To understand the benefits of iSCSI technology, you first need to understand how security works for these devices and for the network as a whole. Several key elements make up the overall security picture, and they fit together like the pieces of a completed puzzle.
Focusing on the Authentication
iSCSI targets and initiators prove their identities to one another using the CHAP protocol, a mechanism designed to keep cleartext passwords off the wire. On its own, CHAP is vulnerable to a wide variety of attacks, such as dictionary and reflection attacks as well as spoofing. However, as long as the rules for using this protocol within iSCSI are followed, the vast majority of these attacks can be prevented.
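The target side of a mutual CHAP login, as an added example that is not part of the original article: it computes the RFC 1994 MD5 response and applies three of the rules referred to above. The class and function names are hypothetical, and the rules enforced (secrets of at least 96 bits, a different secret per direction, no answer to a reflected challenge) are this example's reading of the CHAP requirements in the iSCSI specification (RFC 3720).

```python
import hashlib
import hmac
import os

MIN_SECRET_LEN = 12  # 96 bits; minimum assumed here for CHAP without IPsec


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP-MD5: MD5 over identifier octet, secret, then challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class TargetLogin:
    """Target side of one mutual-CHAP login (hypothetical helper class)."""

    def __init__(self, initiator_secret: bytes, target_secret: bytes):
        if min(len(initiator_secret), len(target_secret)) < MIN_SECRET_LEN:
            raise ValueError("CHAP secret shorter than 96 bits")
        if hmac.compare_digest(initiator_secret, target_secret):
            raise ValueError("same CHAP secret configured for both directions")
        self.initiator_secret = initiator_secret
        self.target_secret = target_secret
        # Fresh, unpredictable challenge per login, so an old response cannot be replayed.
        self.identifier = os.urandom(1)[0]
        self.challenge = os.urandom(16)

    def verify_initiator(self, response: bytes) -> bool:
        expected = chap_response(self.identifier, self.initiator_secret, self.challenge)
        return hmac.compare_digest(expected, response)  # constant-time compare

    def answer_initiator(self, identifier: int, challenge: bytes) -> bytes:
        # Reflection check: never answer a challenge that is our own, echoed back.
        if hmac.compare_digest(challenge, self.challenge):
            raise ConnectionAbortedError("initiator reflected the target's challenge")
        return chap_response(identifier, self.target_secret, challenge)


if __name__ == "__main__":
    init_secret = b"constructed-initiator-secret"  # constructed sample values
    tgt_secret = b"constructed-target-secret"
    login = TargetLogin(init_secret, tgt_secret)
    resp = chap_response(login.identifier, init_secret, login.challenge)
    print("initiator accepted:", login.verify_initiator(resp))
    try:
        login.answer_initiator(login.identifier, login.challenge)
    except ConnectionAbortedError as exc:
        print("login closed:", exc)
```

Only the hash of the secret and challenge crosses the wire, which is why an observer never sees the password itself; a short or guessable secret can still be recovered offline, which is what the length check addresses.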
Understanding the Principle of Logical Network Isolation
Most IT administrators and specialists will only run iSCSI over logically isolated backchannel networks. In this deployment architecture, the only elements directly exposed to the internal general-purpose network are the storage arrays' management ports.
The iSCSI protocol runs over dedicated network segments or over virtual Local Area Networks (VLANs). Because a single compromised host with an iSCSI disk can attack the storage resources used by other hosts, this type of isolation can easily create a transitive trust problem that is rather difficult to resolve.
How Does Physical Network Isolation Work?
Although iSCSI can be logically isolated from the general network using VLANs alone, it is no different from any other network equipment: it will work over any cable or port as long as the signal path between the source and the target is complete.
As with logical network isolation, physical network isolation of iSCSI carries a key security risk. A single cabling mistake can compromise the barriers that have been put in place to maintain the isolation, and it may go undetected for quite some time while it progressively damages the structure and design of your entire network.
Finding the Right Match for You
You should examine both isolation types thoroughly to determine which one will work best for you and fulfill your specific needs. Even though it is clear that neither of them will provide security that cannot be breached, there are still plenty of benefits to be gained by implementing them within your current IT infrastructure and network.