What Is iSCSI and How Does It Work?

iSCSI stands for Internet Small Computer Systems Interface. iSCSI is a transport layer protocol that works on top of the Transport Control Protocol (TCP). It enables block-level SCSI data transport between the iSCSI initiator and the storage target over TCP/IP networks. iSCSI supports encrypting the network packets, and decrypts upon arrival at the target.

SCSI is a block-based set of commands that connects computing devices to networked storage, including spinning up storage media and data reads/writes.

The protocol uses initiators to send SCSI commands to storage device targets on remote servers. Storage targets may be SAN, NAS, tape, general-purpose servers – both SSD and HDD – LUNs, or others. The protocol allows admins to better utilize shared storage by allowing hosts to store data to remote networked storage, and virtualizes remote storage for applications that require direct attached storage.


The iSCSI protocol plays an important play in many different network configurations.

iSCSI Components

iSCSI Initiator, HBA, or iSOE

These technologies package SCSI commands into network packets and direct them to the storage target. The software-based iSCSI initiator is the least expensive of the options, and is often included in the operating system (OS).

Host-based adapters (HBA) is a hardware device. HBAs are more expensive than software, but higher performance with more functionality. A hardware alternative is to the full HBA is an iSOE card with an iSCSI offload engine. The engine offloads the initiator operations from the host processor, which frees up CPU cycles on the host servers.

iSCSI Target

iSCSI transports packets across TCP/IP networks. The iSCSI target is the remote storage, which appears to the host system as a local drive. The iSCSI protocol links the hosts and storage over IP networks: LAN, WAN, and Internet.

When the packets arrive at the iSCSI target, the protocol disassembles the packets to present SCSI commands to the operating system. If iSCSI has encrypted the network packet, it decrypts the packet at this stage.

iSCSI Performance

iSCSI performance is highly dependent on underlying technologies like 10 Gigabit Ethernet (10 GbE) and bridging technology in the data center.

  • 10 GbE. Ethernet network connection speed has the single largest impact on iSCSI performance. Although smaller networks may run iSCSI protocols over 1 GbE networks, the slower speed is insufficient for mid-sized or enterprise data centers. Admins may increase some performance on a sub-10 GbE network by adding multiple NICs, but a single switch will not boost speed for multiple iSCSI ports. 10 GbE is the recommended speed for an enterprise storage environment. Because it is a wider pipe, there is little call for multiple NICs. Instead, adding server-class network adapters will accelerate iSCSI packets traveling the 10 GbE network.
  • Data center bridging. Bridging is a set of Ethernet extensions that protect SCSI traffic against data loss. This allows iSCSI to better compete with highly reliable Fiber Channel, which has run over lossless connections for years.
  • Multipathing. Multipathing I/O speeds up iSCSI network packets, and most operating systems support the technology. Typical iSCSI multipathing features assign multiple addresses to a single iSCSI session, which accelerates data transport.
  • Jumbo frames. These 9000-byte frames relieve congestion on slower Ethernet networks that are not using 10 GbE, which gives a performance boost of about 10-20 percent. Jumbo frames will not give much of a performance boost in 10 GbE, if any.

iSCSI and Fibre Channel: Two Main Approaches to Storage Data Transmission

iSCSI and Fibre Channel (FC) are leading methods of transmitting data to remote storage. In general, FC is a high-performance but expensive storage network that requires specialized admin skill sets. iSCSI is less expensive and simpler to deploy and manage, but has higher latency.

There are additional protocols that merge the two. The best-known include Fibre Channel over IP (FCIP), a tunneling protocol for SAN-to-SAN replication that wraps the FC frame onto the TCP stream; and Fibre Channel over Ethernet (FCoE) that enables FC SANs to transport data packets over Ethernet networks.

When to Implement iSCSI Over FC

  • When cost is an issue. iSCSI saves on costs over FC because it connects application servers to shared storage without expensive hardware or cabling.
  • When you want to connect many hosts to a single storage target. Oversubscription ratio is the number of hosts that FC or iSCSI will support on a single target device. FC ratios generally support 4:1 up to 20:1, but iSCSI can support many more hosts to a single storage target.
  • When talent is a concern. FC SANs are expensive to deploy and maintain, and require admins with specialized skillsets. An iSCSI SAN runs on existing Ethernet networks, and generalist IT can learn how to install and run them.

iSCSI and Storage Targets

Typical targets include SAN, NAS, tape, and LUNs.

  • SAN presents shared virtual storage pools to multiple servers. For an Ethernet SAN, host servers use iSCSI to transport block-based data to the SAN.
  • NAS supports iSCSI targets. For example, in Windows environments the OS acts as an initiator, so an iSCSI share on a NAS displays as a local drive.
  • Tape. Many tape vendors enable iSCSI support on their tape drives, which allows iSCSI initiators to use the tape drive as its storage target.
  • LUN. A logical unit number uniquely identifies a collection of physical or virtual storage devices. The iSCSI initiator maps to specific iSCSI LUNs as its target. Upon receiving the SCSI network packet, the target serves up its LUNs as available storage.

iSCSI Limitations

Deploying iSCSI is not particularly difficult, especially with software-defined protocols. But configuring the iSCSI initiator and target takes extra steps, and 10 GbE is a necessity for high performance. Additional best practices for supporting traffic loads include running iSCSI traffic on a separate physical network or distinct virtual LAN.

Security is another concern, since iSCSI is vulnerable to packet sniffing. Packet sniffing is a cyberattack where an attacker’s malware or device captures packets moving across a vulnerable network. Admins can take security measures to prevent this, but many storage or generalist admins in smaller companies skip extra security measures in order to simplify iSCSI management.

This is rarely a good plan, since defenses against packet sniffing are easily available. The primary defenses against this attack type is Challenge-Handshake Authentication Protocol (CHAP) and Internet Protocol Security (IPsec), both specific to iSCSI.

CHAP works by acknowledging a link between the initiator and target. Before the data transmits, CHAP sends a challenge message to the connection requestor. The requestor sends back a value derived from a hash function for the server to authenticate. If the hash values match, the link activates. If it does not, CHAP terminates the connection.

For iSCSI packets running across an Internet network, the IPsec protocol authenticates and encrypts data packets sent over an Internet network. Its primary use is in IPsec mutually authenticates between agents (host-to-host, network-to-network, or network-to-host). The protocol also negotiates encryption and decryption during the session, and supports data-origin and network-level peer authentication, and data integrity validation. Since IPsec is complex to deploy and configure, its primary usage is in VPNs (virtual private networks) transporting highly sensitive data.

Additional iSCSI security measures include using access control lists (ACLs) to control user data access and secure management consoles.

Christine Taylor
Christine Taylor
Christine Taylor is a writer and content strategist. She brings technology concepts to vivid life in white papers, ebooks, case studies, blogs, and articles, and is particularly passionate about the explosive potential of B2B storytelling. She also consults with small marketing teams on how to do excellent content strategy and creation with limited resources.

Latest Articles

How to Secure Direct-Attached Storage (DAS): 5 Steps

Direct-attached storage (DAS) security is critical for all companies that use solid-state drives (SSDs), hard disk drives (HDDs), or arrays in conjunction with their...

Network-Attached Storage (NAS) Security: Everything You Need to Know

Network-attached storage (NAS) security is the measures a company takes to protect critical enterprise and customer data within NAS environments from both internal and...

What is Direct-Attached Storage (DAS) Security?

Direct-attached storage (DAS) security helps businesses protect the data stored on their flash drives, hard disk drives (HDDs), and arrays.  DAS connects directly to computers...