Storage Basics: Securing iSCSI using IPSec
In recent years, iSCSI has emerged as a viable, cost-effective alternative to its more expensive counterpart, Fibre Channel, and is now regularly used to connect servers and SANs over a wide area network. One of the attractions of IP-based storage options such as iSCSI is that they allow the existing IP-based infrastructure to be used, obviating the need to upgrade to more costly equipment and complex solutions such as Fibre Channel.
Because iSCSI runs over IP, it relies on IP security protocols. Unfortunately, basic IP transmissions lack security, allowing anyone with the know-how and inclination to intercept or modify IP communications. One of the more popular methods used for securing IP communications is the IP Security Protocol (IPSec). IPSec is an IP layer-based security protocol, in contrast to other security protocols like SSL that operate at the application layer of the OSI model.
To create secure data transmissions, IPSec uses two separate protocols: Authentication Headers (AH) and Encapsulating Security Payloads (ESP). AH is primarily responsible for the authentication and integrity verification of packets. It provides source authentication and integrity for data communication but does not provide any form of encryption.
AH is capable of ensuring that network communications cannot be modified during transmission; however, it cannot protect transmitted data from being read. AH is often implemented when network communications are restricted to certain computers. In such instances, AH ensures that mutual authentication must take place between participating computers, which, in turn, prohibits network communications from occurring between non-authenticated computers.
ESP is responsible for providing encryption services for the network data; however, it can also be used for authentication and integrity services. The difference between AH authentication and ESP authentication is that ESP authentication covers only the ESP header, trailer, and payload portions of a data packet, whereas AH protects the entire data packet, including the IP header.
Used together, AH and ESP provide integrity, authentication, and encryption protection for IP-based communications. To make this happen, IPSec uses a variety of security protocols. To better understand the level of protection IPSec can provide, let’s take a look at each of these security protocols individually.
IPSec Integrity Protocols
When we refer to integrity verification, we are talking about hash algorithms that are used to verify that the information received is exactly the same as the information sent. A hash algorithm is essentially a cryptographic checksum used by both the sender and receiver to verify that the message has not been changed. If the message has changed in transit, the hash values are different and the packet is rejected.
When configuring IPSec integrity security, there are two options: Message Digest 5 (MD5) and Secure Hash Algorithm 1 (SHA1). Of the two, SHA1 is more secure than MD5, but it requires more CPU resources. MD5 produces a 128-bit hash value, while SHA1 produces a 160-bit hash value.
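The following is an added example, not part of the original article: a simplified Python model of the receiver-side hash check described above and of the coverage difference between AH and ESP authentication. It assumes the hash is applied in keyed (HMAC) form with a constructed pre-shared key, leaves the AH header itself out of the covered bytes, and uses constructed addresses and payload.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-shared-key"  # assumption: both peers already hold this key

def ipv4_header(src, ttl, proto, body_len, dst=(10, 0, 0, 9)):
    """Minimal 20-byte IPv4 header; checksum left at 0 for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + body_len, 0, 0,
                       ttl, proto, 0, bytes(src), bytes(dst))

def zero_mutable(hdr):
    """Blank the fields routers change in transit: TOS, flags/offset, TTL, checksum."""
    h = bytearray(hdr)
    h[1] = h[8] = 0
    h[6:8] = h[10:12] = b"\x00\x00"
    return bytes(h)

def icv(mode, ip_hdr, body, algo=hashlib.sha1):
    """Keyed hash over what each protocol covers (simplified model)."""
    # AH: immutable IP header fields plus body. ESP: ESP header, payload, trailer only.
    covered = zero_mutable(ip_hdr) + body if mode == "ah" else body
    return hmac.new(KEY, covered, algo).digest()

def receiver_accepts(mode, ip_hdr, body, tag):
    """Recompute the value and compare in constant time; a mismatch means reject."""
    return hmac.compare_digest(tag, icv(mode, ip_hdr, body))

def run_checks():
    payload = b"constructed iSCSI PDU"
    # ESP body: SPI + sequence number, payload, trailer (pad length 0, next header 6)
    esp_body = struct.pack("!II", 0x1000, 1) + payload + b"\x00\x06"
    out = {}
    for mode, proto, body in (("ah", 51, payload), ("esp", 50, esp_body)):
        sent = ipv4_header((10, 0, 0, 5), 64, proto, len(body))
        tag = icv(mode, sent, body)
        hop = ipv4_header((10, 0, 0, 5), 63, proto, len(body))     # TTL decremented
        other = ipv4_header((10, 0, 0, 77), 64, proto, len(body))  # source rewritten
        out[mode] = {
            "ttl_decrement": receiver_accepts(mode, hop, body, tag),
            "changed_source": receiver_accepts(mode, other, body, tag),
            "changed_payload": receiver_accepts(mode, sent, body + b"!", tag),
        }
    out["md5_bits"] = len(icv("ah", sent, body, hashlib.md5)) * 8
    out["sha1_bits"] = len(icv("ah", sent, body, hashlib.sha1)) * 8
    return out

if __name__ == "__main__":
    print(run_checks())
```

In this model both protocols reject a changed payload and tolerate a normal TTL decrement, but only AH rejects a packet whose source address was changed, because the ESP check never sees the outer IP header.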