Securing storage requires a number of different approaches. In this post, IT pro Rick Vanover shows how one product makes it easy to set iSCSI access lists.
In the iSCSI storage world, it is difficult to take the same approach that you may have had in the fibre channel storage world. Probably the most obvious example in this case is what system sees which LUNs. Of course, it is quite easy in an open storage zone where every system on the storage network will see every available LUN. Further, that open storage zone would be segregated from other traffic at the physical media layer to provide one measure of security.What I’ve come across recently is a nifty little feature on the ReadyNAS series of unified storage products that allows a very important security measure to be put in for iSCSI storage. An iSCSI qualified name (IQN) is assigned to both an iSCSI initiator and the iSCSI target for iSCSI storage networks. What the ReadyNAS series does is allow a very easy interface option to add specific iSCSI initiators to receive a particular LUN. Figure A shows this option within the ReadyNAS web configuration utility: Figure A
Click image to enlarge
What happens when a specific IQN is inserted here is that only one system can connect to that LUN. Other systems can see the target, but are unable to connect to the volume and use it. Further, in this particular example with the ReadyNAS series, multiple IQNs can be added in this section of the configuration of the iSCSI volume to enable clustering and other techniques.Determining the IQN of a server is quite easy. On Windows systems, simply run the “iSCSI Initiator” applet from the Control Panel and go to the configuration tab. On vSphere systems, it is a property of the storage adapter. Figure B shows this section for both an ESXi host and a Windows system: Figure B
Click image to enlarge
I've used the ReadyNAS unit as my example because configuring this option is quite easily done in the interface, and many other unified storage products in this price point don’t have this option available. Separation at network levels may be an option, but with a large number of systems, it may be virtually impossible to deliver many connectivity options on storage controllers with a limited number of network interfaces. The concept of protecting IQNs is, of course, commonplace on larger storage systems, but for smaller unified storage, this is pretty slick.
Does this IQN access control list of sorts appeal to you in such an easy fashion? How do you protect LUNs from accidental loading on other systems? Share your comments below.