
Secure Asymmetric iSCSI For Online Storage

Secure Asymmetric iSCSI For Online Storage. Sarah A. Summers. Outline of Presentation. Goals of the Project Overview of SCSI, iSCSI and IPsec Review of Efficient Asymmetric Secure iSCSI Testing of Efficient Asymmetric Secure iSCSI Motivation for Enhancements Proposed Enhancements


Presentation Transcript


  1. Secure Asymmetric iSCSI For Online Storage Sarah A. Summers Summers - SAiSCSI

  2. Outline of Presentation
     • Goals of the Project
     • Overview of SCSI, iSCSI and IPsec
     • Review of Efficient Asymmetric Secure iSCSI
     • Testing of Efficient Asymmetric Secure iSCSI
     • Motivation for Enhancements
     • Proposed Enhancements
     • Results
     • Disaster Recovery
     • Additional Research
     • Lessons Learnt, Future Work, Conclusions

  3. Goals
     • Enhance the existing Efficient Asymmetric Secure iSCSI scheme to:
        • Enable the transfer of files of arbitrary size
        • Allow files to be transferred to two target storage devices for mirroring and backup
     • Develop and implement a user interface to simplify usage of the scheme
     • Consider the use of the scheme for disaster recovery

  4. Overview of SCSI, iSCSI and IPsec

  5. SCSI: Application Layer Storage Protocol
     • Standard device interface bus enabling block data I/O
     • Logically addresses blocks
     • Utilizes a client/server (initiator/target) architecture
     • Data transferred in Command Descriptor Blocks
     • Limitations
        • Length of SCSI bus limits distance over which SCSI can operate
        • Limited number of devices can be connected to it

  6. iSCSI: End-to-end protocol to enable transportation of storage I/O block data over IP networks
     • Maps SCSI functionality to the TCP/IP protocol
     • SCSI CDBs encapsulated in iSCSI Protocol Data Units
     • Can be implemented in software and hardware
     • Limitations
        • No built-in security; relies on IPsec

  7. IPsec: Extension of the IP protocol that provides security to IP and upper layers of the OSI model
     • Encapsulating Security Protocol (ESP): provides confidentiality and optionally authentication
     • Performs 3 basic steps
        • Header calculation and placement
        • Trailer calculation and placement
        • ESP authentication field calculation and placement
     • Internet Key Exchange (IKE)
     • Transport Mode

  8. sg3_utils
     • Package containing low level utilities for devices using the SCSI command set
     • Utilizes the sg interface
     • sg_dd is a variant of the dd command, specialized for block oriented devices that use the SCSI command set
     • Example invocation (bpt = blocks per transfer, odir = use O_DIRECT on the output):
           sg_dd if=test.txt of=/dev/sda bpt=1 odir=1 skip=0 seek=0

  9. Review of Efficient Asymmetric Secure iSCSI

  10. Efficient Asymmetric Secure iSCSI
     • Utilizes the sg_dd command to achieve the transfer of files between initiator and target
     • Dual key cryptographic enhancement to IPsec
        • Custom key to encrypt data
        • IKE generated keys to encrypt headers

  11. EASI Packet Modification

  12. Testing of Efficient Asymmetric Secure iSCSI

  13. VMware Virtual Machine Test Bed

  14. Limitations of the Existing Scheme
     • User data must be an integer multiple of block size (1024 bytes)
     • Target Storage File Limitations
        • Only one file can be stored at a time
        • Pre-set size of target storage file limits the size of the user data that can be stored
     • sg_dd Utility Limitation
        • Count and block size values must be specified when issuing the sg_dd command
     • Reading data from the target using the cp utility results in the entire target file being retrieved
     • Mounting of a target storage disk is not possible with the existing implementation

  15. Motivations for Enhancements
     • Bring existing implementation closer to a complete and usable secure data transfer/storage system
     • Allow transfer of files of arbitrary size
     • Allow duplicate transfer of files to second target storage device
     • Relative complexity of existing scheme in terms of user interaction

  16. Proposed Enhancements

  17. Secure Asymmetric iSCSI For Online Storage Enhancements
     • Enhancements to the sg_dd utility to:
        • Transfer files of arbitrary size
        • Transfer to two targets
     • Graphical User Interface
        • Initiator interface
        • Target interface

  18. Implementation Logic for Arbitrary File Transfer
     • Set block_size = 1024
     • If input_file != target_storage_device:
        • Determine size of file in bytes
        • Round the size up to the next multiple of block_size:
              if ((size % 1024) != 0) {
                  while ((size % 1024) != 0) { size++; }
              }
        • count = size / 1024
        • Create CDB using count value

  19. Implementation Logic for File Transfer to Two Targets
     • Set block_size = 1024
     • If (second output file == TRUE) {
           Determine device type
           Determine number of blocks in second target
           Create command descriptor block for second target
       } else set second output file to be /dev/null
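As an added illustration (this is not code from the presentation or from its modified sg_dd), the following Python reproduces the logic of slides 18 and 19: the file size is rounded up to a multiple of the 1024-byte block, the resulting count goes into the transfer-length field of a SCSI WRITE(10) CDB, and the second output defaults to /dev/null when no second target is given. Function names, the sample sizes and the /dev/sdb second target are assumptions made for this example.

```python
# Added example, not the presentation's own code: the padding, count and
# second-target logic of slides 18 and 19 in Python. Function names and the
# sample values are assumptions made for this illustration.

BLOCK_SIZE = 1024  # block size used by the EASI scheme (slide 18)


def padded_size(size_in_bytes):
    """Round a file size up to the next multiple of BLOCK_SIZE.

    Slide 18 does this with a loop that increments size until
    size % 1024 == 0; the arithmetic below gives the same result.
    """
    remainder = size_in_bytes % BLOCK_SIZE
    if remainder == 0:
        return size_in_bytes
    return size_in_bytes + (BLOCK_SIZE - remainder)


def block_count(size_in_bytes):
    """The sg_dd 'count' value: number of whole blocks after padding."""
    return padded_size(size_in_bytes) // BLOCK_SIZE


def build_write10_cdb(lba, transfer_length):
    """Build a 10-byte SCSI WRITE(10) Command Descriptor Block.

    Layout: opcode 0x2A, flags byte, 4-byte logical block address,
    group number, 2-byte transfer length in blocks, control byte
    (multi-byte fields big-endian). The count derived above is what
    goes into the transfer-length field.
    """
    if not 0 <= lba <= 0xFFFFFFFF:
        raise ValueError("WRITE(10) LBA must fit in 32 bits")
    if not 0 <= transfer_length <= 0xFFFF:
        raise ValueError("WRITE(10) transfer length must fit in 16 bits")
    return (bytes([0x2A, 0x00])
            + lba.to_bytes(4, "big")
            + bytes([0x00])
            + transfer_length.to_bytes(2, "big")
            + bytes([0x00]))


def plan_transfer(size_in_bytes, second_target=None):
    """Combine slides 18 and 19 for one file.

    When no second output file is given the second copy is sent to
    /dev/null, as the slide does, so one code path handles both the
    one-target and two-target cases.
    """
    count = block_count(size_in_bytes)
    return {
        "padded_size": padded_size(size_in_bytes),
        "count": count,
        "cdb": build_write10_cdb(0, count),
        "second_output": second_target if second_target else "/dev/null",
    }


def sg_dd_args(input_file, target, count):
    """Argument vector for a standard sg_dd invocation (if=, of=, bs= and
    count= are documented sg_dd options); the second-target option the
    presentation added to sg_dd is not reproduced here."""
    return ["sg_dd", f"if={input_file}", f"of={target}",
            f"bs={BLOCK_SIZE}", f"count={count}"]


if __name__ == "__main__":
    # Constructed sample: a 1500-byte file mirrored to a hypothetical /dev/sdb
    plan = plan_transfer(1500, "/dev/sdb")
    print(plan["count"], plan["padded_size"], plan["cdb"].hex(), plan["second_output"])
    print(" ".join(sg_dd_args("test.txt", "/dev/sda", plan["count"])))
```

Note what the padding does not do: only the rounded-up count is carried in the CDB, not the original byte length, so the last block contains whatever follows the end of the file and the reader must still supply the count when retrieving the data. That is exactly the limitation the conclusions slide records when it says true arbitrary file transfer is not achieved.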

  20. File Transfer Performance Results

  21. Comparison Data for Transfer of Arbitrary Sized Files

  22. Comparison Data for Transfer to Two Targets

  23. User Interface

  24. User Interface
     • Developed and implemented using Python and Tkinter
     • Comprised of two components
        • Initiator Interface
        • Target Interface

  25. User Interface Screenshots

  26. Initiator Interface Functionality
     • Generate IPsec keys
     • Generate SAD and SPD entries
     • Start initiator software
     • Login/Logout to/from the target(s)
     • Transfer user data to target storage
     • Retrieve user data from target storage

  27. Target Interface Functionality
     • Create additional target storage file(s)
     • Configure ietd.conf file for additional target(s)
     • Generate SAD and SPD entries
     • Start/stop iscsitarget software

  28. Secure Asymmetric iSCSI for Disaster Recovery
     • HIPAA and SOX require security, privacy and accountability of data
     • Standard online storage techniques may not be sufficient
     • Secure Asymmetric iSCSI for online storage may be the solution
     • Secure storage of custom key
        • Initiator and custom key can be duplicated
        • Store key with trusted third party

  29. Additional Research

  30. Mounting a Target Storage Device
     • Network Protocol Analyzer (Wireshark) Results
        • Discovery: only iSCSI/SCSI commands issued
        • Login: iSCSI/SCSI Read and PDU but PUSH flag not set
        • Mounting results in the issuing of iSCSI/SCSI Writes and Reads
        • iSCSI/SCSI Writes/Reads interpreted by EASI as file transfers
     • strace of mount command
        • Kernel reads file system information, which results in invocation of iSCSI/SCSI commands

  31. Using cp to Transfer to a Mounted Storage Device
     • Writing to Target
        • Various iSCSI/SCSI Writes and Data-Out PDUs
        • In addition to user payload, file and directory structure of storage device written
     • Reading from Target
        • Various iSCSI/SCSI Reads and Writes
        • Plain vanilla TCP packet after first iSCSI/SCSI Read contains names of directories and files currently on target storage
        • Unidentified data in some Data-Out PDUs

  32. Lessons Learnt/Observations
     • sg_dd uses defaults of stdin for input file and stdout for output file
        • If no output is required, use /dev/null
     • Linux kernel, open-iscsi and iscsitarget are under constant development
        • Therefore changes to this code need to be incorporated in new releases
     • Wireshark and Ethereal appear to interpret/display identical log files in a different manner
     • Retrieving data from target using sg_dd requires count value to be specified

  33. Future Directions
     • Modify the EASI scheme to use the most current Linux kernel version, open-iscsi and iscsitarget code
     • Re-implement the EASI scheme in a way that a mounted target storage disk can be used
     • Simplify the setup and use of the implementation through the development of an API
     • Enhance the implementation to utilize a dynamic method, such as ‘racoon’, for establishing security associations between the initiator and target

  34. Conclusions
     • Enhancements to the sg_dd utility have enabled:
        • Simulated transfer of files of arbitrary size
        • Transfer of files to two targets
     • Graphical user interface simplifies user interaction:
        • Generating keys for the encryption of the headers has been simplified
        • Interaction with the initiator and target software has been simplified
        • Writing and reading user data to/from the target has been simplified
     • Limitations
        • Arbitrary file transfer still requires user to specify a count value when reading data from target storage
        • True arbitrary file transfer is not achieved

  35. ADDITIONAL SLIDES

  36. SCSI Command Descriptor Block

  37. Phases of SCSI I/O Operation
     3 main phases:
     • Command
        • Initiator sends command and parameters to the target in a CDB
     • Data
        • Data is transferred in accordance with command issued in CDB
     • Status
        • Target returns status confirming that the command was received and executed

  38. SCSI Architecture in Linux Kernel

  39. General Structure of iSCSI PDU

  40. iSCSI PDU Basic Header Segment

  41. iSCSI Protocol Layering Model

  42. Data Encapsulation

  43. Open-iSCSI
     Open source software implementation of iSCSI initiator
     • Kernel Portion
        • iSCSI data path
     • User Portion
        • Control path of iSCSI
        • Management facilities
     • Release used in EASI: open-iscsi-0.4-423
     • Current Release: open-iscsi-2.0-869.2

  44. iscsitarget
     Open source software implementation of iSCSI target
     • Kernel Portion
     • User Portion
     • Release used in EASI: iscsitarget-0.4.11
     • Current Release: iscsitarget-0.4.16

  45. Packet for IPsec Transport Mode

  46. Write Processing on the Target
     • Identify iSCSI traffic
     • Identify packets containing user data
     • Decrypt packets not containing user data
     • Process packets containing user data


  48. Read Processing on the Target
     • Identify iSCSI traffic: source port 3260
     • Determine if iSCSI packet contains user data
     • Encrypt packets not containing user data
     • Encrypt packets containing user data

  49. Read Processing on the Initiator
     • Identify iSCSI traffic
     • Determine if packet contains user data
     • Decrypt packets containing user data
     • Decrypt packets not containing user data
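The first two steps on slides 46 to 49 (identify iSCSI traffic, decide whether the packet carries user data) are the decision the whole EASI scheme hinges on, since slide 10 applies the custom key to data and the IKE-generated keys to headers. As an added example, not code from the presentation, the Python below decodes the fields of the 48-byte iSCSI Basic Header Segment (slide 40) that the decision needs and classifies a PDU the way those slides describe. Field offsets and opcode values follow RFC 3720; the function names, the task tag and the sample PDUs are constructed for this illustration.

```python
# Added example, not the presentation's own code: a minimal parser for the
# 48-byte iSCSI Basic Header Segment and the "is this iSCSI, and does it
# carry user data?" decision of slides 46-49. Field offsets and opcode
# values follow RFC 3720; function names and sample PDUs are constructed.
import struct

ISCSI_PORT = 3260   # well-known iSCSI TCP port (slide 48)
BHS_LEN = 48        # Basic Header Segment length

# Opcode values (low 6 bits of byte 0 of the BHS)
OPCODE_NAMES = {
    0x00: "NOP-Out", 0x01: "SCSI Command", 0x03: "Login Request",
    0x04: "Text Request", 0x05: "SCSI Data-Out", 0x06: "Logout Request",
    0x20: "NOP-In", 0x21: "SCSI Response", 0x23: "Login Response",
    0x24: "Text Response", 0x25: "SCSI Data-In", 0x26: "Logout Response",
}
SCSI_COMMAND, SCSI_DATA_OUT, SCSI_DATA_IN = 0x01, 0x05, 0x25


def is_iscsi_traffic(src_port, dst_port):
    """Step 1 of slides 46-49: iSCSI traffic is picked out by port 3260."""
    return ISCSI_PORT in (src_port, dst_port)


def parse_bhs(pdu):
    """Decode the BHS fields needed for classification."""
    if len(pdu) < BHS_LEN:
        raise ValueError("PDU shorter than the 48-byte Basic Header Segment")
    opcode = pdu[0] & 0x3F
    return {
        "opcode": opcode,
        "opcode_name": OPCODE_NAMES.get(opcode, "unknown"),
        "immediate": bool(pdu[0] & 0x40),          # I bit
        "final": bool(pdu[1] & 0x80),              # F bit
        "total_ahs_length": pdu[4],
        "data_segment_length": int.from_bytes(pdu[5:8], "big"),
        "initiator_task_tag": struct.unpack(">I", pdu[16:20])[0],
    }


def carries_user_data(header):
    """Step 2: Data-Out (writes) and Data-In (reads) carry the SCSI payload;
    a SCSI Command does so only when immediate data is attached. Login,
    Text, NOP and Response PDUs are header/control traffic."""
    if header["opcode"] in (SCSI_DATA_OUT, SCSI_DATA_IN, SCSI_COMMAND):
        return header["data_segment_length"] > 0
    return False


def classify(src_port, dst_port, payload):
    """Return the class the EASI processing steps branch on."""
    if not is_iscsi_traffic(src_port, dst_port):
        return "not-iscsi"
    if carries_user_data(parse_bhs(payload)):
        return "user-data"      # slide 10: the custom key covers this payload
    return "header-only"        # slide 10: IKE-generated keys cover this


def make_pdu(opcode, data=b"", immediate=False):
    """Construct a BHS plus data segment (padded to 4 bytes as RFC 3720
    requires) for the samples below; not a full PDU encoder."""
    bhs = bytearray(BHS_LEN)
    bhs[0] = opcode | (0x40 if immediate else 0)
    bhs[1] = 0x80                                   # F bit set
    bhs[5:8] = len(data).to_bytes(3, "big")
    bhs[16:20] = (0x1234).to_bytes(4, "big")        # constructed task tag
    return bytes(bhs) + data + b"\x00" * ((-len(data)) % 4)


if __name__ == "__main__":
    # Constructed samples: a login request, a 10-byte write, a command with immediate data
    for name, pdu in [("login", make_pdu(0x03)),
                      ("data-out", make_pdu(SCSI_DATA_OUT, b"A" * 10)),
                      ("cmd+imm", make_pdu(SCSI_COMMAND, b"B" * 1024, immediate=True))]:
        print(name, parse_bhs(pdu)["opcode_name"], classify(40000, ISCSI_PORT, pdu))
```

The classification is by PDU type rather than by inspecting the payload, which is the only reliable way to decide before decryption which of the two keys applies; it also explains the observation on slides 30 and 31 that the Reads and Writes a mounted file system generates are treated by EASI as file transfers, since they arrive as the same Data-In and Data-Out PDUs.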

  50. Comparison of Standard IPsec and EASI at Packet Level
