Storage Basics: Securing iSCSI Using IPSec, Part 2
Configuring IPSec Security
Once the level of IPSec security has been identified, the next step is to configure it. IPSec policy configuration is the translation of your security requirements into one or more IPSec policies. Policies can be created at the domain, site, organizational unit, or local level, but only one policy can be assigned at a time at any level, and assigned policies are not merged: if policies are assigned at more than one level, the one from the Group Policy object processed last (normally the most specific OU) is the only one in effect on the computer. Each IPSec policy consists of one or more IPSec rules, and each rule consists of a filter list, a filter action, an authentication method, and a connection type.
The filter list determines which IP traffic the rule applies to, by source and destination address, protocol, and port. When a packet matches a filter in the list, the rule's filter action is applied. The filter action specifies how that traffic is handled. There are three actions to choose from when configuring an IPSec filter action:
- Permit: the absence of IPSec protection. Matching packets are passed with no negotiation, integrity checking, or encryption.
- Block: at the other end of the spectrum. Matching packets, inbound or outbound, are silently discarded and no negotiation takes place.
- Negotiate Security: matching traffic triggers an IKE negotiation in which the two computers agree on the security methods (AH or ESP, and the integrity and encryption algorithms) the administrator has listed for the action. Two options on this action deserve attention: "Accept unsecured communication, but always respond using IPSec" and "Allow unsecured communication with non-IPSec-aware computers". Either one lets matching traffic fall back to cleartext when the peer does not negotiate, so if the requirement is that iSCSI traffic must always be protected, both should be cleared.
The authentication method determines how the two computers prove their identities to each other during IKE negotiation, before any IPSec security association is established. Three methods are supported:
- Kerberos: Kerberos V5 is the default authentication method in Server 2003 and the primary authentication protocol within a domain. It provides mutual authentication, so each side verifies the other. For IPSec, the credential used is the computer account rather than a user account, so both computers must be members of the same Active Directory domain or of domains that trust each other. Kerberos in general can interoperate with UNIX systems that use Kerberos for authentication, but the Server 2003 IPSec implementation offers this method only to domain members; a storage array acting as the iSCSI target is usually not one, which makes Kerberos the least likely choice for the target side of an iSCSI connection.
- Public Key Certificates (PKI): certificates issued by a Certification Authority (CA) are used to authenticate computers that are not members of a trusted domain, non-Windows computers, or computers that do not support Kerberos V5. Each computer needs its own certificate and private key, and both computers must trust the root CA selected in the rule. Certificate authentication is the usual choice for an iSCSI target that is not a Windows domain member.
- Preshared Keys: in preshared key authentication, both computers are configured with the same secret string and use it to authenticate the IKE exchange. The key is stored in cleartext in the IPSec policy (in Active Directory or the local registry), so anyone who can read the policy can read the key. Preshared keys should be used only for testing or where neither certificates nor Kerberos can be deployed.
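The four components above (policy, filter list, filter action, rule with its authentication method) map directly onto the Server 2003 netsh ipsec static context. The script below is an added example, not part of the original article, and builds a local policy that requires ESP for all iSCSI traffic (TCP 3260) to one target. The target address 192.168.50.10, the policy and rule names, and the CA name "CN=Example Root CA" are assumptions chosen for illustration.

```batch
@echo off
rem Added example (not from the original article): a local IPSec policy that
rem requires ESP for all iSCSI (TCP 3260) traffic to one target, built with
rem the Windows Server 2003 "netsh ipsec static" context.
rem Assumed values (not from the article): target IP 192.168.50.10 and a
rem root CA named "CN=Example Root CA". Run from a command prompt as an
rem administrator on the iSCSI initiator.

rem 1. Policy: the container for one or more rules.
netsh ipsec static add policy name="iSCSI-IPSec" description="Require ESP for iSCSI traffic"

rem 2. Filter list: which traffic the rule affects. mirrored=yes adds the
rem    reverse filter automatically, so replies from the target also match.
netsh ipsec static add filterlist name="iSCSI-Target-Traffic"
netsh ipsec static add filter filterlist="iSCSI-Target-Traffic" srcaddr=me dstaddr=192.168.50.10 protocol=TCP srcport=0 dstport=3260 mirrored=yes description="iSCSI to storage target"

rem 3. Filter action: negotiate ESP with 3DES and SHA1 (the strongest ESP
rem    pair Server 2003 offers; do not use DES). inpass=no and soft=no
rem    clear the two fallback options, so a failed negotiation means no
rem    iSCSI traffic rather than unprotected iSCSI traffic.
netsh ipsec static add filteraction name="Require-ESP-3DES-SHA1" action=negotiate qmsecmethods="ESP[3DES,SHA1]" inpass=no soft=no

rem 4. Rule: filter list + filter action + authentication method + connection
rem    type. Certificate authentication is used here; the target must present
rem    a certificate chained to the same root CA.
netsh ipsec static add rule name="Secure-iSCSI" policy="iSCSI-IPSec" filterlist="iSCSI-Target-Traffic" filteraction="Require-ESP-3DES-SHA1" conntype=lan rootca="CN=Example Root CA certmap:no excludecaname:no"
rem    Alternatives for the last parameter: kerberos=yes (both computers in
rem    the same or a trusting domain) or psk="..." (stored in cleartext in
rem    the policy; last resort only).

rem 5. Assign the policy. Only one policy can be assigned on a computer.
netsh ipsec static set policy name="iSCSI-IPSec" assign=y

rem 6. Verify: the rule should appear in the policy, and once the initiator
rem    logs on to the target a quick mode SA for TCP 3260 should be listed.
netsh ipsec static show policy name="iSCSI-IPSec" level=verbose
netsh ipsec dynamic show qmsas all
```

The target needs the mirror image of this configuration: the same filter (with its address as "me" and the initiator's address as the destination, or "any" for all initiators), the same filter action, and a certificate from the same root CA; on a non-Windows array, configure its IPSec proposal to offer ESP with 3DES and SHA1. Assign the policy on the target before the initiator, and with no volumes in use: once the initiator's policy is assigned, any iSCSI session that cannot negotiate is blocked rather than degraded, so a mismatch shows up as lost connectivity to the target.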
