secure asymmetric iscsi for online storage
DESCRIPTION
Secure Asymmetric iSCSI For Online Storage. Sarah A. Summers Project Proposal Master of Science in Computer Science University of Colorado, Colorado Springs. Introduction. Explosion in data growth has given rise to need for increased storage capabilities. - PowerPoint PPT PresentationTRANSCRIPT
4/13/2007 Master's Project Proposal 1
Secure Asymmetric iSCSI For Secure Asymmetric iSCSI For Online StorageOnline Storage
Sarah A. SummersSarah A. Summers
Project ProposalProject ProposalMaster of Science in Computer ScienceMaster of Science in Computer Science
University of Colorado, Colorado SpringsUniversity of Colorado, Colorado Springs
4/13/2007 2Master's Project Proposal
IntroductionIntroduction
Explosion in data growth has given rise to need Explosion in data growth has given rise to need for increased storage capabilities.for increased storage capabilities.
Increased use of online storage solutions such as Increased use of online storage solutions such as iSCSI.iSCSI.
Storage solutions must provide security, privacy Storage solutions must provide security, privacy and accountability in line with Government and accountability in line with Government regulations (SOX and HIPAA).regulations (SOX and HIPAA).
Standard iSCSI in combination with IPSec Standard iSCSI in combination with IPSec provides security only during transport.provides security only during transport.
4/13/2007 3Master's Project Proposal
GoalsGoals
Enhance the existing Efficient Asymmetric Enhance the existing Efficient Asymmetric Secure iSCSI implementation.Secure iSCSI implementation.
Produce an implementation that is more Produce an implementation that is more complete and user friendly.complete and user friendly.
Investigate the possibilities of using the Investigate the possibilities of using the implementation for disaster recovery.implementation for disaster recovery.
4/13/2007 4Master's Project Proposal
Efficient Asymmetric Secure iSCSIEfficient Asymmetric Secure iSCSI
Andukuri proposed an Efficient Asymmetric Andukuri proposed an Efficient Asymmetric Secure iSCSI scheme to address security of data Secure iSCSI scheme to address security of data during transport and when in place on target.during transport and when in place on target.
Dual-key asymmetric cryptographic enhancement of Dual-key asymmetric cryptographic enhancement of IPSec.IPSec. Payload encrypted with custom key (not shared with Payload encrypted with custom key (not shared with target).target). Packet encrypted with IPSec ESP for transportation.Packet encrypted with IPSec ESP for transportation. Packet decrypted at target.Packet decrypted at target. Payload stored in encrypted from on target.Payload stored in encrypted from on target.
4/13/2007 5Master's Project Proposal
Efficient Asymmetric Secure iSCSI Efficient Asymmetric Secure iSCSI ImplementationImplementation
Encrypted payload
Only headersDecrypted
here
Only headersEncrypted
here
Payload Decrypted here with custom key
To iscsi target
To iscsi initiator
Payload Encrypted
with custom key
Initiator TargetEncrypted
payload
Unencrypted payload
scsi
iscsi
tcp
ip
ipsec
scsi
iscsi
tcp
ip
ipsec
4/13/2007 6Master's Project Proposal
Project Proposal and ScopeProject Proposal and Scope
The current implementation is a prototype, as such The current implementation is a prototype, as such improvements are possible. By examining the improvements are possible. By examining the implementation and associated thesis, the following areas implementation and associated thesis, the following areas have been identified for enhancement/additionhave been identified for enhancement/addition..
Add Graphical User Interface for easier configuration.Add Graphical User Interface for easier configuration.
Enable the transfer of files of arbitrary size.Enable the transfer of files of arbitrary size.
Enable transfer of files to more than one target.Enable transfer of files to more than one target.
Investigate the potential for using the implementation for Investigate the potential for using the implementation for disaster recovery.disaster recovery.
4/13/2007 7Master's Project Proposal
Test-BedTest-Bed
The test-bed shown below was created for the previous The test-bed shown below was created for the previous research, it will be utilized and added to for the current research, it will be utilized and added to for the current project.project.
ISCSI InitiatorISCSI Initiator ISCSI Target ISCSI TargetIP = 128.198.61.92IP = 128.198.61.92 IP = 128.198.61.93 IP = 128.198.61.93Linux: 2.6.12.1Linux: 2.6.12.1 Linux: 2.6.12.1 Linux: 2.6.12.1open-iscsi 0.4-434open-iscsi 0.4-434 iscsitarget-0.4.11 iscsitarget-0.4.11
4/13/2007 8Master's Project Proposal
Graphical User InterfaceGraphical User Interface
Configuration of the current implementation is quite Configuration of the current implementation is quite complex.complex.
Use of a GUI would simplify the process.Use of a GUI would simplify the process.
Simplify key generation and storage.Simplify key generation and storage.
User interface could be used for actual file transfers in User interface could be used for actual file transfers in addition to system configuration.addition to system configuration.
Python will be used to generate the GUIs.Python will be used to generate the GUIs.
4/13/2007 9Master's Project Proposal
Example of Key Generation GUIExample of Key Generation GUI
4/13/2007 10Master's Project Proposal
Transfer of Files of Arbitrary SizeTransfer of Files of Arbitrary Size
Current implementation is limited to the transfer of files in Current implementation is limited to the transfer of files in multiples of 1024 bytes.multiples of 1024 bytes.
Transfer of files of arbitrary size is essential to make the Transfer of files of arbitrary size is essential to make the implementation truly viable.implementation truly viable.
The issue to be solved is padding the files such that The issue to be solved is padding the files such that problems do not arise at the iSCSI layer on the target.problems do not arise at the iSCSI layer on the target.
4/13/2007 11Master's Project Proposal
Transfer of Files to Multiple TargetsTransfer of Files to Multiple Targets
Current implementation allows transfer to one target.Current implementation allows transfer to one target.
Ability to transfer to multiple targets is beneficial.Ability to transfer to multiple targets is beneficial.
Issues to be addressedIssues to be addressed Can the same keys be used for multiple transfers.Can the same keys be used for multiple transfers. For security would different keys be better.For security would different keys be better.
4/13/2007 12Master's Project Proposal
Potential Usage for Disaster Potential Usage for Disaster RecoveryRecovery
In view of Government regulations regarding security, privacy In view of Government regulations regarding security, privacy and accountability of stored data, disaster recovery is of and accountability of stored data, disaster recovery is of increased importance.increased importance.
For security, the current implementation does not share For security, the current implementation does not share the key for encrypting the payload.the key for encrypting the payload.
For disaster recovery this is a problem if the initiator is For disaster recovery this is a problem if the initiator is destroyed.destroyed.
No way to decrypt the payload.No way to decrypt the payload.
Is there a way around this?Is there a way around this?
4/13/2007 13Master's Project Proposal
ToolsTools
UltimateP2VUltimateP2V To produce virtual machine images of the siscsi and To produce virtual machine images of the siscsi and
starget test-bed machines for use on VMWare.starget test-bed machines for use on VMWare.
VMWare ServerVMWare Server Virtual machines on which to develop and test the Virtual machines on which to develop and test the
implementation.implementation.
PythonPython For generation of the graphical user interfaces.For generation of the graphical user interfaces.
4/13/2007 14Master's Project Proposal
Project DeliverablesProject Deliverables
Project Proposal (this document).Project Proposal (this document). GUI’s for configuration of initiator and target GUI’s for configuration of initiator and target
machines.machines. User manuals for GUIs.User manuals for GUIs. Completed implementationCompleted implementation
Code for transfer of files of arbitrary sizeCode for transfer of files of arbitrary size Code for transfer of files to multiple targetsCode for transfer of files to multiple targets
Potential solutions for implementation of disaster Potential solutions for implementation of disaster recovery.recovery.
Final project report and presentationFinal project report and presentation
4/13/2007 15Master's Project Proposal
Project Proposed ScheduleProject Proposed Schedule
Project ProposalProject Proposal 24 April 24 April 20072007
Configuration GUIsConfiguration GUIs 8 May 8 May 20072007
Arbitrary Size File Transfer CodeArbitrary Size File Transfer Code 29 May 29 May 20072007
Transfer to Multiple Target CodeTransfer to Multiple Target Code 11 June 11 June 20072007
Investigation into feasibility of disaster recoveryInvestigation into feasibility of disaster recovery 18 June 200718 June 2007 Final Project ReportFinal Project Report 18 June 18 June
20072007 Presentation MaterialsPresentation Materials 25 June 200725 June 2007
4/13/2007 16Master's Project Proposal
ResearchResearch
Interaction of SCSI and iSCSI for transfer of files over Interaction of SCSI and iSCSI for transfer of files over TCP/IP.TCP/IP.
Understand how IPSec ESP is implemented and Understand how IPSec ESP is implemented and changes added in previous research.changes added in previous research.
Understanding of UltimateP2V to create virtual machine Understanding of UltimateP2V to create virtual machine images.images.
Understanding VMWare for installation and use of virtual Understanding VMWare for installation and use of virtual machines.machines.
4/13/2007 17Master's Project Proposal
Questions?Questions?Recommendations?Recommendations?
