Results 1 to 7 of 7

Thread: will password be exposed to internet when encrypting iSCSI target

  1. #1
    Join Date
    Mar 2006
    Beans
    194

    will password be exposed to internet when encrypting iSCSI target

    Now I setup an iSCSI target for storage RAID and hope to access my data on storage RAID anywhere through internet by using initiators. For security concerns, I use dmsetup/luks encrypting all data storage on RAID from initiators side, then all data can be thought safe in both transmission though internet and on RAID if no other interface to access these data.

    My question now is

    if or not the first password using to open luks volume will expose to internet unencrytedly? I have read some about protocol used by iSCSI but I am still not clear about how the password be transfered encrypted or not. Thanks!

  2. #2
    Join Date
    Mar 2006
    Beans
    194

    Re: will password be exposed to internet when encrypting iSCSI target

    Anyone can help me to answer this security question? Your idea is greatly appreciated. Thank you for your help!

  3. #3
    Join Date
    May 2006
    Location
    Switzerland
    Beans
    2,541
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: will password be exposed to internet when encrypting iSCSI target

    Quote Originally Posted by say2sky View Post
    Now I setup an iSCSI target for storage RAID and hope to access my data on storage RAID anywhere through internet by using initiators.
    I fail to see why you would do that? Why not have a server and then access it via e.g. OpenVPN or SSH?

    I definitely would not expose my storage directly to the Internet.

  4. #4
    Join Date
    Mar 2006
    Beans
    194

    Re: will password be exposed to internet when encrypting iSCSI target

    Quote Originally Posted by scorp123 View Post
    I fail to see why you would do that? Why not have a server and then access it via e.g. OpenVPN or SSH?

    I definitely would not expose my storage directly to the Internet.
    Thanks for your suggestion. I indeed use SSH and VPN to access file and directory now and it work very well.

    Now I just hope to find if security access can be achieved by directly using block device iSCSI interface when all the data on it is already encrypted and if it will have same security strength and transmission speed. Any clue about these aspect?

  5. #5
    Join Date
    May 2006
    Location
    Switzerland
    Beans
    2,541
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: will password be exposed to internet when encrypting iSCSI target

    Quote Originally Posted by say2sky View Post
    Now I just hope to find if security access can be achieved by directly using block device iSCSI interface when all the data on it is already encrypted
    Still, I'd only use stuff like that via VPN or through a SSH tunnel and not expose more things to the Internet than what really needs to be exposed.

  6. #6
    Join Date
    May 2006
    Location
    Switzerland
    Beans
    2,541
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: will password be exposed to internet when encrypting iSCSI target

    As I already wrote above ... I would not expose this directly to the Internet but rather establish SSH tunnels or do all of this via VPN. See below:

    http://en.wikipedia.org/wiki/ISCSI#Authentication
    " ... iSCSI initiators and targets prove their identity to each other using the CHAP protocol, which includes a mechanism to prevent cleartext passwords from appearing on the wire. By itself, the CHAP protocol is vulnerable to dictionary attacks, spoofing, or reflection attacks ..."
    http://en.wikipedia.org/wiki/ISCSI#C..._and_integrity
    " ... For the most part, iSCSI is a cleartext protocol that provides no cryptographic protection for data in motion during SCSI transactions. As a result, an attacker who can listen in on iSCSI ethernet traffic can:

    * Reconstruct and copy the files and filesystems being transferred on the wire

    * Alter the contents of files by injecting fake iSCSI frames

    * Corrupt filesystems being accessed by initiators, exposing servers to software flaws in poorly-tested filesystem code.

    These problems are not unique to iSCSI, but rather apply to any IP-based SAN protocol without cryptographic security. Though IPSec is frequently cited as a solution to the IP SAN security problem, performance and compatibility concerns retard its deployment ...
    "iSCSI over distance: how to avoid disappointment"
    http://www.thefreelibrary.com/iSCSI+...nt-a0129357484

  7. #7
    Join Date
    Mar 2006
    Beans
    194

    Re: will password be exposed to internet when encrypting iSCSI target

    Quote Originally Posted by scorp123 View Post
    As I already wrote above ... I would not expose this directly to the Internet but rather establish SSH tunnels or do all of this via VPN. See below:

    http://en.wikipedia.org/wiki/ISCSI#Authentication


    http://en.wikipedia.org/wiki/ISCSI#C..._and_integrity


    "iSCSI over distance: how to avoid disappointment"
    http://www.thefreelibrary.com/iSCSI+...nt-a0129357484
    Thanks a lot for your info and link about performance problem for long distance iSCSI through TCP.

    In the past I already read wiki article iSCSI, but I am not very clear if implementing initiator encryption can overcome the weak aspect of iSCSI protocol.

    After think it again Now I know that initiator side encryption can not bypass CHAP protocol, so the security weakness is still there.

    Thanks again your info let me know a lot more about iSCSI.

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •