HP StorageWorks 1510i Modular Smart Array iSCSI concepts and deployment guide (431338-002, July 2008)

ManualsBrandsHP ManualsStorageHP StorageWorks MSA1510i Controller Module

Table Of Contents

TheserialportonthefrontoftheMSAcontrollerdoesnotrequireanaccountlogintogainaccesstothe

administrative command line interface (CLI). If physical security measures limiting physical access to the

network devices are not maintained, the MSA and other network devices are open to compromise.

In addition, there is only a single account for accessing the SMU, so segmentation among different

individuals is not possible.

Lastly, SMU and CLI commands such as reset management_login do not contain username

password authentication and can result in the unauthorized update of MSA conﬁguration settings.

Data security

Data contained on the MSA1510i is safeguarded through several mechanisms. These include:

• Initiator access grants — For an initiator to access an MSA target, the unique, qualiﬁed iSCSI initiator

name must be entered in the target setup information in either the HP Storage Management Utility

(SMU) or the MSA Command Line Interface (MSA-CLI). At the highest level, initiator access grants

determine if a given initiator may access the device. Unfortunately protections against initiator

impersonation do not exist and any initiator can assume the name of a registered initiator and

gain acces

stostorage.

• Access control lists — LUN level access control lists are another mechanism to prevent access to a

speciﬁc LUN, but again there are no provisions in place to prevent a given initiator from assuming the

role of an intended server. ACLs are built in the SMU or MSA CLI.

• Mutual CH

AP authentication — the Challenge Handshake Authentication Protocol (CHAP) is a security

method th

at hashes a password (secret) and veriﬁes a match between a target and its authorized

initiators. Mutual CHAP ensures that both the initiator and the target are the intended initiator and

target, instead of a unit posing as a storage target or an initiator impersonating an intended initiator.

CHAP secrets are passwords entered in both the target and initiator software tools that must match in

order to gain access. In mutual CHAP environments, there are two passwords: one for the target

and one for the initiator. These passwords should match the standard practices for the environment

and be rotated on a regular basis.

•TheMi

crosoft iSCSI Initiator supports both one-way and mutual CHAP. The usage model assumed

by the

MicrosoftiSCSIinitiatoristhateachtargetcanhaveitsownuniqueCHAPsecretfor

one-

way CHAP and the initiator itself has a single secret for mutual CHAP with all targets. The

Micr

osoft iSCSI initiator can persist the target CHAP secret for each target by using the iSCSI-CLI

AddS

taticTarget command. The secret is encrypted before persisting to restrict access to only

the

MicrosoftiSCSIInitiator. Ifthetargetsecretispersisted,itdoesnotneedtobepassedon

every login attempt. Alternatively a management application such as the iSCSI initiator control

panelappletcanpassthetargetCHAPsecretateachloginattempt.Forpersistenttargets,the

target CHAP secret is persisted along with the other information used to log in to the target. The

target CHAP secret for each persistent target assigned to the Microsoft iSCSI Initiator kernel mode

driver are also encrypted before being persisted.

•C

HAP requires the initiator to have a username and a secret. The CHAP username is typically

passed to the target and the target will look up the secret for that username in its private table. By

default, the Microsoft iSCSI initiator uses the initiator node name as the CHAP username.

• WhenaniSCSItargetisconﬁgured with a CHAP secret, it allows an initiator to log in only if it has

the same secret. The CHAP mechanism encrypts the secret so that it is not transmitted in plain

text. Mutual CHAP authentication means that the iSCSI target has to prove itself back to the

iSCSI initiator. When mutual CHAP authentication is enabled, the iSCSI initiator also checks that

the iSCSI target has knowledge of its secret.

• While the CHAP secrets prevent an unwanted server from attaching to a particular target, it is not

necessarily an effective mechanism for segmenting off particular LUNs associated with the target.

For example, one could have three LUNs mapped to a target with three servers attaching to the

same target. In this scenario, the CHAP mechanism would not segment the server trafﬁcacross

the three LUNs — ACLs should also be set up.

Security