IPSEC and iSCSI

Thomas Ptacek | November 22nd, 2005 | Filed Under: Matasano, New Findings

A commenter writes:

Just configure IPSEC on the initiator and the targets and get it over with. iSCSI CHAP is not for security, it really just for avoiding simple mistakes like attaching to the wrong target and starting doing I/O.

According to Himanshu at iSEC Partners, nobody uses IPSEC for iSCSI. It’s perceived to hurt performance, deployability, and compatibility (WinAD IPSEC doesn’t interoperate with SAN appliances). But beyond that:

  1. The iSCSI vendors themselves, including LeftHand and Network Appliance, tout CHAP as the primary security feature of the protocol.
  2. Since iSCSI has no security beyond authentication, using IPSEC does very little to change the equation: compromise any machine that can make an IPSEC association with an iSCSI target and you’ve still got game-over access.

Updated 11/23 from Alex’s comments

1 Comment so far

  • Alex

    November 22nd, 2005 5:35 pm

    Yeah, we find that it is extremely rare for iSCSI to be deployed in production, mostly due to:
    a) Performance concerns
    b) The need to provide volumes to arbitrary clients without configuration.
    c) The incompatibility between iSCSI device IPsec and commonly deployed opportunistic IPsec stacks, such as Windows AD-enabled IPsec.

    BTW, its spelled Himanshu. :)

    • Leave a reply