Storage Basics: Securing iSCSI Using IPSec, Part 2



In a previous Storage Basics article, we looked at securing IP communications using the IPSec protocol.

With many storage implementations moving toward IP-based solutions such as iSCSI, securing IP transmissions becomes critical, especially since many of the programs we use send cleartext across the network, among them FTP, Telnet, POP3 and IMAP.

In a heterogeneous environment, we have the option of securing communication at the application layer, using protocols such as Secure Sockets Layer (SSL) or Transport Layer Security (TLS), and at the IP layer using IPSec. The purpose of this article is to show how communications are secured using IPSec on Windows Server 2003.

Out of the box, IP provides no security of its own, and for many applications this is not a problem. For those communications that do require security, however, we need to configure IPSec. Enabling IPSec on Server 2003 is a straightforward process, but getting the right level of security can be tricky.

Setting Security Levels

In general, there are four security strategies from which to choose when securing data with IPSec. These include:

  • Block transmissions: This option tells IPSec to block all transmissions from computer A to computer B; the receiving system simply drops them. Blocking all traffic is a heavy-handed security strategy and is not often used.

  • Encrypt transmissions: The encrypt transmissions option is used when it is necessary to allow communications between computers, but the data must be encrypted to prevent eavesdropping. In such an instance, IPSec is configured using the Encapsulating Security Payload (ESP) protocol to encrypt data. Those attempting to look at the data will see only an unreadable stream of bytes.

  • Sign transmissions: The sign transmissions option is used to prevent "man-in-the-middle" attacks. The Authentication Header (AH) protocol for digitally signing communications adds a bit of data at the end of network packets to verify that the data has not been changed during transit.

  • Permit transmissions to travel unchanged without signing or encryption: This option is the absence of security. Essentially, this allows all traffic to pass without verifying data integrity.
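The four strategies above map directly onto IPSec filter actions. As an added example, not from the original article, the following cmd.exe session on Windows Server 2003 uses netsh ipsec static to define all four actions and apply the "encrypt" one to iSCSI traffic (TCP port 3260) bound for a constructed target address; the policy, filter and action names, the address 192.168.1.10 and the use of Kerberos authentication are assumptions for the illustration.

```batch
@echo off
rem Added example: define the four IPSec filter actions from the article
rem and apply the "encrypt" one to iSCSI traffic on Windows Server 2003.
rem Names, the target address 192.168.1.10 and Kerberos authentication
rem are assumptions made for this illustration.

rem 1. An unassigned policy container for the rule below.
netsh ipsec static add policy name="iSCSI IPSec Policy" description="Protect iSCSI sessions"

rem 2. A filter matching iSCSI (TCP/3260) from this host to the target;
rem    mirrored=yes also matches the reply direction.
netsh ipsec static add filterlist name="iSCSI Traffic" description="TCP 3260 to the iSCSI target"
netsh ipsec static add filter filterlist="iSCSI Traffic" srcaddr=Me dstaddr=192.168.1.10 protocol=TCP srcport=0 dstport=3260 mirrored=yes

rem 3. The four strategies as filter actions.
rem    Block: drop matching packets outright.
netsh ipsec static add filteraction name="Block iSCSI" action=block
rem    Encrypt: negotiate ESP (3DES for confidentiality, SHA1 for integrity);
rem    inpass=no and soft=no mean unprotected traffic is never accepted.
netsh ipsec static add filteraction name="Encrypt iSCSI" action=negotiate qmsecmethods="ESP[3DES,SHA1]" inpass=no soft=no
rem    Sign: negotiate AH only, so packets are authenticated but sent in the clear.
netsh ipsec static add filteraction name="Sign iSCSI" action=negotiate qmsecmethods="AH[SHA1]" inpass=no soft=no
rem    Permit: let matching traffic pass with no IPSec at all.
netsh ipsec static add filteraction name="Permit iSCSI" action=permit

rem 4. Bind the filter list to the "encrypt" action inside the policy;
rem    change filteraction= to one of the other three to switch strategy.
netsh ipsec static add rule name="Encrypt iSCSI Rule" policy="iSCSI IPSec Policy" filterlist="iSCSI Traffic" filteraction="Encrypt iSCSI" kerberos=yes

rem 5. Assign the policy so it takes effect, then review what was built.
netsh ipsec static set policy name="iSCSI IPSec Policy" assign=yes
netsh ipsec static show policy name="iSCSI IPSec Policy"
```

The iSCSI target needs a matching policy of its own, because the negotiate actions only succeed when both peers agree on a security method.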

Page 2: Developing an Overall IPSec Security Strategy
