SSH QuickSec Toolkit for SAN - Bringing Security to iSCSI



There are many obstacles on the road to iSCSI adoption. One of the most significant is security.

In the same way that 'standard' network transmissions can be intercepted, copied off the network media and read by a packet analyzer program, iSCSI's use of TCP/IP as a transport mechanism means that the same could be done to transmissions between two storage devices that are communicating via iSCSI. The difference, of course, is that on a standard network organizations can be very selective about what data is being sent. In a storage scenario, there is less opportunity to be selective, and a requirement to transmit considerably more data.

In a LAN environment, the concerns over security are allayed somewhat by the use of firewalls that protect data from outside intruders, and by the (sometimes incorrect) assumption that people within the corporate LAN boundary would not want to sniff data off the network and read the contents.

But it is in the WAN environment, where data leaves the (supposedly) safe confines of the LAN and travels over WAN links, often by unknown means, that the need to secure data from prying eyes is paramount.

Perhaps the most significant advantage of iSCSI is that it allows data to be transmitted between storage devices using standard network links. This makes it possible to break free of the distance boundaries created by other storage technologies and transmit data between storage devices over long distances. Concepts like off-site data replication to another state, country or continent become not just possible, but also feasible from both a technological and financial perspective. It's a big benefit, but one that is almost negated if the data being transferred over the links cannot be secured.

To create a secure mechanism by which to send data over iSCSI, the storage industry, quite naturally, looked to the networking industry for solutions. The solution from a standard networking perspective is to use a security protocol such as IPSec, the reasoning being that if it's good enough for standard network transmissions, it's good enough to secure the traffic between storage devices.

But the problem with any encryption technology, not just IPSec, is that it degrades performance on the link between the two endpoints. The time it takes for the encryption to take place, which is normally performed by a software component, increases the latency and so degrades overall performance. In standard network traffic, this increased latency is seen as an acceptable price to pay for the security afforded by the encryption. In the storage industry, where performance is both a key consideration and an overriding concern, such performance degradation is unacceptable.

The answer to the puzzle comes in the form of on-device, hardware-based encryption and, in the case of storage, in the shape of the SSH QuickSec Toolkit for SAN, from SSH Communications Security. The product, which according to SSH is the only one of its kind, provides a set of tools for IPSec encryption that can be implemented through the iSCSI hardware. For additional security, the QuickSec Toolkit also accommodates Internet Key Exchange (IKE) and X.509 PKI client functionality to ensure that not only is the data secure while in transport, but that the end-to-end authentication is also secure.
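To make concrete what "IPSec with IKE and X.509 PKI" means for an iSCSI link, here is an added example that is not the QuickSec Toolkit's own configuration: a strongSwan swanctl.conf fragment for the initiator host that protects only its TCP/3260 traffic to the target with ESP in transport mode, negotiated over IKEv2 and authenticated with certificates on both sides. The addresses, identities and certificate file names are constructed placeholders; the target needs the mirror-image connection.

```conf
# Added example, not from the article or the QuickSec Toolkit.
# strongSwan swanctl.conf on the iSCSI initiator: IPsec ESP in transport
# mode for iSCSI only (TCP/3260), keyed by IKEv2 with X.509 certificates.
# Addresses, identities and file names below are constructed placeholders.
connections {
    iscsi-target {
        version = 2                       # IKEv2
        local_addrs  = 192.0.2.10         # initiator host (placeholder)
        remote_addrs = 192.0.2.20         # iSCSI target  (placeholder)
        proposals = aes256-sha256-x25519  # IKE SA: cipher, integrity/PRF, DH group

        local {
            auth  = pubkey
            certs = initiator.pem         # initiator certificate in /etc/swanctl/x509/
            id    = "CN=initiator.example"
        }
        remote {
            auth = pubkey
            id   = "CN=target.example"    # must match the subject in the target's certificate
        }

        children {
            iscsi {
                mode = transport                  # host-to-host: no outer IP header added
                local_ts  = 192.0.2.10/32[tcp]     # any source port on the initiator
                remote_ts = 192.0.2.20/32[tcp/3260] # only the iSCSI port on the target
                esp_proposals = aes256gcm16-x25519  # AEAD ESP with PFS
                start_action = trap               # negotiate when iSCSI traffic first appears
                dpd_action = restart              # re-establish if the peer stops answering
            }
        }
    }
}
```

Load it with `swanctl --load-all` (the CA certificate that issued both host certificates goes in /etc/swanctl/x509ca/), then check `swanctl --list-sas` once the initiator logs in: the child SA should show the two traffic selectors above, and a capture on the wire between the hosts should show only ESP packets rather than readable iSCSI PDUs. Because `start_action = trap` installs a policy that blocks the selected traffic until the SA is up, iSCSI to that target cannot silently fall back to cleartext if negotiation fails. A software stack like this runs the ESP crypto on the host CPU, which is exactly the latency cost the article describes; the example only makes the policy and authentication model concrete, while the toolkit's hardware implementation moves the cryptographic work off the host.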

By implementing the technology at the on-device hardware level, through a firmware chip, performance degradation with SSH QuickSec Toolkit for SAN is negligible, and the realization of iSCSI as a storage wide area network (SWAN) technology comes one big step closer.
