
Research And Implementation Of ISCSI-based IP SAN Security Mechanism

Posted on: 2009-12-31
Degree: Master
Type: Thesis
Country: China
Candidate: X Ren
Full Text: PDF
GTID: 2178360278980828
Subject: Computer application technology
Abstract/Summary:
With the rapid growth of storage capacity in many enterprises, the throughput and management model of traditional direct attached storage can no longer meet business needs. Storage Area Networks (SAN), with their ability to offer high performance and scalability for data access, are a promising solution to the demands on storage bandwidth, capacity and management. iSCSI-based IP Storage Area Networks (IP SAN), which transport I/O data blocks over IP networks, are becoming a mainstream technology for building SANs because of their low cost, convenience and openness. However, because they rely on TCP/IP networks for data transmission, the iSCSI protocol inherits all the problems associated with such networks. A major design challenge for IP SANs is to provide data integrity and confidentiality while data is transmitted over untrusted networks and stored on untrusted devices.

This thesis proposes an iSCSI-based IP SAN virtual encryption volume model that addresses these security problems. Encryption and decryption are embedded in the iSCSI layer at the initiator, and physical storage devices are mapped into virtual encryption volumes at the target. The model therefore protects data both in transit and at rest.

The model consists of an initiator and a target. At the initiator, a security module inserted into the iSCSI layer performs data encryption/decryption and HMAC computation/verification. A key lockbox mechanism is introduced so that data can be shared securely and the secret key is stored only in encrypted form. The target performs only access control and the virtualization that maps encryption volumes onto physical disks, so it does not pay the cost of encryption each time an I/O command is delivered. In addition, the additional header segment mechanism of the iSCSI protocol is explored to extend the iSCSI PDU format. Through this mechanism, the model defines the message exchange process and the state transitions for accessing application data and the security attributes of an encryption volume, thereby guaranteeing data confidentiality and integrity.

A prototype of the virtual encryption volume model integrated with the Linux SCSI subsystem was implemented. Security analysis and performance tests show that this security mechanism degrades storage access throughput only slightly and performs better than an IPSec-based mechanism.
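As an added illustration (not code from the thesis), the division of labour the abstract describes, in Python: the initiator's security module encrypts and then HMACs each data block with the tag bound to the logical block address, the key lockbox seals the volume keys under a passphrase-derived key, and the target only enforces access control and maps (volume, LBA) onto storage without ever holding a key. Assumptions: HMAC-SHA256 in counter mode stands in for the cipher the abstract does not name, and the PBKDF2 lockbox derivation, class names and sample values are constructed here.

```python
import hashlib, hmac, os, struct

NONCE_LEN, TAG_LEN = 16, 32

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 as a PRF in counter mode. A stand-in for the block cipher the
    abstract does not name, used only because the Python stdlib ships no AES."""
    return b"".join(hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
                    for i in range((length + 31) // 32))[:length]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class SecurityModule:
    """Initiator side: the iSCSI-layer module that encrypts and MACs each data block."""
    def __init__(self, enc_key: bytes, mac_key: bytes):
        self.enc_key, self.mac_key = enc_key, mac_key
    def seal(self, lba: int, plaintext: bytes) -> bytes:
        nonce = os.urandom(NONCE_LEN)
        ct = _xor(plaintext, _keystream(self.enc_key, nonce, len(plaintext)))
        # Encrypt-then-MAC; the tag binds the LBA so a stored block cannot be replayed elsewhere.
        tag = hmac.new(self.mac_key, struct.pack(">Q", lba) + nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def open(self, lba: int, blob: bytes) -> bytes:
        nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
        expect = hmac.new(self.mac_key, struct.pack(">Q", lba) + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(expect, tag):
            raise ValueError("HMAC verification failed at LBA %d" % lba)
        return _xor(ct, _keystream(self.enc_key, nonce, len(ct)))

def lockbox(passphrase: bytes, salt: bytes) -> SecurityModule:
    """Key lockbox: volume keys are sealed under a passphrase-derived key (PBKDF2 is an
    assumption), so the secret key is only ever stored in encrypted form."""
    kek = hashlib.pbkdf2_hmac("sha256", passphrase, salt, 100_000, dklen=64)
    return SecurityModule(kek[:32], kek[32:])

class Target:
    """Target side: access control and volume-to-disk mapping only; it never holds a key."""
    def __init__(self):
        self.acl, self.disk = {}, {}
    def grant(self, volume: str, initiator: str) -> None:
        self.acl.setdefault(volume, set()).add(initiator)
    def _check(self, initiator: str, volume: str) -> None:
        if initiator not in self.acl.get(volume, ()):
            raise PermissionError("%s may not access volume %s" % (initiator, volume))
    def write(self, initiator: str, volume: str, lba: int, blob: bytes) -> None:
        self._check(initiator, volume); self.disk[(volume, lba)] = blob  # opaque ciphertext + tag
    def read(self, initiator: str, volume: str, lba: int) -> bytes:
        self._check(initiator, volume); return self.disk[(volume, lba)]
```

Writing a block and reading it back through the target shows the target storing only ciphertext, while a block presented at the wrong LBA, a wrong passphrase on the lockbox, or an initiator not on the volume's access list are all rejected.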
Keywords/Search Tags: iSCSI, IP SAN, storage security, virtual encryption volume, storage sharing