ISCSIA repeat of Ben’s presentation

WHAT IS ISCSI?

• Internet Small Computer System Interface•A protocol that carries SCSI commands over IP networks•Developed by IBM and Cisco in 1998•A lower-cost alternative to Fibre Channel in SANs

STORAGE AREA NETWORKS

• Traditionally, servers would have their own directly attached storage and backup. This only works for small networks in a single location.

• A Storage Area Network introduces centralized storage and backup, which works better in large networks that are geographically dispersed.

• The key to making a SAN work is the network. Because all the servers are dependent on the centralized storage, the network has to be fast and reliable.

FIBRE CHANNEL

•Classic SANs use Fibre Channel to connect the servers to the centralized storage.

•The advantage of Fibre Channel was the increased performance over TCP – 2 Gbps vs 100 Mbps at the time of introduction.

•The disadvantage of Fibre Channel is the cost – it requires expensive specialized hardware and cabling.

ETHERNET CAUGHT UP

Year Ethernet speed Fibre Channel speed

2001 100 Mbps 2 Gbps

2005 1 Gbps 4 Gbps

2008 10 Gbps 8 Gbps

2011 100 Gbps 16 Gbps

2014 400 Gbps 32 Gbps

ISCSI VS FIBRE CHANNEL

• iSCSI has a lower implementation cost because it can be run over regular TCP networks. Fibre Channel requires expensive specialized hardware.

• Fibre Channel used to be favored for SANs because of the greater performance, but Ethernet is capable of faster speeds now.

• iSCSI runs on the same network as the rest of the business, while Fibre Channel runs on a separate network. This increases the reliability and speed of Fibre Channel somewhat.

HOW ISCSI WORKS

1 = Initiator 2 = Encapsulation 3 = Target

ISCSI NAMES

• Both targets and initiators require names for the purpose of identification. Additionally, names allow for iSCSI storage to be managed regardless of address.

• iSCSI names must be unique, and because iSCSI can be routed the name format is made to be worldwide unique.

• Names are associated with iSCSI nodes.

• iSCSI names are permanent and they are not dependent on address.

ISCSI NAME EXAMPLES

Type: IQN or EUI

Date: This date must be a date during which the naming authority owned the domain name used in this format

Auth: The reversed domain name of the person or organization creating this iSCSI name

Optional colon-prefixed string with the character set and length boundaries that the creator deems appropriate.

ISCSI PDU

• iSCSI defines its own packets that are referred to as iSCSI Protocol Data Units (PDUs).

• iSCSI PDUs consist of a header and possibly data, where the data length is specified in the header.

• An iSCSI PDU is sent as the content of one or more TCP packets.

ISCSI SESSION TYPES

• iSCSI defines two types of sessions:1. Normal operational sessions2. Discovery-sessions – These are only used for

the discovery of iSCSI targets

• The session type is defined during the login phase.

NORMAL OPERATIONAL SESSIONS

• Normal operational sessions have two phases:1. The login phase2. The full feature phase

• The login phase provides basic security to the iSCSI protocol. It has to be successfully completed before the session can go into the full feature phase.

• The full feature phase is where data transfer occurs.

• A session can consist of multiple TCP connections.

ISCSI SIMPLE NAME SERVICE

• iSNS is software that runs on an operating system or iSCSI device

• Both initiators and targets register with the iSNS server

• Responsible for:• Informing iSCSI clients about which targets are available on the

network• Grouping iSCSI clients to their correct domain set• Informing clients about what security aspects – if any – they

must use to associate to targets

ISCSI SIMPLE NAME SERVICE

ISCSI ERROR DETECTION

• Traditional SCSI operations are assumed to be virtually error-free, because direct-attached SCSI devices share a dedicated parallel bus connection, isolated from network disruptions.• iSCSI operates over the network, possibly including the

Internet. iSCSI needs to be able to deal with disruptions caused by this inherently unreliable network infrastructure.

