Advanced iscsi Management April, 2008

Similar documents
STORAGE CONSOLIDATION WITH IP STORAGE. David Dale, NetApp

STORAGE CONSOLIDATION WITH IP STORAGE. David Dale, NetApp

3.1. Storage. Direct Attached Storage (DAS)

iscsi Security Overview

Storage Virtualization II Effective Use of Virtualization - focusing on block virtualization -

IP Storage Protocols: iscsi. John L. Hufferd, Sr. Exec Dir of Technology, Brocade, Inc Ahmad Zamer Storage Technology Initiatives Manager, Intel

Cisco Network Admission Control (NAC) Solution

Configuring iscsi in a VMware ESX Server 3 Environment B E S T P R A C T I C E S

COPYRIGHTED MATERIAL. Windows Server 2008 Storage Services. Chapter. in this chapter:

Storage Virtualization II. - focusing on block virtualization -

Fibre Channel vs. iscsi. January 31, 2018

A Crash Course In Wide Area Data Replication. Jacob Farmer, CTO, Cambridge Computer

EDUCATION IP Storage Protocols: iscsi

Traditional SAN environments allow block

istorage Server and IP SEC

vsphere Networking Update 1 ESXi 5.1 vcenter Server 5.1 vsphere 5.1 EN

USING ISCSI AND VERITAS BACKUP EXEC 9.0 FOR WINDOWS SERVERS BENEFITS AND TEST CONFIGURATION

iscsi Target Usage Guide December 15, 2017

BIG-IP TMOS : Implementations. Version

Security+ SY0-501 Study Guide Table of Contents

iscsi Protocols iscsi, Naming & Discovery, Boot, MIBs John Hufferd, Sr. Technical Staff IBM SSG

Server and Storage Consolidation with iscsi Arrays. David Dale, NetApp Suzanne Morgan, Microsoft

Fabric Security (Securing the SAN Infrastructure) Daniel Cohen Solutioneer Brocade Communications Systems, Inc

Symbols INDEX > 12-14

S S SNIA Storage Networking Foundations

SNIA Discussion on iscsi, FCIP, and IFCP Page 1 of 7. IP storage: A review of iscsi, FCIP, ifcp

Introduction to iscsi

Top-Down Network Design

iscsi Technology: A Convergence of Networking and Storage

Networking interview questions

Design and Implementations of FCoE for the DataCenter. Mike Frase, Cisco Systems

Configuring and Managing Virtual Storage

Network and storage settings of ES NAS high-availability network storage services

Networks with Cisco NAC Appliance primarily benefit from:

THE FOLLOWING EXAM OBJECTIVES ARE COVERED IN THIS CHAPTER: Configure local storage. Configure Windows Firewall

iscsi : A loss-less Ethernet fabric with DCB Jason Blosil, NetApp Gary Gumanow, Dell

HikCentral V.1.1.x for Windows Hardening Guide

Veeam Cloud Connect. Version 8.0. Administrator Guide

SRM: Can You Get What You Want? John Webster, Evaluator Group.

Network and storage settings of ES NAS high-availability network storage services

Gigabit SSL VPN Security Router

IP Storage Protocols: iscsi. John L Hufferd, Hufferd Enterprises

Q-Balancer Range FAQ The Q-Balance LB Series General Sales FAQ

Identify the features of network and client operating systems (Windows, NetWare, Linux, Mac OS)

vsphere Networking Update 2 VMware vsphere 5.5 VMware ESXi 5.5 vcenter Server 5.5 EN

Cisco Certified Network Associate ( )

HikCentral V1.3 for Windows Hardening Guide

IT Exam Training online / Bootcamp

Chapter 2. Switch Concepts and Configuration. Part II

Course overview. CompTIA Security+ Certification (Exam SY0-501) Study Guide (G635eng v107)

Interconnecting Cisco Networking Devices Part 1 (ICND1) Course Overview

vsphere Networking Update 1 Modified on 04 OCT 2017 VMware vsphere 6.5 VMware ESXi 6.5 vcenter Server 6.5

Cisco Wide Area Application Services: Secure, Scalable, and Simple Central Management

MTA_98-366_Vindicator930

access addresses/addressing advantages agents allocation analysis

WAN Application Infrastructure Fueling Storage Networks

CCNA Routing and Switching (NI )

Operating Systems. Week 13 Recitation: Exam 3 Preview Review of Exam 3, Spring Paul Krzyzanowski. Rutgers University.

Radius, LDAP, Radius, Kerberos used in Authenticating Users

CS 416: Operating Systems Design April 22, 2015

SECURITY ON AWS 8/3/17. AWS Security Standards MORE. By Max Ellsberry

NeoScale Systems, Inc. Integrating Storage Security into an Overall Security Architecture

Storage Area Network (SAN)

Vendor: HP. Exam Code: HP2-Z32. Exam Name: Implementing HP MSM Wireless Networks. Version: Demo

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

CCNA. Murlisona App. Hiralal Lane, Ravivar Karanja, Near Pethe High-School, ,

NETGEAR-FVX Relation. Fabrizio Celli;Fabio Papacchini;Andrea Gozzi

Configuring PPP over Ethernet with NAT

Multi-Layered Security Framework for Metro-Scale Wi-Fi Networks

VPN Routers DSR-150/250/500/1000AC. Product Highlights. Features. Overview. Comprehensive Management Capabilities. Web Authentication Capabilities

Networking for Data Acquisition Systems. Fabrice Le Goff - 14/02/ ISOTDAQ

TEXTBOOK MAPPING CISCO COMPANION GUIDES

Wireless LAN Security (RM12/2002)

Exam Questions SY0-401

Network Integration Guide Planning

Expected Outcomes Able to design the network security for the entire network Able to develop and suggest the security plan and policy

Title Month Year. IP Storage: iscsi and FC Extension. Introduction. IP Network Layers - In Practice. IP Network Layers

Junos OS Release 12.1X47 Feature Guide

iscsi Technology Brief Storage Area Network using Gbit Ethernet The iscsi Standard

CISCO EXAM QUESTIONS & ANSWERS

3. What could you use if you wanted to reduce unnecessary broadcast, multicast, and flooded unicast packets?

Use Cases for iscsi and FCoE: Where Each Makes Sense

Cisco EXAM Designing for Cisco Internetwork Solutions. Buy Full Product.

vsphere Networking 17 APR 2018 VMware vsphere 6.7 VMware ESXi 6.7 vcenter Server 6.7

C H A P T E R Overview Cisco Aironet 1400 Series Wireless Bridges Software Configuration Guide OL

WIALAN Technologies, Inc. Unit Configuration Thursday, March 24, 2005 Version 1.1

DPX8000 Series Deep Service Switching Gateway User Configuration Guide BRAS Service Board Module v1.0

SWP-0208G, 8+2SFP. 8-Port Gigabit Web Smart Switch. User s Manual

HAReplicator: Remote Replication to iscsi SAN

Microsoft Office SharePoint Server 2007

IndigoVision. Control Center. Security Hardening Guide

Security Fundamentals for your Privileged Account Security Deployment

Study Guide. Module Two

Viewing Network Status, page 116. Configuring IPv4 or IPv6 Routing, page 116. Configuring the WAN, page 122. Configuring a VLAN, page 137

Implementing Cisco Network Security (IINS) 3.0

CompTIA Network+ Study Guide Table of Contents

Configuring PPP over Ethernet with NAT

School of Computer Sciences Universiti Sains Malaysia Pulau Pinang

Security in Bomgar Remote Support

Obtain the hostname or IP address of Cisco UCS Central. Obtain the shared secret that was configured when Cisco UCS Central was deployed.

Transcription:

April, 2008 Gene Nagle, istor Networks

SNIA Legal Notice The material contained in this tutorial is copyrighted by the SNIA. Member companies and individuals may use this material in presentations and literature under the following conditions: Any slide or slides used must be reproduced without modification The SNIA must be acknowledged as source of any material used in the body of any document containing material from these presentations. This presentation is a project of the SNIA Education Committee. 2

Abstract This presentation will provide an overview of the more advanced capabilities of iscsi storage systems and address best practices that various types of users and managers should consider in order to take maximum advantage of these iscsi features for high availability, performance, security and ease of management. 3

