Securing iSCSI for Data Backup and Disaster Recovery
Slide 1: Securing iSCSI for Data Backup and Disaster Recovery. James W. Hughes, CS 526, 5/03/05
Slide 2: Overview
• Introduction / Motivation
• Brief Overview of iSCSI
• Strategies for Securing iSCSI
• Conclusion
• References
Slide 3: Introduction / Motivation
• Learn about a new technology
• Attempt to pass it on
• Brief backup and disaster-recovery scenario
Slide 4: Brief Overview of iSCSI (detail on slides 5 to 7)
• iSCSI protocol
• Protocol Data Units
• Encapsulation of an iSCSI PDU
Slide 8: Strategies for Securing iSCSI (detail on slides 9 to 13)
• Access Control Lists (ACLs)
• Strong Authentication Schemes
• Secure Management Interfaces
• Encrypt Exposed Network Traffic
• Encrypt Data at Rest
Slide 14: Conclusion
• iSCSI is an alternative to Fibre Channel: the same SCSI command set carried over TCP/IP instead of over FCP on Fibre Channel
• Overview of the iSCSI protocol
• Strategies for securing iSCSI
Slide 15: Questions
Slide 16: References
• Hewlett-Packard (2005). iSCSI Overview. PowerPoint presentation.
• Foskett, S. (07 Apr 2005). Five ways to secure iSCSI. http://searchstorage.techtarget.com/tip/1,289483,sid5_gci1076436,00.html
• Harwood, M. (27 Jan 2004). Storage Basics: Securing iSCSI using IPSec. http://www.enterprisestorageforum.com/ipstorage/features/article.php/11567_3304621_1
• Network Sorcery (n.d.). CHAP, Challenge Handshake Authentication Protocol. http://www.networksorcery.com/enp/protocol/CHAP.htm
Slide 9: Access Control Lists (ACLs)
• Implementations:
 – IP address
 – Initiator name (the initiator's IQN)
 – MAC address
• Provides a means of dividing storage resources among clients
• Not a strong security method: an IP address, an initiator name or a MAC address is simply asserted by the client and can be spoofed, so ACLs prevent accidental access, not deliberate access
Back to Strategies for Securing iSCSI
Slide 10: Strong Authentication Schemes
• Challenge Handshake Authentication Protocol (CHAP)
 – Two-way (mutual) authentication: the target can also be made to prove itself to the initiator
 – Protects against replay attacks, because each login uses a fresh random challenge and the response is a hash over the secret and that challenge
• Remote Authentication Dial-In User Service (RADIUS) can hold the CHAP secrets centrally instead of on every target
• Drawback: the secret must be stored in recoverable form on both sides, and a captured challenge/response pair allows offline guessing of a weak secret
• A RADIUS service can be difficult to configure
Back to Strategies for Securing iSCSI
Slide 11: Secure Management Interfaces
• Lessons learned from Fibre Channel:
 – Limit usage
 – Enforce strong passwords
 – Verify that vendor accounts are removed or disabled
Back to Strategies for Securing iSCSI
Slide 12: Encrypt Exposed Network Traffic
• IP security (IPsec)
 – Authentication Header (AH)
  · Peer authentication: Kerberos v5, public-key certificates (PKI), and preshared keys
  · Integrity: Message Digest 5 (MD5) and Secure Hash Algorithm 1 (SHA-1)
 – Encapsulating Security Payload (ESP)
  · Data Encryption Standard (40-bit)
  · Data Encryption Standard (56-bit)
  · Triple DES (3DES, 168-bit)
Two points a practitioner should add to this slide. AH authenticates and integrity-protects each packet but does not encrypt it; only ESP hides the SCSI payload, so ESP is the mode that actually "encrypts exposed traffic". The peer-authentication methods listed are IKE options for setting up the security association, not features of AH itself. The algorithms are the 2005-era choices: DES at 40 or 56 bits and MD5 are no longer considered secure, and a current deployment should use AES (for example AES-GCM) for ESP with SHA-2 for integrity.
Back to Strategies for Securing iSCSI
Slide 13: Encrypt Data at Rest
• Full-disk encryption
• Security appliances
• Backup tape encryption
Back to Strategies for Securing iSCSI
Slide 5: iSCSI Protocol
• A transport protocol for SCSI that operates over TCP/IP
• Figure (protocol stacks, host at the top): the SCSI command set can run over a parallel SCSI bus, over iSCSI on TCP on IP on Ethernet, or over FCP on Fibre Channel
Back to iSCSI Overview
Slide 6: Protocol Data Units
• PDUs carry the SCSI commands, data, and responses, packaged as the units that are handed to TCP
• Figure: Protocol Data Unit (PDU) = iSCSI header | iSCSI data
Back to iSCSI Overview
Slide 7: Encapsulation of an iSCSI PDU
Figure (Ethernet frame carrying an iSCSI PDU):
 dest MAC (6 bytes) | src MAC (6 bytes) | EtherType (2 bytes) | data: IP header, TCP header, iSCSI PDU (46 to 1500 bytes) | FCS (CRC, 4 bytes)
Back to iSCSI Overview
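Slides 6 and 7 show the PDU as a header plus data inside TCP inside IP inside Ethernet. The following added example (the editor's own code, not from the slides or any cited source) makes the header concrete: it builds and decodes the 48-byte Basic Header Segment (BHS) defined in RFC 3720 and re-frames PDUs out of a TCP byte stream, which is what the slide's "for TCP handling" amounts to, since TCP delivers a stream rather than PDU boundaries. It assumes header and data digests are off (the iSCSI default), so a PDU is the BHS, any AHS, and the data segment padded to 4 bytes. The ISID, IQNs and payloads are constructed for the demo.

```python
"""
Added example, not from the slides: RFC 3720 iSCSI Basic Header Segment (BHS),
built and parsed, plus PDU re-framing from a TCP byte stream. Assumes
HeaderDigest=None and DataDigest=None, so PDU = 48-byte BHS + AHS + padded data.
"""
BHS_LEN = 48
OPCODES = {0x00: "NOP-Out", 0x01: "SCSI Command", 0x03: "Login Request",
           0x04: "Text Request", 0x05: "SCSI Data-Out", 0x06: "Logout Request",
           0x20: "NOP-In", 0x21: "SCSI Response", 0x23: "Login Response",
           0x24: "Text Response", 0x25: "SCSI Data-In", 0x26: "Logout Response"}
STAGES = {0: "SecurityNegotiation", 1: "LoginOperationalNegotiation", 3: "FullFeaturePhase"}


def _pad4(n):
    return (n + 3) & ~3


def _frame(hdr, data):
    """Set DataSegmentLength (bytes 5..7, unpadded) and append zero-padded data."""
    hdr[5:8] = len(data).to_bytes(3, "big")
    return bytes(hdr) + data + b"\0" * (_pad4(len(data)) - len(data))


def build_login_request(isid, cid, cmdsn, expstatsn, keys, itt=1, csg=0, nsg=1):
    """Login Request: opcode 0x03 with the I (immediate) bit set, hence 0x43.
    Byte 1 holds T (transit), CSG and NSG; the data segment is NUL-separated key=value."""
    assert len(isid) == 6
    hdr = bytearray(BHS_LEN)
    hdr[0] = 0x43
    hdr[1] = 0x80 | (csg << 2) | nsg
    hdr[8:14] = isid                            # ISID; TSIH (bytes 14..15) stays 0: new session
    hdr[16:20] = itt.to_bytes(4, "big")         # Initiator Task Tag
    hdr[20:22] = cid.to_bytes(2, "big")         # Connection ID
    hdr[24:28] = cmdsn.to_bytes(4, "big")
    hdr[28:32] = expstatsn.to_bytes(4, "big")
    data = b"".join(f"{k}={v}".encode() + b"\0" for k, v in keys)
    return _frame(hdr, data)


def build_nop_out(payload=b"", itt=0xFFFFFFFF, ttt=0xFFFFFFFF, cmdsn=0, expstatsn=0):
    """NOP-Out: opcode 0x00 with the I bit (0x40); the F bit in byte 1 must be set."""
    hdr = bytearray(BHS_LEN)
    hdr[0], hdr[1] = 0x40, 0x80
    hdr[16:20] = itt.to_bytes(4, "big")
    hdr[20:24] = ttt.to_bytes(4, "big")         # Target Transfer Tag
    hdr[24:28] = cmdsn.to_bytes(4, "big")
    hdr[28:32] = expstatsn.to_bytes(4, "big")
    return _frame(hdr, payload)


def parse_pdu(buf):
    """Decode the PDU at the start of buf. Returns (fields, bytes_consumed), or
    (None, 0) when the buffer does not yet hold a complete PDU."""
    if len(buf) < BHS_LEN:
        return None, 0
    ahs_len = buf[4] * 4                         # TotalAHSLength is in 4-byte words
    dsl = int.from_bytes(buf[5:8], "big")        # DataSegmentLength, 24 bits
    total = BHS_LEN + ahs_len + _pad4(dsl)
    if len(buf) < total:
        return None, 0
    opcode = buf[0] & 0x3F
    fields = {
        "opcode": opcode,
        "opcode_name": OPCODES.get(opcode, "unknown"),
        "immediate": bool(buf[0] & 0x40),
        "final": bool(buf[1] & 0x80),
        "ahs_len": ahs_len,
        "data_len": dsl,
        "itt": int.from_bytes(buf[16:20], "big"),
        "cmdsn": int.from_bytes(buf[24:28], "big"),
        "data": bytes(buf[BHS_LEN + ahs_len:BHS_LEN + ahs_len + dsl]),
    }
    if opcode == 0x03:                            # Login Request specifics
        fields["csg"] = STAGES.get((buf[1] >> 2) & 3)
        fields["nsg"] = STAGES.get(buf[1] & 3)
        fields["isid"] = bytes(buf[8:14]).hex()
        fields["keys"] = dict(kv.decode().split("=", 1)
                              for kv in fields["data"].split(b"\0") if kv)
    return fields, total


def split_stream(stream):
    """Re-frame a TCP byte stream into PDUs. Returns (pdus, unconsumed tail)."""
    pdus, pos = [], 0
    while True:
        fields, n = parse_pdu(stream[pos:])
        if fields is None:
            return pdus, stream[pos:]
        pdus.append(fields)
        pos += n


if __name__ == "__main__":
    login = build_login_request(bytes.fromhex("00023d000001"), 0, 1, 0,
                                [("InitiatorName", "iqn.2005-05.edu.example:host1"),
                                 ("TargetName", "iqn.2005-05.edu.example:tgt1"),
                                 ("SessionType", "Normal"), ("AuthMethod", "CHAP")])
    for pdu in split_stream(login + build_nop_out(b"ping"))[0]:
        print(pdu["opcode_name"], pdu.get("keys", pdu["data"]))
```

Because everything the target uses to identify the initiator (the InitiatorName key here, and the source IP and MAC in the outer headers) is plain text the client chooses, the decoder also illustrates why slide 9 calls ACLs a weak control on their own.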
Slide 17: Scenario (backup and disaster-recovery diagram)
Back to iSCSI Overview
- Slides: 17