• Both initiators and targets are able to buffer commands until they are acknowledge. For instance, if the initiator wishes to write to the target it keeps the command data in its buffer until it receives an R2T (ready to transmit) message from the target.

ERROR CORRECTION LEVELS

• Detection and recovery within an iSCSI task – for instance retransmission of a missing or corrupt PDU

• TCP connection that carries a task may experience errors. Recovery is attempted through a command restart.

• iSCSI session itself may fail. This means aborting all existing TCP connections for that session, aborting all queued tasks and outstanding commands, and restarting the session through the login phase. This only happens if all other methods of error correction have failed.

ISCSI SECURITY ISSUES

• The compromise of a single iSCSI device equates to the compromise of several (10 to 100) operating systems at once. • Who cares about admin passwords and root access

when the entire data store can be compromised?

TRUSTING INTERNAL PARTIES

• Vendors have this to say about iSCSI security:• “An iSCSI SAN uses Gigabit Ethernet, a switched network with a point-to-point architecture that makes it nearly impossible to snoop or hijack packet unless you have physical access to the network or switches”

• This implies that all internal parties should be trusted, including employees, vendors, business partners, guests, contractors, etc.

TOP ISCSI SECURITY ISSUES

1. iSCSI names are trusted

2. iSCSI authorization is the only required security mechanism, and it relies on iSCSI names.

3. iSCSI authentication is disabled by default

4. Even when iSCSI authentication is turned on, it relies on CHAP – a fairly weak authentication protocol

5. iSNS servers are not protected

6. iSCSI is a clear-text protocol, unless IPSec encryption is used. This is rarely done.

AUTHORIZATION ATTACK

• iSCSI names go over the network in clear-text• They are easy to sniff, guess, or enumerate

• The attacker spoofs his or her iSCSI name and establishes a connection with an iSCSI target

• Since an iSCSI session often consists of multiple TCP connections, nothing suspicious is detected and the attacker instantly gets access to possibly confidential data

ISCSI SIMPLE NAME SERVER ISSUES

• A newly registered iSCSI name will be placed in the default domain set.

• Any member of the domain set will be able to enumerate or access the other nodes in the same domain set• These other nodes can now be used for iQN spoofing attacks.

• Moving iSCSI nodes out of the default domain set and into custom domain sets is an important security mechanism, but many administrators fail to do so.

ISNS MAN-IN-THE-MIDDLE

• Attacker can identify iSNS server by scanning for open port 3205 – iSNS port.

• Using ARP poisoning, a fake iSNS server can be created to replace the real one.

• Attacker can now:• See all registrations (both targets and clients)• Modify or change domain sets• Downgrade domain sets that require security (removing

authentication and encryption)

ISNS MAN-IN-THE-MIDDLE

ISNS DOMAIN HOPPING

• An iSNS server relies on iSCSI names for node identification

• If an attacker simply spoofs his or her iSCSI name to that of the target, the iSNS server will automatically update and overwrite the legitimate node’s information with that of the attacker.• At minimum: DOS• At maximum: Allows unauthorized hosts to access

targets in restricted domains.

ISCSI AUTHENTICATION ATTACK

• Again, authentication is an optional implementation. When enabled, it uses CHAP.• Vulnerable to a brute-force attack• Tools are available that automate this process

ISCSI AUTHENTICATION ATTACK

ISCSI MESSAGE REFLECTION ATTACK

• Attacker requests authentication to an iSCSI target• Receives CHAP ID and Challenge

• Attacker opens a separate connection to the target and forces it to authenticate• RFC states that any iSCSI target must respond to

authentication requests by default

• Attacker receives the correct authentication hash from the target, and can use it in the first connection to authenticate to the target

ISCSI MESSAGE REFLECTION ATTACK

ISCSI SECURITY RECOMMENDATIONS

1. Ensure proper configuration of the iSCSI devices and network

2. Enable mutual authentication, and don’t rely only on CHAP

3. Create multiple discovery domains – only use the default domain set for random registrations

4. Require iSNS IPSec

5. Enable iSCSI IPsec.