250 likes | 482 Vues
Secure Asymmetric iSCSI For Online Storage. Sarah A. Summers Project Proposal Master of Science in Computer Science University of Colorado, Colorado Springs. Introduction. Explosion in data growth has given rise to need for increased storage capabilities.
E N D
Secure Asymmetric iSCSI For Online Storage Sarah A. Summers Project Proposal Master of Science in Computer Science University of Colorado, Colorado Springs Master's Project Proposal
Introduction • Explosion in data growth has given rise to need for increased storage capabilities. • Increased use of online storage solutions such as iSCSI. • Storage solutions must provide security, privacy and accountability in line with Government regulations (SOX and HIPAA). • Standard iSCSI in combination with IPSec provides security only during transport. Master's Project Proposal
Goals • Enhance the existing Efficient Asymmetric Secure iSCSI implementation. • Produce an implementation that is more complete and user friendly. • Investigate the possibilities of using the implementation for disaster recovery. Master's Project Proposal
Efficient Asymmetric Secure iSCSI Andukuri proposed an Efficient Asymmetric Secure iSCSI scheme to address security of data during transport and when in place on target. • Dual-key asymmetric cryptographic enhancement of IPSec. • Payload encrypted with custom key (not shared with target). • Packet encrypted with IPSec ESP for transportation. • Packet decrypted at target. • Payload stored in encrypted from on target. Master's Project Proposal
Efficient Asymmetric Secure iSCSI Implementation Master's Project Proposal
Project Proposal and Scope The current implementation is a prototype, as such improvements are possible. By examining the implementation and associated thesis, the following areas have been identified for enhancement/addition. • Add Graphical User Interface for easier configuration. • Enable the transfer of files of arbitrary size. • Enable transfer of files to more than one target. • Investigate the potential for using the implementation for disaster recovery. Master's Project Proposal
Test-Bed The test-bed shown below was created for the previous research, it will be utilized and added to for the current project. ISCSI Initiator ISCSI Target IP = 128.198.61.92 IP = 128.198.61.93 Linux: 2.6.12.1 Linux: 2.6.12.1 open-iscsi 0.4-434 iscsitarget-0.4.11 Master's Project Proposal
Graphical User Interface • Configuration of the current implementation is quite complex. • Use of a GUI would simplify the process. • Simplify key generation and storage. • User interface could be used for actual file transfers in addition to system configuration. • Python will be used to generate the GUIs. Master's Project Proposal
Example of Key Generation GUI Master's Project Proposal
Transfer of Files of Arbitrary Size • Current implementation is limited to the transfer of files in multiples of 1024 bytes. • Transfer of files of arbitrary size is essential to make the implementation truly viable. • The issue to be solved is padding the files such that problems do not arise at the iSCSI layer on the target. Master's Project Proposal
Transfer of Files to Multiple Targets • Current implementation allows transfer to one target. • Ability to transfer to multiple targets is beneficial. • Issues to be addressed • Can the same keys be used for multiple transfers. • For security would different keys be better. Master's Project Proposal
Potential Usage for Disaster Recovery In view of Government regulations regarding security, privacy and accountability of stored data, disaster recovery is of increased importance. • For security, the current implementation does not share the key for encrypting the payload. • For disaster recovery this is a problem if the initiator is destroyed. • No way to decrypt the payload. • Is there a way around this? Master's Project Proposal
Tools • UltimateP2V • To produce virtual machine images of the siscsi and starget test-bed machines for use on VMWare. • VMWare Server • Virtual machines on which to develop and test the implementation. • Python • For generation of the graphical user interfaces. Master's Project Proposal
Project Deliverables • Project Proposal (this document). • GUI’s for configuration of initiator and target machines. • User manuals for GUIs. • Completed implementation • Code for transfer of files of arbitrary size • Code for transfer of files to multiple targets • Potential solutions for implementation of disaster recovery. • Final project report and presentation Master's Project Proposal
