What is iSCSI storage and how do I get it?
iSCSI is an acronym for Internet Small Computer Systems Interface, an Internet Protocol-based storage networking standard for linking data storage facilities. It provides block-level access to storage devices by carrying SCSI commands over an IP network. iSCSI makes data transfers over intranets and storage management over long distances possible. It can be used to transmit data over local area networks, wide area networks, or the Internet, and can enable location-independent data storage and retrieval.
The protocol allows clients to send SCSI commands to storage devices. It is a storage area network protocol that allows organizations to consolidate storage into storage arrays while providing clients with the illusion of locally attached SCSI disks. Unlike traditional Fibre Channel, which usually requires dedicated cabling, iSCSI can be run over long distances using existing network infrastructure. The iSCSI standard was submitted as a draft standard in 2000.[4]
iSCSI allows two hosts to communicate with each other over Internet Protocol networks. It takes a popular local storage bus and emulates it over a wide range of networks, creating a storage area network. iSCSI requires no dedicated cabling and can be run over existing infrastructure; as a result, it is often seen as a low-cost alternative to Fibre Channel, which requires dedicated infrastructure. Competition for a fixed amount of bandwidth can degrade the performance of an iSCSI SAN deployment if it is not operated on a dedicated network.
System administrators most commonly use it to allow their servers to access disk volumes on storage arrays. An iSCSI SAN involves two roles: initiators and targets.
An initiator functions as an iSCSI client. It serves the same purpose to a computer as a SCSI bus adapter would, except that instead of physically cabling SCSI devices to the computer, an iSCSI initiator sends SCSI commands over an IP network. Initiators fall into two broad types.
A software initiator implements iSCSI in code. Typically, this is a device driver that uses the existing network card and network stack to emulate SCSI devices for a computer. Software initiators are available for most popular operating systems.
A hardware initiator implements iSCSI in dedicated hardware. Using a hardware initiator can improve the performance of servers that use iSCSI. A hardware initiator takes the form of an iSCSI host bus adapter (HBA). A typical HBA combines a network interface controller, a TCP offload engine (TOE) and a SCSI bus adapter, which is how it appears to the operating system. Including a PCI option ROM makes it possible to boot from an iSCSI SAN.
An iSCSI offload engine (iSOE) card is an alternative to a full iSCSI HBA. An iSOE "offloads" the iSCSI operations for a particular network interface from the host processor, freeing up CPU cycles for the main host applications. An iSOE is used instead of a software-based iSCSI client when the additional performance enhancement justifies it. An iSOE can be implemented with additional services to further reduce host server usage.
The iSCSI specification refers to a storage resource located on an iSCSI server as a target.
An iSCSI target is often a dedicated network-connected hard disk storage device, but may also be a general-purpose computer, since, as with initiators, software to provide an iSCSI target is available for most mainstream operating systems.
An iSCSI target is often found in a large storage array. These arrays can be commodity hardware running free-software iSCSI implementations, or commercial products such as Quantastor, CloudByte, StorTrends, Pure Storage, HP StorageWorks, EqualLogic, Tegile Systems, Nimble Storage, Reduxio,
Most modern server operating systems can provide iSCSI target functionality, either as a built-in feature or with supplemental software. Some special-purpose operating systems also implement iSCSI target support.
In SCSI terminology, LU stands for logical unit, which is identified by a unique logical unit number (LUN). A LUN represents an individually addressable logical SCSI device that is part of a physical SCSI device (the target). In an iSCSI environment, LUNs are essentially numbered disk drives. The result is an iSCSI connection that emulates a connection to a SCSI hard disk. Instead of mounting remote directories as a network filesystem would, initiators treat iSCSI LUNs the same way as they would a raw SCSI or IDE hard drive, formatting and managing filesystems on them directly.
In enterprise deployments, LUNs usually represent subsets of large RAID disk arrays, often allocated one per client. iSCSI imposes no rules or restrictions on multiple computers sharing individual LUNs; it leaves shared access to a single underlying filesystem as a task for the operating system.
For general data storage on an already-booted computer, any type of generic network interface may be used to reach iSCSI devices. A generic network interface is not, however, able to boot a diskless computer from a remote iSCSI source. It is commonplace for a server to load its initial operating system from a TFTP server or local boot device, and then use iSCSI for data storage once booting from the local device has finished.
A separately configured DHCP server may assist the interface with network boot capability; the network interface looks for a PXE or bootp boot image, and the boot network interface's MAC address is used to kick off the iSCSI remote boot process. Alternatively, a software-only approach can load a small boot program which in turn mounts a remote iSCSI target and starts the boot process from it. An existing Preboot Execution Environment (PXE) boot ROM can be used to achieve this, and the boot code can also be loaded from a variety of sources, including CD/DVD, floppy disk and USB storage. iPXE is the most popular free software offering iSCSI boot support.[8]
Within the protocol, iSCSI addresses objects using higher-level names. Special names refer to targets. iSCSI provides three name formats.
IQN (iSCSI Qualified Name) format addresses are the most common. They are qualified by a date because a domain name can expire or be acquired by another entity.
The IEEE Registration Authority provides EUI identifiers. An NAA identifier incorporates an OUI, which is also assigned by the IEEE Registration Authority. These name formats were added to provide compatibility with the naming conventions used in Fibre Channel and SAS storage technologies.
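As an added example (not part of the original page), the following Python validates and normalizes the three iSCSI name formats described above and uses the normalized form for an initiator allow-list check, the kind of check a target applies before mapping an initiator to LUNs. The format rules follow RFC 3720; the sample names and allow-list are constructed for illustration.

```python
# Validate and normalize iSCSI node names (added example, not from the page).
# Formats (RFC 3720, section 3.2.6.3):
#   iqn.<yyyy-mm>.<reversed-domain>[:<unique-name>]  iSCSI Qualified Name
#   eui.<16 hex digits>                              IEEE EUI-64
#   naa.<16 or 32 hex digits>                        T11 Network Address Authority
import re
from dataclasses import dataclass
from typing import Optional

MAX_NAME_BYTES = 223  # RFC 3720: an iSCSI name is at most 223 bytes
LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
IQN_RE = re.compile(
    rf"^iqn\.(?P<year>\d{{4}})-(?P<month>0[1-9]|1[0-2])"
    rf"\.(?P<authority>{LABEL}(?:\.{LABEL})*)(?::(?P<unique>[a-z0-9.:-]+))?$"
)
EUI_RE = re.compile(r"^eui\.[0-9a-f]{16}$")
NAA_RE = re.compile(r"^naa\.(?:[0-9a-f]{16}|[0-9a-f]{32})$")

@dataclass
class IscsiName:
    kind: str                             # "iqn", "eui" or "naa"
    normalized: str                       # lowercase form used for comparisons
    authority_date: Optional[str] = None  # yyyy-mm the authority owned the domain (IQN)
    authority: Optional[str] = None       # reversed domain name (IQN)

def parse_iscsi_name(raw: str) -> IscsiName:
    """Parse one iSCSI node name; raises ValueError if it is malformed."""
    name = raw.strip().lower()  # the RFC 3722 string profile maps names to lowercase
    if not name or len(name.encode()) > MAX_NAME_BYTES:
        raise ValueError(f"name length out of range: {raw!r}")
    if m := IQN_RE.match(name):
        return IscsiName("iqn", name, f"{m['year']}-{m['month']}", m["authority"])
    if EUI_RE.match(name):
        return IscsiName("eui", name)
    if NAA_RE.match(name):
        return IscsiName("naa", name)
    raise ValueError(f"not a valid iSCSI name: {raw!r}")

def initiator_allowed(raw_initiator: str, allow_list: set) -> bool:
    """Allow-list check on normalized names: exact match only, never a prefix match."""
    try:
        name = parse_iscsi_name(raw_initiator)
    except ValueError:
        return False  # malformed names are rejected rather than guessed at
    return name.normalized in {parse_iscsi_name(a).normalized for a in allow_list}

# Constructed sample allow-list (the EUI value is the illustrative one in RFC 3720)
ALLOW = {"iqn.2004-01.com.example:host01", "eui.02004567A425678D"}
```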
The Internet Storage Name Service (iSNS) protocol can be used to locate appropriate storage resources. In theory, iSNS gives iSCSI SANs the same management model as dedicated Fibre Channel SANs; in practice, administrators can satisfy many deployment goals without using iSNS.
iSCSI initiators and targets authenticate each other with CHAP, which includes a mechanism to prevent cleartext passwords from appearing on the wire. By itself, CHAP is vulnerable to dictionary attacks. If followed carefully, the best practices for using CHAP within iSCSI reduce the surface for these attacks and mitigate the risks.[2]
As with all IP-based protocols, IPsec can operate at the network layer. Interoperability issues limit the deployment of other authentication schemes, though the iSCSI negotiation protocol is designed to accommodate them.
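As an added example (not from the original page), the following Python simulates the CHAP step of an iSCSI login with both sides' messages and enforces the minimum secret length that RFC 3720 requires, which is the main defence behind the best practices mentioned above. The secrets are constructed sample values.

```python
# Simulated CHAP step of an iSCSI login (added example, not from the page).
# iSCSI carries CHAP (RFC 1994) in its login text keys: the target sends
# CHAP_A=5 (MD5), an identifier CHAP_I and a challenge CHAP_C; the initiator
# answers with its name CHAP_N and CHAP_R = MD5(CHAP_I || secret || CHAP_C).
# Only the digest crosses the wire, never the secret itself.
import hashlib
import secrets

# RFC 3720 section 8.2.1: do not proceed with CHAP when the secret is shorter
# than 96 bits unless IPsec protects the connection. A short secret lets anyone
# who recorded a challenge/response pair test guesses offline (dictionary attack).
MIN_SECRET_BITS = 96

def secret_is_acceptable(secret: bytes) -> bool:
    return len(secret) * 8 >= MIN_SECRET_BITS

def chap_response(chap_i: int, secret: bytes, challenge: bytes) -> str:
    """Initiator side: CHAP_R in the '0x' hex text-key form used by iSCSI."""
    if not secret_is_acceptable(secret):
        raise ValueError("CHAP secret must be at least 96 bits (12 bytes)")
    digest = hashlib.md5(bytes([chap_i & 0xFF]) + secret + challenge).digest()
    return "0x" + digest.hex()

def target_challenge() -> tuple:
    """Target side: a fresh random identifier and challenge for every login.
    Reusing a challenge would let a recorded CHAP_R be replayed."""
    return secrets.randbelow(256), secrets.token_bytes(16)

def target_verify(chap_i: int, challenge: bytes, secret: bytes, chap_r: str) -> bool:
    """Target side: recompute the expected digest and compare in constant time."""
    expected = chap_response(chap_i, secret, challenge)
    return secrets.compare_digest(expected, chap_r.strip().lower())

def run_login(initiator_secret: bytes, secret_on_file: bytes) -> bool:
    """One login exchange; returns whether the target accepts the initiator."""
    chap_i, chap_c = target_challenge()                        # target -> initiator
    chap_r = chap_response(chap_i, initiator_secret, chap_c)   # initiator -> target
    return target_verify(chap_i, chap_c, secret_on_file, chap_r)

# Constructed sample secret: 16 bytes, so it passes the 96-bit minimum
SAMPLE_SECRET = b"xk7!Qp2$vL9@mZ4r"
```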
To ensure that only valid initiators connect to storage arrays, administrators most commonly run iSCSI only over logically isolated back-channel networks. In this deployment architecture, only the management ports of the storage arrays are exposed to the general-purpose internal network. Unauthorized users cannot talk to the storage arrays because they are not physically provisioned for it. However, a single compromised host with an iSCSI disk can be used to attack storage resources for other hosts.
While iSCSI can be logically isolated from the general network using VLANs only, it is still no different from any other network equipment and may use any cable or port as long as there is a completed signal path between source and target. A single cabling mistake by a network technician can compromise the barrier of logical separation, and an accidental bridge may not be detected immediately because it does not cause network errors.
In order to further differentiate iSCSI from the regular network and prevent cabling mistakes when changing connections, administrators may implement self-defined color-coding and labeling standards, such as only using yellow-colored cables for the iSCSI connections.
Rather than implementing iSCSI as just a VLAN cluster of ports on a large multi-port switch, administrators may choose physically separate switches dedicated to iSCSI only, to further prevent an incorrectly connected cable plugged into the wrong port from bridging the logical barrier.
The goal of iSCSI is to consolidate storage for many servers into a single storage array. A single enterprise storage array can hold data regulated by the Sarbanes–Oxley Act for corporate accounting, the Health Insurance Portability and Accountability Act, and the Payment Card Industry Data Security Standard. Storage systems have to demonstrate that a server under one regime cannot access the storage assets of a server under another.
Typically, an iSCSI storage array explicitly maps initiators to specific target LUNs; an initiator authenticates to the specific storage asset it intends to use, not to the array as a whole. Because the target LUNs for SCSI commands are expressed in both the iSCSI negotiation protocol and the underlying SCSI protocol, care must be taken to ensure that access control is provided consistently.
iSCSI is a cleartext protocol that provides no protection for data in motion during SCSI transactions. An attacker who can listen in on the traffic on the network can.
These problems are not unique to iSCSI; they apply to any SAN protocol. The traffic can be protected with standards-based security protocols.