Agenda Managing the iscsi SAN for Availability & Performance Multi-pathing techniques Frame sizes Controller fail-over Managing the iscsi SAN for Security VLANs ACL CHAP IP Sec and encryption SSL for management interface Management tools for Operation of the iscsi SAN iscsi targets - manage by exception iscsi initiators isns Name Service Microsoft VDS SMI-S 4

iscsi Availability & Performance Network topology and settings are vital for optimizing iscsi availability and performance Make the right network configuration choices Enhance availability & performance with multiple paths Choose the right multi-pathing technology Choose larger frame sizes for larger I/O bandwidths Examples: Backup, video streaming Take advantage of advanced features at various network levels Examples: Packet prioritization, Windows Chimney Offload 5

Multi-Pathing: Link Aggregation Groups Link-level path redundancy between network peers Server C All connections on one switch Increase redundancy for higher availability May not provide performance enhancement or (static) load balancing iscsi Disk Array 4-Port Link Aggregation GbE Switch Server B Server A Server A I/O Intense Applications IEEE802.ad industry standard 6

Multi-Pathing: MCS and MPIO Host-centric techniques for dynamic load balancing and fault tolerance where there is more than one path between a server and a storage array. Multiple Connections per Session (MCS): Load balancing & path fail-over among multiple iscsi connections within a single iscsi session Multi-Path I/O (MPIO): Load balancing & path fail-over among multiple iscsi sessions (1 connection per session) within a single I-T-L For fault tolerance: if a port or switch fails, the software (iscsi driver or OS utility) can route the I/O through the other path, transparent to the application. Passive fail-over/fail-back with MCS (session continues on remaining link(s)) Proactive fail-over/fail-back with MPIO For dynamic load balancing: MCS load balancing applies to individual disks/luns exposed to the session MPIO load balancing of all LUNs exposed to a shared target portal 7

MCS and MPIO iscsi gives you multi-pathing choices Match the performance and availability requirements of each server Server C 2-Port MPIO iscsi Disk Array GbE Switch Server A 4-Port MCS Server B 2-Port MPIO 8

HA iscsi RAID There must be physical paths from each server to each controller Biggest failover challenge is when using active-active controllers When the surviving controller takes over all I/O, it must take on the IP addresses of the target nodes presented by the failed controller (Aliasing) 9

Performance & Frame Size Frame Size is also called MTU (Maximum Transmission Unit) Standard Ethernet MTU = 1500 bytes Jumbo Frames can be anything larger than 1500 Normally up to 9000 bytes Jumbo frames are a good complement to Gigabit Ethernet Best Practice Consideration To use jumbo frames every device in the network must be able to handle them & must be configured properly Large MTU sizes can reduce overhead, improve throughput If I/O sizes are small, jumbo frames are under utilized To mix MTU sizes, use VLANs 10

Managing iscsi SAN Security A number of well proven techniques are available to make iscsi SANs secure Most basic measure is isolation of the SAN from other networks This is all that protects most FC SANs Exception: connectivity to the LAN/WAN for management, usually via separate ports from data ports 11

iscsi Security 101: Secure Connections Zoning for iscsi: VLANs A virtual LAN is a technique to segregate network users on the network The VLAN restricts access of specific users to a given target storage system. VLAN zoning is also a way to manage traffic on the network for optimal efficiency and accelerated performance. VPN across an unsecured network Well-established solutions for creating secure, virtual point-to-point IP bridges across un-trusted mediums such as the Internet. Access Control Lists (ACLs) by the iscsi target Authentication and encryption: choices. Secure management connections 12

Using VLANs and VPN for the DR Site LUNs being replicated can be in 2 VLANs One VLAN for primary site access One VLAN for replication Servers VPN Router SAN Switch DR iscsi Array Primary iscsi Arrays 13

Access Control by the iscsi Target A Form of LUN Mapping & Masking: ACL support to the volume level ACLs (alone) have been proven to be insecure in many situations LUN masking: Each LUN may have access to it restricted to a specified iscsi initiator or group of initiators This limits which iscsi initiators can see an iscsi LUN. Typically, just one iscsi initiator has access to an iscsi LUN, preventing write collisions but also providing privacy for that LUN ACL security isn't sufficient when un-trusted users have root access on a system capable of accessing the target 14

Access Control: Read-Only Volumes Read-only volumes can permit multiple users to all have concurrent access to the data and maintain data integrity without managing user privileges Check availability of this feature with your hardware manufacturer 15

