iSCSI Security


As previously discussed, iSCSI natively supports bi-directional authentication. iSCSI authentication occurs as part of the initial session establishment procedure. iSCSI authentication is optional and may transpire using clear text messages or cryptographically protected messages. For cryptographically protected authentication, IETF RFC 3720 permits the use of SRP, Kerberos V5, the Simple Public-Key GSS-API Mechanism (SPKM) as defined in RFC 2025, and the Challenge Handshake Authentication Protocol (CHAP) as defined in RFC 1994. Vendor-specific protocols are also permitted for cryptographically protected authentication. For all other security services, iSCSI relies upon IPsec.
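The following Python model, added here as an illustration and not drawn from the book or any iSCSI implementation, walks through the bidirectional CHAP exchange the paragraph describes: the target challenges the initiator, the initiator answers with MD5(CHAP_I || secret || CHAP_C) as RFC 1994 specifies, and the initiator then issues its own challenge so it can authenticate the target in turn. Login PDU framing is left out; only the CHAP text keys of RFC 3720 (CHAP_A, CHAP_I, CHAP_C, CHAP_N, CHAP_R) are modelled, with binary values carried as 0x-prefixed hex. The IQNs and secrets are constructed, and the two defensive checks (a secret of at least 96 bits when IPsec is not in use, and refusing to answer a challenge the peer itself issued) follow RFC 3720 section 8.2.1.

```python
# Added model of iSCSI bidirectional CHAP (RFC 3720 / RFC 1994), not the
# book's code. All IQNs and secrets are constructed for illustration.
import hashlib
import hmac
import os

CHAP_A_MD5 = 5  # the only CHAP algorithm value iSCSI registers (MD5)


def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(Identifier || Secret || Challenge)."""
    if not 0 <= chap_id <= 255:
        raise ValueError("CHAP_I must fit in one octet")
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()


def to_key(value: bytes) -> str:
    """iSCSI login text keys carry binary values as 0x-prefixed hex."""
    return "0x" + value.hex()


def from_key(text: str) -> bytes:
    if not text.startswith("0x"):
        raise ValueError("expected a 0x-prefixed hex value")
    return bytes.fromhex(text[2:])


class ChapPeer:
    """An initiator or target: holds its own secret and each known peer's."""

    def __init__(self, name: str, own_secret: bytes, peer_secrets: dict):
        # RFC 3720 s8.2.1: do not proceed with a CHAP response unless the
        # secret is at least 96 bits or the connection is protected by IPsec.
        if len(own_secret) < 12:
            raise ValueError("CHAP secret shorter than 96 bits")
        self.name = name
        self.own_secret = own_secret
        self.peer_secrets = peer_secrets
        self.issued = set()  # challenges this peer sent; used for the reflection check

    def issue_challenge(self) -> dict:
        chap_id = os.urandom(1)[0]
        challenge = os.urandom(16)
        self.issued.add(challenge)
        return {"CHAP_A": str(CHAP_A_MD5), "CHAP_I": str(chap_id),
                "CHAP_C": to_key(challenge)}

    def answer_challenge(self, msg: dict) -> dict:
        if int(msg["CHAP_A"]) != CHAP_A_MD5:
            raise ValueError("unsupported CHAP algorithm")
        challenge = from_key(msg["CHAP_C"])
        # RFC 3720 s8.2.1: the other direction must not reuse our challenge,
        # and we must close the connection if it does (reflection defence).
        if challenge in self.issued:
            raise ValueError("reflected challenge; close the connection")
        response = chap_response(int(msg["CHAP_I"]), self.own_secret, challenge)
        return {"CHAP_N": self.name, "CHAP_R": to_key(response)}

    def verify_response(self, sent: dict, reply: dict) -> bool:
        secret = self.peer_secrets.get(reply["CHAP_N"])
        if secret is None:
            return False
        expected = chap_response(int(sent["CHAP_I"]), secret, from_key(sent["CHAP_C"]))
        return hmac.compare_digest(expected, from_key(reply["CHAP_R"]))


def bidirectional_login(initiator: ChapPeer, target: ChapPeer) -> tuple:
    """Run both CHAP directions.

    Returns (target accepted initiator, initiator accepted target).
    """
    # Direction 1: the target authenticates the initiator.
    t_chal = target.issue_challenge()
    i_reply = initiator.answer_challenge(t_chal)
    initiator_ok = target.verify_response(t_chal, i_reply)
    # Direction 2: the initiator authenticates the target with a fresh challenge.
    i_chal = initiator.issue_challenge()
    t_reply = target.answer_challenge(i_chal)
    target_ok = initiator.verify_response(i_chal, t_reply)
    return initiator_ok, target_ok


if __name__ == "__main__":
    init_name = "iqn.2001-04.com.example:initiator-01"  # constructed
    tgt_name = "iqn.2001-04.com.example:target-01"      # constructed
    init_secret, tgt_secret = b"initiator-secret-123", b"target-secret-456"
    initiator = ChapPeer(init_name, init_secret, {tgt_name: tgt_secret})
    target = ChapPeer(tgt_name, tgt_secret, {init_name: init_secret})
    print(bidirectional_login(initiator, target))
```

Note that each direction uses a different secret; if the same secret served both directions, a valid response obtained in one direction could be replayed in the other, which is the reason RFC 3720 also forbids answering a challenge one has issued oneself.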

Additional iSCSI security can be achieved by masking the existence of iSCSI devices during the discovery process. Both Internet Storage Name Service (iSNS) Discovery Domains and Service Location Protocol (SLP) Scopes can be leveraged for this purpose. Both of these mechanisms provide limited access control by confining device discovery within administratively defined boundaries. However, this form of security is based on a merit system; no enforcement mechanisms are available to prevent direct discovery via probing. Readers are encouraged to consult IETF RFC 3723 for background information related to iSCSI security.



Storage Networking Protocol Fundamentals
Storage Networking Protocol Fundamentals (Vol 2)
ISBN: 1587051605
Year: 2007
Pages: 196
Authors: James Long
