: open-iscsi

44 iscsitarget
- Open source software implementation of iSCSI target
- Kernel Portion
- User Portion
- Release used in EASI: iscsitarget
- Current Release: iscsitarget

45 Packet for IPsec Transport Mode

46 Write Processing on the Target
- Identify iSCSI traffic
- Identify packets containing user data
- Decrypt packets not containing user data
- Process packets containing user data

47 Write Processing on the Target
- Identify iSCSI traffic
- Identify packets containing user data
- Decrypt packets not containing user data
- Process packets containing user data

48 Read Processing on the Target
- Identify iSCSI traffic – source port 3260
- Determine if iSCSI packet contains user data
- Encrypt packets not containing user data
- Encrypt packets containing user data

49 Read Processing on the Initiator
- Identify iSCSI traffic
- Determine if packet contains user data
- Decrypt packets containing user data
- Decrypt packets not containing user data

50 Comparison of Standard IPsec and EASI at Packet Level

51 Initiator GUI

52 Target GUI

