|
SSH QuickSec
Toolkit for SAN - Bringing Security to iSCSI
By Enterprise
Storage Forum Staff
Go to page: 2
There are many obstacles on the
road to iSCSI adoption. One of the most significant is that of
security.
In the same way that 'standard'
network transmissions can be intercepted, copied off the network
media and read by a packet analyzer program, iSCSI's use of TCP/IP
as a transport mechanism means that the same could be done to
transmissions between two storage devices that are communicating via
iSCSI. The difference, of course, is that on a standard network
organizations can be very selective about what data is being sent.
In a storage scenario, there is less opportunity to be selective,
and a requirement to transmit considerably more data.
In a LAN environment, the concerns
over security are allayed somewhat by the use of firewalls that
protect data from outside intruders, and by the (sometimes
incorrect) assumption that people within the corporate LAN boundary
would not want to sniff data off the network and read the contents.
But it is in the WAN environment,
where data leaves the (supposedly) safe confines of the LAN and
travels over WAN links, often by unknown means, that the need to
secure data from prying eyes is paramount.
Perhaps the most significant
advantage of iSCSI is that it allows data to be transmitted between
storage devices using standard network links. This makes it possible
to break free of the distance boundaries created by other storage
technologies and transmit data between storage devices over long
distances. Concepts like off site data replication to another state,
country or continent become not just possible, but also feasible
from both a technological and financial perspective. It's a big
benefit, but one that is almost negated if the data being
transferred over the links cannot be secured.
To create a secure mechanism by
which to send data over iSCSI, the storage industry, quite
naturally, looked to the networking industry for solutions. The
solution from a standard networking perspective is to use a security
protocol such as IPSec, the reasoning being that if it's good enough
for standard network transmissions, it's good enough to secure the
traffic between storage devices.
But the problem with any encryption
technology, not just IPSec, is that it degrades the performance
between the two links. The time it takes for the encryption to take
place, which is normally performed by a software component,
increases the latency and so degrades overall performance. In
standard network traffic, this increased latency is seen as an
acceptable price to pay for the security afforded by the encryption.
In the storage industry, where performance is both a key
consideration and an overriding concern, such performance
degradation is unacceptable.
The answer to the puzzle comes in
the form of on-device hardware based encryption and, in the case of
storage, in the shape of the SSH QuickSec Toolkit for SAN, from SSH
Communications Security. The product, which according to SSH, is the
only one of its kind, provides a set of tools for IPSec encryption
that can be implemented through the iSCSI hardware. For additional
security, the QuickSec Toolkit also accommodates Internet Key
Exchange (IKE) and X.509 PKI Client Functionality to ensure that not
only is the data secure while in transport, but that the end-to-end
authentication is also secure.
By implementing the technology at
an on-device hardware level, through a firmware chip, performance
degradation with SSH QuickSec Toolkit for SAN is negligible and the
realization of iSCSI as a storage wide area network (SWAN)
technology comes one big step closer.
|