Project Proposed Schedule • Project Proposal 24 April 2007 • Configuration GUIs 8 May 2007 • Arbitrary Size File Transfer Code 29 May 2007 • Transfer to Multiple Target Code 11 June 2007 • Investigation into feasibility of disaster recovery 18 June 2007 • Final Project Report 18 June 2007 • Presentation Materials 25 June 2007 Master's Project Proposal
Research • Interaction of SCSI and iSCSI for transfer of files over TCP/IP. • Understand how IPSec ESP is implemented and changes added in previous research. • Understanding of UltimateP2V to create virtual machine images. • Understanding VMWare for installation and use of virtual machines. Master's Project Proposal
Questions?Recommendations? Master's Project Proposal
References • Ensuring Data Integrity: Logical Data Protection for Tape Systems, http://www.crossroads.com/Library/WhitePapers/FeaturedWhitePapers.asp • HIPAA. Health Insurance Portability and Accountability Act 1996, http://www.legalarchiver.org/hipaa.htm • The Sarbanes-Oxley Act 2002, http://www.legalarchiver.ord/soa.htm • Andrew Hiles, Surviving a Computer Disaster, Engineering Management Journal, December 1992 • iSCSI for Storage Networking, http://www.snia.org/tech_activities/ip_storage/iSCSI_for_Storage_Networking.pdf • Fibre Channel – Overview of the Technology, http://www.fibrechannel.org/technology/overview.html • Ulf Troppens, Rainer Erkens and Wolfgang Müller, Storage Networks Explained: Basics and Application of Fibre Channel SAN, NAS, iSCSI and InfiniBand, 2004, Wiley & Sons Ltd, ISBN: 978-0-470-86182-0 • Jane Shurtleff, IP Storage: A Review of iSCSI, FCIP, iFCP, http://www.iscsistorage.com/ipstorage.htm • Murthy S. Andukuri, Efficient Asymmetric Secure iSCSI, http://cs.uccs.edu/~gsc/pub/master/msanduku/doc/report_final.doc • Marc Farley, Storage Networking Fundamentals: An Introduction to Storage Devices, Subsystems, Applications, Management, and File Systems, Cisco Press, 2005, ISBN 1-58705-162-1 • Thomas C. Jepsen, Distributed Storage Networks: Architecture, Protocols and Management, 2003, Wiley & Sons Ltd, ISBN:0-470-85020-5 Master's Project Proposal
References (continued) • Ulf Troppens, Rainer Erkens and Wolfgang Müller, Storage Networks Explained: Basics and Application of Fibre Channel SAN, NAS, iSCSI and InfiniBand, 2004, Wiley & Sons Ltd, ISBN: 978-0-470-86182-0 • Yingping Lu and David H. C. Du, Performance Study of iSCSI-Based Storage Subsystems, IEEE Communications Magazine, August 2003, pp 76-82 • John L. Hufferd, iSCSI The Universal Storage Connection, Addison Wesley, 2003, ISBN: 0-201-78419-X • iSCSI Technical White Paper, SNIA IP Storage Forum, http://www.snia.org/tech_activities/ip_storage/iSCSI_Technical_whitepaper.PDF • Integration Scenarios for iSCSI and Fibre Channel. SNIA IP Storage Forum, http://www.snia.org/tech_activities/ip_storage/iSCSI_FC_Integration_IPS.pdf • Shuang-Yi Tang, Ying-Pang Lu and David H. C. Du, Performance Study of Software-Based iSCSI Security, Proceedings of the First International IEEE Security in Storage Workshop (SISW ’02) • Friedhelm Schmidt, SCSI Bus and IDE Interface – Protocols, Applications and Programming, Addison-Wesley, 1995, ISBN: 0201422840 • Irina Gerasimov, Alexey Zhuravlev, Mikhail Pershin and Dennis V. Gerasimov, Design and Implementation of a Block Storage Multi-Protocol Converter, Proceedings of the 20th IEEE/11th NASA Goddard Conference on Mass Storage Systems and Technologies (MSS’03) • A Conceptual Overview of iSCSI, http://docs.hp.com/en/6278/iSCSI_OV_whitepaper.pdf Master's Project Proposal
References (continued) • iSCSI Protocol Concepts and Implementation, http://www.cisco.com/en/US/netsol/ns340/ns394/ns224/ns378/networking_solutions_white_paper09186a00800a90e4.shtml • iSCSI Building Blocks for IP Storage Networking, http://www.snia.org/tech_activities/ip_storage/iscsi/iSCSI_Building_Blocks_01.pdf Master's Project Proposal
Additional Slides Master's Project Proposal
SCSI (Small Computer Systems Interface) • Standard device interface bus for I/O providing both storing and connecting functions. • Dominant storage protocol for many years. • Limitations: • Distance over which it can be used (several meters). • Scalability (limited number of devices on a bus). Master's Project Proposal
Basic SCSI Architecture Master's Project Proposal
iSCSI • End-to-end protocol to enable transportation of storage I/O block data over IP networks. • Utilizing TCP an IP, iSCSI facilitates remote backup, storage and data mirroring • Utilizes SCSI commands in its implementation. • Can be implemented using a number of HBA’s: • Software • Software with TCP Off-load • Silicon with TCP Off-load Master's Project Proposal
iSCSI Protocol Layering Model Master's Project Proposal