There are many obstacles on the road to iSCSI adoption. One of the most significant is that of security.
In the same way that ‘standard’ network transmissions can be intercepted, copied off the network media and read by a packet analyzer program, iSCSI’s use of TCP/IP as a transport mechanism means that the same could be done to transmissions between two storage devices that are communicating via iSCSI. The difference, of course, is that on a standard network organizations can be very selective about what data is being sent. In a storage scenario, there is less opportunity to be selective, and a requirement to transmit considerably more data.
In a LAN environment, the concerns over security are allayed somewhat by the use of firewalls that protect data from outside intruders, and by the (sometimes incorrect) assumption that people within the corporate LAN boundary would not want to sniff data off the network and read the contents.
But it is in the WAN environment, where data leaves the (supposedly) safe confines of the LAN and travels over WAN links, often by unknown means, that the need to secure data from prying eyes is paramount.
Perhaps the most significant advantage of iSCSI is that it allows data to be transmitted between storage devices using standard network links. This makes it possible to break free of the distance boundaries created by other storage technologies and transmit data between storage devices over long distances. Concepts like off-site data replication to another state, country or continent become not just possible, but also feasible from both a technological and financial perspective. It’s a big benefit, but one that is almost negated if the data being transferred over the links cannot be secured.
To create a secure mechanism by which to send data over iSCSI, the storage industry, quite naturally, looked to the networking industry for solutions. The solution from a standard networking perspective is to use a security protocol such as IPSec, the reasoning being that if it’s good enough for standard network transmissions, it’s good enough to secure the traffic between storage devices.
But the problem with any encryption technology, not just IPSec, is that it degrades performance on the link between the two endpoints. The time it takes for the encryption to take place, which is normally performed by a software component, increases the latency and so degrades overall performance. In standard network traffic, this increased latency is seen as an acceptable price to pay for the security afforded by the encryption. In the storage industry, where performance is both a key consideration and an overriding concern, such performance degradation is unacceptable.
The answer to the puzzle comes in the form of on-device, hardware-based encryption and, in the case of storage, in the shape of the SSH QuickSec Toolkit for SAN, from SSH Communications Security. The product, which, according to SSH, is the only one of its kind, provides a set of tools for IPSec encryption that can be implemented through the iSCSI hardware. For additional security, the QuickSec Toolkit also accommodates Internet Key Exchange (IKE) and X.509 PKI Client Functionality to ensure that not only is the data secure while in transport, but that the end-to-end authentication is also secure.
By implementing the technology at an on-device hardware level, through a firmware chip, performance degradation with SSH QuickSec Toolkit for SAN is negligible and the realization of iSCSI as a storage wide area network (SWAN) technology comes one big step closer.
The first adopters of the SSH QuickSec Toolkit for SAN are Adaptec, who will be integrating the functionality into upcoming iSCSI products. Earlier this month, SSH announced that they had entered into an agreement with Adaptec to develop IPSec-capable iSCSI storage networking devices. The agreement allows Adaptec to be the first to market with hardware-based, IPSec-capable iSCSI devices, a step they see as being instrumental in the market acceptance of iSCSI.
“The availability of robust, standards based, interoperable security solutions, are critical for the broad deployment of iSCSI and TCP offload,” said Ram Jayam, vice president and general manager of Adaptec’s Storage Networking Group. “Integrating SSH’s QuickSec Toolkit for SAN software with our innovative security hardware will provide time-to-market advantages and enable security for data and storage networks.”
While Adaptec are the first to form an alliance with SSH, Byron Rashed, senior marketing communications manager for SSH, foresees other relationships developing in the future. “Any company that makes, or will make in the future, storage products with iSCSI can utilize the power and flexibility of the SSH QuickSec Toolkit for SAN.” The use of industry standard encryption makes the SSH QuickSec Toolkit for SAN suitable for many applications – a key consideration for SSH during the development of the product. “The product is the result of our significant investment in R&D, and of our participation in the standards process such as our work with the IETF,” said Rashed.
Although neither IPSec nor iSCSI are ‘new’ technologies, it is the way in which the SSH QuickSec Toolkit for SAN is implemented which makes it a significant step forward in iSCSI development, as Jussi Kukkonen, product manager for SSH, explains. “By using the appropriate offloading components, it’s possible to get wire speed security. In reality, this is no more than people should expect. It’s unreasonable to think that people would buy into a technology that reduces system performance when almost every other purchase is made with increased performance in mind.”
As a company, SSH Communications Security is hardly new to the security arena – their SSH Secure Shell product (from which the company name is derived) has long been accepted as the de facto standard in secure remote access, encrypted file transfer and terminal connection software. The company also produces a range of other security and authentication related products all of which are based around accepted industry standards.
Because of the nature of the SSH QuickSec Toolkit for SAN product, it is only available as a source code package to hardware manufacturers who wish to integrate the functionality into their devices. SSH are happy to work with companies to jointly develop products with the SSH QuickSec Toolkit family capability, or to just supply the code to allow companies to develop products on their own.
There are still many obstacles to be overcome before wide-scale market acceptance of iSCSI, but with products like the QuickSec Toolkit for SAN, SSH has ensured that security is not one of them.