Securing iSCSI for Data Backup and Disaster Recovery JAMES HUGHES CS526 5/03/05 James W. Hughes 1.


1 Securing iSCSI for Data Backup and Disaster Recovery JAMES HUGHES CS526 5/03/05 James W. Hughes 1

2 Overview
Introduction / Motivation
Brief Overview of iSCSI
Strategies for Securing iSCSI
Conclusion
References

3 Introduction / Motivation
Learn About a New Technology
Attempt To Pass It On
Brief Backup and Disaster Recovery Scenario

4 Brief Overview of iSCSI
iSCSI Protocol
Protocol Data Units
Encapsulation of iSCSI PDU

5 Strategies for Securing iSCSI
Access Control Lists (ACLs)
Strong Authentication Schemes
Secure Management Interfaces
Encrypt Exposed Network Traffic
Encrypt Data at Rest

6 Conclusion
iSCSI is an Alternative to Fiber Channel
Overview of iSCSI Protocol
Strategies for Securing iSCSI

7 Questions

8 References
Hewlett Packard, (2005). iSCSI Overview. PowerPoint presentation.
Foskett, S., (07 Apr 2005), Five ways to secure iSCSI, http://searchstorage.techtarget.com/tip/1,289483,sid5_gci1076436,00.html
Harwood, M., (27 Jan 2004), Storage Basics: Securing iSCSI using IPSec, http://www.enterprisestorageforum.com/ipstorage/features/article.php/11567_3304621_1
Network Sorcery, (n.d.), CHAP, Challenge Handshake Authentication Protocol, http://www.networksorcery.com/enp/protocol/CHAP.htm

9 Access Control Lists (ACLs)
Implementations:
– IP Address
– Initiator Name
– MAC Address
Provides a means of dividing storage resources among clients.
Not a strong security method.

10 Strong Authentication Schemes
Challenge Handshake Authentication Protocol (CHAP)
– Two-way Authentication
– Protects against Playback Attacks
Remote Authentication Dial-In User Service (RADIUS)
Drawbacks:
– Passwords must be stored on both sides
– RADIUS service can be difficult to configure
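The two CHAP properties on this slide, two-way authentication and protection against playback, shown as an added Python example that is not part of the original presentation. It uses the RFC 1994 MD5 response calculation; the class and function names and the sample secrets in any call are constructed for illustration.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): MD5(identifier octet || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class Verifier:
    """The side that issues a challenge and checks the answer."""

    def __init__(self, stored_secret: bytes):
        # The slide's drawback: the verifier must hold the peer's secret itself.
        self.stored_secret = stored_secret
        self.pending = None

    def new_challenge(self):
        # Fresh random identifier and challenge for every login attempt.
        self.pending = (os.urandom(1)[0], os.urandom(16))
        return self.pending

    def verify(self, response: bytes) -> bool:
        if self.pending is None:
            return False
        identifier, challenge = self.pending
        self.pending = None  # a challenge is answered at most once
        expected = chap_response(identifier, self.stored_secret, challenge)
        return hmac.compare_digest(expected, response)

def two_way_login(initiator_secret, target_secret, target_copy, initiator_copy):
    """Target checks the initiator, then the initiator checks the target."""
    target_side = Verifier(target_copy)        # target's copy of initiator secret
    ident, chal = target_side.new_challenge()
    if not target_side.verify(chap_response(ident, initiator_secret, chal)):
        return False
    initiator_side = Verifier(initiator_copy)  # initiator's copy of target secret
    ident2, chal2 = initiator_side.new_challenge()
    return initiator_side.verify(chap_response(ident2, target_secret, chal2))

def replay_check(secret: bytes):
    """Return (first login accepted, replayed response accepted)."""
    verifier = Verifier(secret)
    ident, chal = verifier.new_challenge()
    captured = chap_response(ident, secret, chal)  # what an eavesdropper sees
    first = verifier.verify(captured)
    verifier.new_challenge()                       # next login, new challenge
    return first, verifier.verify(captured)
```

The captured response fails on the second login because it was computed over a challenge the verifier no longer accepts.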

11 Secure Management Interfaces
Lesson Learned From Fiber Channel
– Limit Usage
– Enforce Strong Passwords
– Verify Vendor Accounts Removed or Disabled

12 Encrypt Exposed Network Traffic
IP security (IPsec)
– Authentication Headers (AH)
  – Authentication: Kerberos v5, Public Key Certificates (PKIs), and Preshared keys
  – Integrity: Message Digest 5 (MD5) and Secure Hash Algorithm 1 (SHA1)
– Encapsulating Security Payloads (ESP)
  – Data Encryption Standard (40-bit)
  – Data Encryption Standard (56-bit)
  – Triple DES (3DES) (168-bit)

13 Encrypt Data at Rest
Full Disk Encryption
Security Appliances
Backup Tape Encryption

14 iSCSI Protocol
A transport protocol for SCSI that operates over TCP/IP
[Diagram: host; SCSI command set; transports shown: Parallel Bus; iSCSI over TCP, IP, Ethernet; FCP over Fibre Channel]

15 Protocol Data Units
Consist of SCSI commands, data, and responses for TCP handling
[Diagram: Protocol Data Unit (PDU) made up of iSCSI Header and iSCSI Data]

16 Encapsulation of iSCSI PDU
[Diagram: Ethernet frame with fields dest MAC, src MAC, Ether type, data, FCS (CRC); sizes shown: 6 bytes, 2 bytes, 4 bytes, 46 to 1500 bytes; the data field carries IP, TCP, iSCSI PDU]

17 Scenario