Authentication Alternatives CHAP authentication is most common for iscsi RADIUS is primarily used for embedded network devices such as routers, modem servers, switches TACACS+ & LDAP TACACS+ is a Cisco protocol Lightweight Directory Access Protocol, or LDAP is an application protocol for querying and modifying directory services running over TCP/IP LDAP natively provides no protection against sniffing or active attackers IPSec & Kerberos combine authentication and encryption 16

CHAP Authentication Challenge Handshake Authentication Protocol Based on peers (initiators, targets) sharing a secret One-way CHAP: only target authenticates initiator(s) Mutual CHAP: target and initiator authenticate each other CHAP Authentication done during initial iscsi login to authenticate end nodes, restrict access to targets Vulnerable to sniffing Vulnerable to message reflection attacks across multiple connections when two hashes match the password can be compromised Less secure than IP Sec, but less impact on iscsi performance Best Practices for open iscsi SAN At a minimum, the use of one-way CHAP authentication between iscsi initiators and targets is typically recommended Consider isns IPSec for added security 17

Using IPSec IP Security (IPSec) can be used as an alternative to CHAP to ensure that iscsi end points (initiators and targets) are authentic and to maintain privacy and integrity of transferred data (cryptographic integrity) Authentication and Encryption with IPSec IPSec may be used to encrypt authentication and data packets on the network. A common key is set on all IP portals, allowing all peers to authenticate each other and negotiate packet encryption. IPSec provides two levels of security: Authenticates both the initiator and target nodes, preventing the man-in-the-middle type of attacks. Encrypts the data being transferred on the network so that any network snooping that is taking place would only capture garbled data. Best Practice Consideration IPSec creates significant performance overhead 18

Securing the Management Connection The iscsi storage management interface should be secured to prevent unauthorized access from hackers. Particularly true with web-based configuration tools that can be accessed from anywhere. Best Practices: Use Secure Socket Layer (SSL) Encryption for Management Interface Security Use VPN, even within the LAN 19

Security Best Practices Audit iscsi devices and networks to assess risk Security needs to be addressed end to end (host network device) Configure a network topology that minimizes risk of unauthorized access to or modification of data as it traverses the network; Isolate the SAN from other networks Avoid DHCP on the SAN Virtual LANs (VLANs) Extra precautions for distributed data center and remote replication (DR) applications WANs require stronger security measures The level of security that you can set for a storage subsystem depends on the hardware manufacturer. Not all subsystems support all levels of iscsi security Contact your hardware manufacturer 20

Operations Management Best Practices Take advantage of advanced features in iscsi targets High level management by exception Take advantage of advanced features in iscsi initiators Microsoft iscsi initiator Hardware initiators Consider using isns name service Take advantage of advanced management tools Microsoft Virtual Disk Service (VDS) SMI-S 21

Sample iscsi Initiator Use Advanced Settings for security and performance enhancement 22

Using isns iscsi Name Service isns and Discovery Domains iscsi Name Services Groups of iscsi initiators and targets in Domain for logical segmentation iscsi initiators and targets register with the isns Server (similar to DNS) Initiators only discover the targets they are eligible to use isns Best Practice Use unique names not default naming for Domains Important at isns registration to move nodes out of the Default Domain Pool for enumeration and access control Control specific port for isns Server to prevent (Man-In-The-Middle) attacks from a fake isns Server 23

Storage Management with iscsi SMI Storage Management Initiative Interoperable Management Interface > Based on Common Information Model (CIM) from ( DMTF ) Distributed Management Task Force > Runs over HTTP Profiles implement IETF iscsi model > Initiator > Target IMA iscsi Management API Host Driver/HBA Interoperability ANSI 411 24

SMI Discovery Target Nodes SCSI targets World Wide Names ( iscsi Network Portals ( IP Addresses used for Access Paths Logical Unit Numbers Read/Write Permissions Sessions and Connections Current Connections Max Connections Initiator Name Negotiated Parameters Statistics Protocol Data Units Logins Errors 25

SMI iscsi Configuration Target Creation iscsi Nodes iscsi Network Portals ( IP Addresses ) Access Path Creation Volumes to Hosts Logical Units and Permissions 26

Q&A / Feedback Please send any questions or comments on this presentation to SNIA: trackstorage@snia.org Gene Nagle Jay Kramer Scott Baker Many thanks to the following individuals for their contributions to this tutorial. - SNIA Education Committee 27

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback