Hardware manual

8 iSCSI target security
Volumes and snapshots are seen on the network as iSCSI targets. It is important to understand how to protect your
volumes and snapshots from unauthorized and uncontrolled access by iSCSI initiators.
About iSCSI access requirements
To access an iSCSI target (for example, a volume or snapshot), an iSCSI initiator must meet the security
requirements identified in Table 8-1.
Table 8-1: Access Requirements for iSCSI Targets

Security condition          Description
Network access              To discover targets, the initiator must have network access to the group IP address.
Initiator access controls   (Optional) If the initiator has target authentication enabled (sometimes called mutual authentication), the target authentication credentials in the group must match the credentials configured in the initiator. These credentials apply to all group targets. See Configuring target authentication on page 8-4.
Target access controls      The initiator must meet all the conditions in one access control record for the target. See About iSCSI target access controls on page 8-1.
About iSCSI target access controls
PS Series groups use access control records to prevent unauthorized computer access to iSCSI targets (volumes or
snapshots).
A volume and its snapshots share a list of access control records (up to 16 for each volume). An access control
record can apply to the volume, its snapshots, or both. For example, you can let a computer have access to the
volume and its snapshots or access only to the volume.
When you create a volume, you can set up one access control record. You can later set up additional records.
To log in to a volume or snapshot, the initiator must meet all the conditions specified in one access control record.
You can specify one or more of the following conditions in a record:
IP address – Restricts access to iSCSI initiators whose address matches the specified IP address (for example,
12.16.22.123). Use asterisks to indicate that any value is accepted in an octet (for example, 12.16.*.*).
iSCSI initiator name – Restricts access to iSCSI initiators that present the specified name (for example,
iqn.2000-05.com.qlogic.qla-4000.sn00044).
CHAP user name – Restricts access to computers that supply the specified CHAP user name and its associated
password (or “secret”). The credentials must match a local CHAP account or a CHAP account on an external
RADIUS server. See Authenticating initiators through CHAP.
For example, if a volume has only one access control record, which includes an IP address and CHAP user name,
only a computer with that IP address and the appropriate CHAP credentials can access the volume. If an
administrator creates another record that includes an iSCSI initiator name, a computer with that initiator name can
also access the volume.
You can create an access control record with no conditions, which gives unlimited computer access. Dell does not recommend
unlimited computer access unless you are testing access to a target.
Note also that, of the three conditions, only the CHAP user name actually authenticates the initiator: the IP address and
the iSCSI initiator name are values the initiator asserts about itself, so a record that relies on them alone limits which
hosts can connect but does not verify who they are.
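The matching rules above (every condition in a record must hold, any one record is sufficient, a record may apply to the volume, its snapshots or both, and a record with no conditions grants unlimited access) are small enough to model exactly. The following is an added reference model written for this chapter; it is not Dell's firmware or code. It reproduces the worked example in the text (one record with an IP address and CHAP user name, a second record with an initiator name only) and exercises the per-octet wildcard, the unlimited record and a snapshot-only record. CHAP is modelled as the RFC 1994 MD5 challenge/response; the CHAP account, secret, challenge and initiator names used as input are constructed for the example and are not from any real group.

```python
"""Reference model of PS Series access control record matching.

Added example for this chapter, not Dell's code: it models the semantics the
manual describes so the rules can be exercised against constructed logins.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional

VOLUME = "volume"
SNAPSHOT = "snapshot"


@dataclass(frozen=True)
class AccessRecord:
    """One access control record. A None condition means 'not restricted'."""
    ip_pattern: Optional[str] = None       # dotted quad; '*' accepts any value in that octet
    initiator_name: Optional[str] = None   # iSCSI qualified name (iqn.*) the initiator presents
    chap_user: Optional[str] = None        # must match a local CHAP account
    applies_to: FrozenSet[str] = frozenset({VOLUME, SNAPSHOT})


@dataclass(frozen=True)
class LoginAttempt:
    """What the target observes about an initiator during login."""
    ip: str
    initiator_name: str
    chap_user: Optional[str] = None
    chap_response: Optional[bytes] = None  # response to the target's CHAP challenge


def ip_matches(pattern: str, address: str) -> bool:
    """Per-octet match: '12.16.*.*' matches 12.16.200.7 but not 12.17.0.1."""
    p, a = pattern.split("."), address.split(".")
    if len(p) != 4 or len(a) != 4:
        raise ValueError("expected dotted-quad IPv4 pattern and address")
    return all(po == "*" or po == ao for po, ao in zip(p, a))


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: response = MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verified(attempt: LoginAttempt, user: str, accounts: Dict[str, bytes],
                  identifier: int, challenge: bytes) -> bool:
    """True only if the initiator named this user and proved knowledge of its secret."""
    if attempt.chap_user != user or attempt.chap_response is None:
        return False
    secret = accounts.get(user)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, attempt.chap_response)


def record_permits(record: AccessRecord, attempt: LoginAttempt, target_kind: str,
                   accounts: Dict[str, bytes], identifier: int, challenge: bytes) -> bool:
    """Every condition present in the record must hold for this kind of target."""
    if target_kind not in record.applies_to:
        return False
    if record.ip_pattern is not None and not ip_matches(record.ip_pattern, attempt.ip):
        return False
    if record.initiator_name is not None and record.initiator_name != attempt.initiator_name:
        return False
    if record.chap_user is not None and not chap_verified(
            attempt, record.chap_user, accounts, identifier, challenge):
        return False
    return True


def access_granted(records: Iterable[AccessRecord], attempt: LoginAttempt, target_kind: str,
                   accounts: Dict[str, bytes], identifier: int, challenge: bytes) -> bool:
    """Access is granted if at least one record's conditions all hold."""
    return any(record_permits(r, attempt, target_kind, accounts, identifier, challenge)
               for r in records)


# Constructed sample data for the manual's worked example (hypothetical, not from a real group).
CHAP_ACCOUNTS = {"host1": b"s3cr3t-host1"}   # one local CHAP account
CHAP_ID = 0x2A
CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")  # fixed so the run is repeatable
VOLUME_RECORDS = (
    AccessRecord(ip_pattern="12.16.22.123", chap_user="host1"),              # IP address and CHAP user
    AccessRecord(initiator_name="iqn.2000-05.com.qlogic.qla-4000.sn00044"),  # initiator name only
)


def login(ip: str, iqn: str, user: Optional[str] = None, secret: Optional[bytes] = None,
          records: Iterable[AccessRecord] = VOLUME_RECORDS, target_kind: str = VOLUME) -> bool:
    """Simulate one login: the initiator answers the target's challenge with the secret it holds."""
    offered = user is not None and secret is not None
    response = chap_response(CHAP_ID, secret, CHALLENGE) if offered else None
    attempt = LoginAttempt(ip, iqn, user, response)
    return access_granted(records, attempt, target_kind, CHAP_ACCOUNTS, CHAP_ID, CHALLENGE)
```

Running login("12.16.22.123", "iqn.1991-05.com.microsoft:host1", "host1", b"s3cr3t-host1") is granted by the first record, while the same host with a wrong secret, or with no CHAP credentials at all, is refused; login("10.0.0.5", "iqn.2000-05.com.qlogic.qla-4000.sn00044") is granted by the second record regardless of its address. Note in the model that only the CHAP check involves a secret: ip_matches and the initiator-name comparison accept whatever the client presents, which is why a record built from those two conditions alone restricts reachability rather than proving identity.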