Storage

Put this simple security measure in place for iSCSI storage networks

Securing storage requires a number of different approaches. In this post, IT pro Rick Vanover shows how one product makes it easy to set iSCSI access lists.

In the iSCSI storage world, it is difficult to take the same approach that you may have had in the fibre channel storage world. Probably the most obvious example in this case is what system sees which LUNs. Of course, it is quite easy in an open storage zone where every system on the storage network will see every available LUN. Further, that open storage zone would be segregated from other traffic at the physical media layer to provide one measure of security.

What I’ve come across recently is a nifty little feature on the ReadyNAS series of unified storage products that allows a very important security measure to be put in for iSCSI storage. An iSCSI qualified name (IQN) is assigned to both an iSCSI initiator and the iSCSI target for iSCSI storage networks. What the ReadyNAS series does is allow a very easy interface option to add specific iSCSI initiators to receive a particular LUN. Figure A shows this option within the ReadyNAS web configuration utility: Figure A

Click image to enlarge

What happens when a specific IQN is inserted here is that only one system can connect to that LUN. Other systems can see the target, but are unable to connect to the volume and use it. Further, in this particular example with the ReadyNAS series, multiple IQNs can be added in this section of the configuration of the iSCSI volume to enable clustering and other techniques.

Determining the IQN of a server is quite easy. On Windows systems, simply run the “iSCSI Initiator” applet from the Control Panel and go to the configuration tab. On vSphere systems, it is a property of the storage adapter. Figure B shows this section for both an ESXi host and a Windows system: Figure B

Click image to enlarge

I've used the ReadyNAS unit as my example because configuring this option is quite easily done in the interface, and many other unified storage products in this price point don’t have this option available. Separation at network levels may be an option, but with a large number of systems, it may be virtually impossible to deliver many connectivity options on storage controllers with a limited number of network interfaces. The concept of protecting IQNs is, of course, commonplace on larger storage systems, but for smaller unified storage, this is pretty slick.

Does this IQN access control list of sorts appeal to you in such an easy fashion? How do you protect LUNs from accidental loading on other systems? Share your comments below.

About

Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.

3 comments
b4real
b4real

Hi mgbell -> Yes, I've used it in SMB situations very successfully. I must disclose that I have 2 units, a ReadyNAS 3100 and an Ultra6; both were provided to me for free from NETGEAR. I like them both. The 3100 does a smidge better, even with 4 drives; I think it has more compute resources. I primarily use it for hosting VMs over iSCSI with vSphere and Hyper-V very successfully. The unified storage capabilities (CIFS) are also super easy.

mgbell
mgbell

Rick, would the ReadyNAS product be suitable for a small business environment (say about 50 users) implemented as a simple file server? Could the Ultra 6 be configured with 3 raid 1 arrays (3 data drives with 1 mirror each)?

b4real
b4real

Also, mgbell -> send me an email at b4real@usa.net if you have any specific questions.

Editor's Picks