4/13/2007 18Master's Project Proposal
ReferencesReferences1.1. Ensuring Data Integrity: Logical Data Protection for Tape Systems,Ensuring Data Integrity: Logical Data Protection for Tape Systems,
http://www.crossroads.com/Library/WhitePapers/FeaturedWhitePapers.asphttp://www.crossroads.com/Library/WhitePapers/FeaturedWhitePapers.asp
2.2. HIPAA. Health Insurance Portability and Accountability Act 1996,HIPAA. Health Insurance Portability and Accountability Act 1996,http://http://www.legalarchiver.org/hipaa.htmwww.legalarchiver.org/hipaa.htm
3.3. The Sarbanes-Oxley Act 2002, The Sarbanes-Oxley Act 2002, http://http://www.legalarchiver.ord/soa.htmwww.legalarchiver.ord/soa.htm
4.4. Andrew Hiles, Surviving a Computer Disaster, Engineering Management Journal, December 1992Andrew Hiles, Surviving a Computer Disaster, Engineering Management Journal, December 1992
5.5. iSCSI for Storage Networking, iSCSI for Storage Networking, http://www.snia.org/tech_activities/ip_storage/iSCSI_for_Storage_Networking.pdfhttp://www.snia.org/tech_activities/ip_storage/iSCSI_for_Storage_Networking.pdf
6.6. Fibre Channel – Overview of the Technology, Fibre Channel – Overview of the Technology, http://http://www.fibrechannel.org/technology/overview.htmlwww.fibrechannel.org/technology/overview.html
7.7. Ulf Troppens, Rainer Erkens and Wolfgang Müller, Storage Networks Explained: Basics and Application of Fibre Ulf Troppens, Rainer Erkens and Wolfgang Müller, Storage Networks Explained: Basics and Application of Fibre Channel SAN, NAS, iSCSI and InfiniBand, 2004, Wiley & Sons Ltd, ISBN: 978-0-470-86182-0Channel SAN, NAS, iSCSI and InfiniBand, 2004, Wiley & Sons Ltd, ISBN: 978-0-470-86182-0
8.8. Jane Shurtleff, IP Storage: A Review of iSCSI, FCIP, iFCP, Jane Shurtleff, IP Storage: A Review of iSCSI, FCIP, iFCP, http://www.iscsistorage.com/ipstorage.htmhttp://www.iscsistorage.com/ipstorage.htm
9.9. Murthy S. Andukuri, Efficient Asymmetric Secure iSCSI, Murthy S. Andukuri, Efficient Asymmetric Secure iSCSI, http://cs.uccs.edu/~gsc/pub/master/msanduku/doc/report_final.dochttp://cs.uccs.edu/~gsc/pub/master/msanduku/doc/report_final.doc
10.10. Marc Farley, Storage Networking Fundamentals: An Introduction to Storage Devices, Subsystems, Applications, Marc Farley, Storage Networking Fundamentals: An Introduction to Storage Devices, Subsystems, Applications, Management, and File Systems, Cisco Press, 2005, ISBN 1-58705-162-1Management, and File Systems, Cisco Press, 2005, ISBN 1-58705-162-1
11.11. Thomas C. Jepsen, Distributed Storage Networks: Architecture, Protocols and Management, 2003, Wiley & Sons Thomas C. Jepsen, Distributed Storage Networks: Architecture, Protocols and Management, 2003, Wiley & Sons Ltd, ISBN:0-470-85020-5Ltd, ISBN:0-470-85020-5
4/13/2007 19Master's Project Proposal
References (continued)References (continued)12.12. Ulf Troppens, Rainer Erkens and Wolfgang Müller, Storage Networks Explained: Basics and Application of Fibre Ulf Troppens, Rainer Erkens and Wolfgang Müller, Storage Networks Explained: Basics and Application of Fibre
Channel SAN, NAS, iSCSI and InfiniBand, 2004, Wiley & Sons Ltd, ISBN: 978-0-470-86182-0Channel SAN, NAS, iSCSI and InfiniBand, 2004, Wiley & Sons Ltd, ISBN: 978-0-470-86182-0
13.13. Yingping Lu and David H. C. Du, Performance Study of iSCSI-Based Storage Subsystems, IEEE Yingping Lu and David H. C. Du, Performance Study of iSCSI-Based Storage Subsystems, IEEE Communications Magazine, August 2003, pp 76-82Communications Magazine, August 2003, pp 76-82
14.14. John L. Hufferd, iSCSI The Universal Storage Connection, Addison Wesley, 2003, ISBN: 0-201-78419-XJohn L. Hufferd, iSCSI The Universal Storage Connection, Addison Wesley, 2003, ISBN: 0-201-78419-X
15.15. iSCSI Technical White Paper, SNIA IP Storage Forum, iSCSI Technical White Paper, SNIA IP Storage Forum, http://www.snia.org/tech_activities/ip_storage/iSCSI_Technical_whitepaper.PDFhttp://www.snia.org/tech_activities/ip_storage/iSCSI_Technical_whitepaper.PDF
16.16. Integration Scenarios for iSCSI and Fibre Channel. SNIA IP Storage Forum,Integration Scenarios for iSCSI and Fibre Channel. SNIA IP Storage Forum,http://www.snia.org/tech_activities/ip_storage/iSCSI_FC_Integration_IPS.pdfhttp://www.snia.org/tech_activities/ip_storage/iSCSI_FC_Integration_IPS.pdf
17.17. Shuang-Yi Tang, Ying-Pang Lu and David H. C. Du, Performance Study of Software-Based iSCSI Security, Shuang-Yi Tang, Ying-Pang Lu and David H. C. Du, Performance Study of Software-Based iSCSI Security, Proceedings of the First International IEEE Security in Storage Workshop (SISW ’02)Proceedings of the First International IEEE Security in Storage Workshop (SISW ’02)
18.18. Friedhelm Schmidt, SCSI Bus and IDE Interface – Protocols, Applications and Programming, Addison-Wesley, Friedhelm Schmidt, SCSI Bus and IDE Interface – Protocols, Applications and Programming, Addison-Wesley, 1995, ISBN: 0201422840 1995, ISBN: 0201422840
19.19. Irina Gerasimov, Alexey Zhuravlev, Mikhail Pershin and Dennis V. Gerasimov, Design and Implementation of a Irina Gerasimov, Alexey Zhuravlev, Mikhail Pershin and Dennis V. Gerasimov, Design and Implementation of a Block Storage Multi-Protocol Converter, Proceedings of the 20th IEEE/11th NASA Goddard Conference on Block Storage Multi-Protocol Converter, Proceedings of the 20th IEEE/11th NASA Goddard Conference on Mass Storage Systems and Technologies (MSS’03)Mass Storage Systems and Technologies (MSS’03)
A Conceptual Overview of iSCSI, http://docs.hp.com/en/6278/iSCSI_OV_whitepaper.pdfA Conceptual Overview of iSCSI, http://docs.hp.com/en/6278/iSCSI_OV_whitepaper.pdf
4/13/2007 20Master's Project Proposal
References (continued)References (continued)
21.21. iSCSI Protocol Concepts and Implementation, iSCSI Protocol Concepts and Implementation, http://www.cisco.com/en/US/netsol/ns340/ns394/ns224/ns378/http://www.cisco.com/en/US/netsol/ns340/ns394/ns224/ns378/networking_solutions_white_paper09186a00800a90e4.shtmlnetworking_solutions_white_paper09186a00800a90e4.shtml
22.22. iSCSI Building Blocks for IP Storage Networking, iSCSI Building Blocks for IP Storage Networking, http://www.snia.org/tech_activities/ip_storage/iscsi/iSCSI_Building_Blocks_01.pdfhttp://www.snia.org/tech_activities/ip_storage/iscsi/iSCSI_Building_Blocks_01.pdf
4/13/2007 Master's Project Proposal 21
Additional SlidesAdditional Slides
4/13/2007 22Master's Project Proposal
SCSI (Small Computer Systems Interface)SCSI (Small Computer Systems Interface)
Standard device interface bus for I/O Standard device interface bus for I/O providing both storing and connecting providing both storing and connecting functions.functions.
Dominant storage protocol for many years.Dominant storage protocol for many years. Limitations:Limitations:
Distance over which it can be used (several Distance over which it can be used (several meters).meters).
Scalability (limited number of devices on a Scalability (limited number of devices on a bus).bus).
4/13/2007 23Master's Project Proposal
Basic SCSI ArchitectureBasic SCSI Architecture
4/13/2007 24Master's Project Proposal
iSCSIiSCSI
End-to-end protocol to enable transportation of End-to-end protocol to enable transportation of storage I/O block data over IP networks.storage I/O block data over IP networks.
Utilizing TCP an IP, iSCSI facilitates remote Utilizing TCP an IP, iSCSI facilitates remote backup, storage and data mirroringbackup, storage and data mirroring
Utilizes SCSI commands in its implementation.Utilizes SCSI commands in its implementation. Can be implemented using a number of HBA’s:Can be implemented using a number of HBA’s:
SoftwareSoftware Software with TCP Off-loadSoftware with TCP Off-load Silicon with TCP Off-loadSilicon with TCP Off-load
4/13/2007 25Master's Project Proposal
iSCSI Protocol Layering ModeliSCSI Protocol Layering Model