iSCSI the new Security Scourge?

Sorry, I could not resist the alliteration.But seriously folks, with security snafus around data back-up in the news lately it is disturbing to read about the latest and greatest in storage: iSCSI.

Sorry, I could not resist the alliteration.

But seriously folks, with security snafus around data back-up in the news lately it is disturbing to read about the latest and greatest in storage: iSCSI. Basically, iSCSI (Pronounced eye-scuzzy) takes a block transfer protocol used to communicate with disk drives and encapsulates it in good old TCP/IP. The reason this is cool is that you can attach a whole bunch of SCSI controllers and hard drives to an existing Ethernet network, or even anywhere on the Internet, and get fast cheap storage solutions without that messy, expensive fiber channel stuff.

Problem: Storage Area Networks (SAN) have always been protected from the usual dangers of networking such as viruses, worms, and hackers because they were totally separate from the IP network. The typical configuration is to run fiber network from all machines that needed to be backed up to the SAN, totally bi-passing Ethernet switches, routers, and firewalls. This was great because firewalls do not do too well at passing traffic at multiple gigabit speeds needed to do effective backup. (Try backing up a couple of terabytes of data through your Checkpoint FW-1 running on a Nokia). So, a fiber channel cable would be run, for instance, right from the machines in the DMZ back to the SAN.

Oh sure, the IETF is working on authentication, even IPSec for iSCSI. That is great and will address the direct security issues. It will do nothing to avoid the dirty traffic that will be hammering your SAN controllers and devices.

Prediction: As iSCSI becomes popular (and it will) there will be more and more cases of storage being wiped out by spurious IP traffic. It is as inevitable as security flaws in Longhorn. :-)