iSCSI Security

Applies To: Windows Server 2008

You can use Storage Explorer to configure the iSCSI security settings that initiators in your storage area network (SAN) require to connect to targets and target portals. There are several levels of security available for iSCSI, and you must choose those that the target or target portal requires.

Important

This feature enables you to perform a select subset of the tasks that relate to iSCSI configuration and administration. You can also perform these and other tasks using the Microsoft iSCSI Initiator, which is included in Windows Server 2008 in Administrative Tools. Additionally, vendors of networking and storage solutions provide similar tools to perform iSCSI configuration and administration tasks. For more information about iSCSI, see https://go.microsoft.com/fwlink/?LinkId=102299.

Storage Explorer supports the following iSCSI security levels:

  • CHAP authentication

  • RADIUS authentication

  • IPsec authentication and encryption

CHAP authentication

Challenge Handshake Authentication Protocol (CHAP) is the basic level of security. CHAP is a protocol that is used to authenticate the peer of a connection and is based upon the peers sharing a secret (a security key that is similar to a password).

There are two types of CHAP authentication:

  • One-way CHAP authentication. With this level of security, only the iSCSI target authenticates the initiator. The secret is set just for the target. All initiators that want to access that target need to use the same secret to start a logon session with the target.

  • Mutual CHAP authentication. With this level of security, the iSCSI target and the initiator authenticate each other. A separate secret is set for each target and for each initiator in the SAN.

Warning

At a minimum, use one-way CHAP authentication between iSCSI initiators and targets.
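The following is an added worked example, not code from Storage Explorer or the Microsoft iSCSI Initiator, that walks through the two CHAP variants described above. It models the MD5 CHAP that iSCSI login uses (RFC 1994: the response is MD5 over the identifier, the secret and the challenge), with one Peer object per side. The names Peer, one_way_login and mutual_login are this example's own, and the secrets it generates are constructed sample values; the point it demonstrates is that in one-way CHAP only the target secret is ever checked, so a target that knows the target secret but not the initiator secret is indistinguishable from the real one until mutual CHAP is used.

```python
"""One-way and mutual CHAP, modelled on the MD5 CHAP that iSCSI login uses (RFC 1994).

Added illustration; not Storage Explorer or Microsoft iSCSI Initiator code.
"""
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

CHAP_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"


def new_chap_secret(length: int = 16) -> str:
    """Random secret drawn from a CSPRNG: a sequence of characters, not a word or phrase."""
    return "".join(secrets.choice(CHAP_ALPHABET) for _ in range(length))


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP_R = MD5(CHAP_I || secret || CHAP_C): the proof that a peer knows `secret`."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Peer:
    """An iSCSI initiator or target taking part in CHAP (hypothetical helper class).

    own_secret:  the secret configured on this peer; the other side must prove it knows it.
    peer_secret: the other side's secret, which this peer presents when challenged
                 (None when this peer is never expected to prove itself).
    """

    def __init__(self, name: str, own_secret: str, peer_secret: Optional[str] = None):
        self.name = name
        self.own_secret = own_secret.encode()
        self.peer_secret = peer_secret.encode() if peer_secret is not None else None
        self._outstanding: Optional[Tuple[int, bytes]] = None

    def challenge(self) -> Tuple[int, bytes]:
        """Issue a fresh (CHAP_I, CHAP_C); a new random challenge per login defeats replay."""
        self._outstanding = (secrets.randbelow(256), os.urandom(16))
        return self._outstanding

    def respond(self, identifier: int, challenge: bytes) -> bytes:
        """Answer the other side's challenge with the secret configured for it."""
        if self.peer_secret is None:
            raise RuntimeError(f"{self.name} has no secret to present")
        return chap_response(identifier, self.peer_secret, challenge)

    def verify(self, response: bytes) -> bool:
        """Check a response against our own secret and the challenge we issued (single use)."""
        if self._outstanding is None:
            raise RuntimeError(f"{self.name} has no outstanding challenge")
        identifier, challenge = self._outstanding
        self._outstanding = None
        expected = chap_response(identifier, self.own_secret, challenge)
        return hmac.compare_digest(expected, response)


def one_way_login(initiator: Peer, target: Peer) -> bool:
    """Only the target authenticates the initiator; the target secret is the only secret used."""
    identifier, challenge = target.challenge()            # target -> initiator
    response = initiator.respond(identifier, challenge)   # initiator -> target
    return target.verify(response)


def mutual_login(initiator: Peer, target: Peer) -> Tuple[bool, bool]:
    """Both sides authenticate each other; returns (target_accepts, initiator_accepts)."""
    target_accepts = one_way_login(initiator, target)
    identifier, challenge = initiator.challenge()         # initiator -> target
    response = target.respond(identifier, challenge)      # target -> initiator
    return target_accepts, initiator.verify(response)


if __name__ == "__main__":
    target_secret, initiator_secret = new_chap_secret(), new_chap_secret()  # constructed sample secrets
    target = Peer("target", own_secret=target_secret, peer_secret=initiator_secret)
    initiator = Peer("initiator", own_secret=initiator_secret, peer_secret=target_secret)
    # A target that holds the target secret but not the initiator secret passes one-way CHAP
    # (the initiator never checks it) and fails mutual CHAP.
    impostor_target = Peer("impostor-target", own_secret=target_secret, peer_secret="not-the-initiator-secret")
    print("one-way, genuine target:", one_way_login(initiator, target))          # True
    print("mutual, genuine target:", mutual_login(initiator, target))            # (True, True)
    print("mutual, impostor target:", mutual_login(initiator, impostor_target))  # (True, False)
```

Each login issues a fresh random challenge and discards it after one verification, which is what makes a CHAP response useless if captured and replayed; the secret itself never crosses the wire, but it is still only as strong as its randomness, hence new_chap_secret.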

RADIUS authentication

Remote Authentication Dial-In User Service (RADIUS) is a widely used standard for maintaining and managing user authentication and validation. Unlike CHAP, RADIUS authentication is not performed between the two peers but between a RADIUS server and a RADIUS client. When a user (here, an iSCSI initiator) wants to access the resources of a client (here, an iSCSI target), the client sends a connection request for that user to the RADIUS server. The RADIUS server authenticates the user and returns to the client all the configuration information it needs to deliver service to that user. Transactions between the client and the RADIUS server are themselves authenticated by means of a shared secret.

To use this level of security, you must have a RADIUS server running on your network, or you must deploy one.
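The following is an added example, not code from Storage Explorer, NPS/IAS or any iSCSI target, that shows the client-to-server exchange just described at the packet level, using the RFC 2865 Access-Request / Access-Accept format. The "client" is the iSCSI target acting as RADIUS client, the "user" is the initiator, and the shared secret plays two roles: it hides the User-Password attribute on the way to the server and it keys the Response Authenticator the server puts on its reply, so the client can tell a genuine reply from a forged one. For brevity the example carries a plain User-Name/User-Password pair rather than the relayed CHAP credentials a real iSCSI target would send; the authenticator mechanism is the same. The function names, the user table and the secret are this example's own constructed values.

```python
"""RADIUS Access-Request / Access-Accept exchange with shared-secret authenticators (RFC 2865).

Added illustration; not code from Storage Explorer, NPS/IAS or any iSCSI target.
"""
import hashlib
import hmac
import os
import struct
from typing import Dict, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RADIUS packet codes
USER_NAME, USER_PASSWORD = 1, 2                          # RADIUS attribute types
HEADER = struct.Struct("!BBH")                            # Code, Identifier, Length; a 16-byte Authenticator follows


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute (Length counts the two header bytes)."""
    return bytes([attr_type, len(value) + 2]) + value


def _parse_attrs(data: bytes) -> Dict[int, bytes]:
    """Decode a TLV attribute list, rejecting truncated or self-overlapping lengths."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[i], data[i + 1]
        if attr_len < 2 or i + attr_len > len(data):
            raise ValueError("malformed attribute length")
        attrs[attr_type] = data[i + 2:i + attr_len]
        i += attr_len
    return attrs


def _packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return HEADER.pack(code, ident, 20 + len(attrs)) + authenticator + attrs


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret || previous block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; only a server holding the same secret recovers the password."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def response_authenticator(code: int, ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    return hashlib.md5(HEADER.pack(code, ident, 20 + len(attrs)) + request_auth + attrs + secret).digest()


def build_access_request(ident: int, username: str, password: str, secret: bytes) -> bytes:
    """Client side (the iSCSI target acting as RADIUS client) asks the server to authenticate a user."""
    request_auth = os.urandom(16)   # fresh per request; also seeds the password hiding
    attrs = _attr(USER_NAME, username.encode())
    attrs += _attr(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
    return _packet(ACCESS_REQUEST, ident, request_auth, attrs)


def radius_server(request: bytes, secret: bytes, users: Dict[str, str]) -> bytes:
    """Server side: validate the user and answer with an Access-Accept or Access-Reject."""
    code, ident, length = HEADER.unpack(request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    request_auth, attrs = request[4:20], _parse_attrs(request[20:length])
    username = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    accepted = username in users and hmac.compare_digest(users[username].encode(), password)
    reply_code = ACCESS_ACCEPT if accepted else ACCESS_REJECT
    reply_attrs = b""
    auth = response_authenticator(reply_code, ident, request_auth, reply_attrs, secret)
    return _packet(reply_code, ident, auth, reply_attrs)


def client_check_reply(request: bytes, reply: bytes, secret: bytes) -> Tuple[bool, bool]:
    """Client side: returns (reply_is_authentic, access_accepted); an unauthentic reply is never acted on."""
    code, ident, length = HEADER.unpack(reply[:4])
    if ident != request[1] or length != len(reply):
        return False, False
    expected = response_authenticator(code, ident, request[4:20], reply[20:length], secret)
    authentic = hmac.compare_digest(expected, reply[4:20])
    return authentic, authentic and code == ACCESS_ACCEPT


if __name__ == "__main__":
    SECRET = b"constructed-radius-shared-secret"                       # constructed sample
    USERS = {"iqn.2008-01.com.example:initiator01": "Xq7vR2pL9mT4"}    # constructed sample
    req = build_access_request(1, "iqn.2008-01.com.example:initiator01", "Xq7vR2pL9mT4", SECRET)
    print(client_check_reply(req, radius_server(req, SECRET, USERS), SECRET))        # (True, True)
    print(client_check_reply(req, radius_server(req, b"wrong", USERS), SECRET))      # (False, False)
```

The last line is the case to keep in mind when deploying a RADIUS server for iSCSI: if client and server do not share the same secret, the server cannot recover the credential and the client cannot authenticate the reply, so the login fails closed rather than open.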

IPsec authentication and encryption

Internet Protocol security (IPsec) is a protocol that enforces authentication and data encryption at the IP packet layer. IPsec can be used in addition to CHAP or RADIUS authentication to provide an added level of security.

When you enable IPsec, all IP packets sent during data transfers are encrypted and authenticated. A common key is set on all IP portals, which allows all peers to authenticate each other and negotiate packet encryption. For more information, see IPsec (https://go.microsoft.com/fwlink/?linkid=93520).

Additional considerations

  • The level of security that you can set for a storage subsystem depends on the hardware manufacturer. Not all subsystems support all levels of iSCSI security. You should contact your hardware manufacturer to verify what level of security is supported.

  • The most secure CHAP secrets are not words or phrases, but a random sequence of characters.

Additional references