VMware

This Question is Answered

1 2 Previous Next 29 Replies Last post: Dec 4, 2008 6:58 AM by whuber97  

How important is iSCSI switch isolation? posted: Apr 5, 2008 5:43 AM

Click to view mattjk's profile Enthusiast
mattjk
80 posts since
Dec 19, 2007

Hi all,

How important is switch isolation when using iSCSI with ESX (i.e., having dedicated switches for iSCSI traffic), as opposed to sharing switches (iSCSI & regular network on the same switches) and using VLANs to segregate traffic? Is the general recommendation that iSCSI switch isolation is a good idea due to security, or performance, or what?

We are looking at a NetApp FAS20x0 to use with our ESX deployment, and want to take advantage of it's NFS features (e.g. users directly accessing older snapshots of data on RDMs) and IP-based replication.

To use these features the NetApp unit would have to be physically connected to the main LAN. We can achieve this by connecting the LAN and iSCSI switches together, but this seems a bit silly if the main purpose of iSCSI switch isolation is physical security.

So, I'm wondering if switch isolation for iSCSI is really necessary - using the same switches for LAN & iSCSI (with VLANs) would be simpler, and saves us the cost of two dedicated switches for iSCSI.

Thoughts? Answers? Opinions?

Thanks in advance.


Re: How important is iSCSI switch isolation?

1. Apr 5, 2008 6:03 AM in response to: mattjk
Click to view kukacz's profile Hot Shot
kukacz
88 posts since
May 20, 2007

In my opinion there is no reason to physically separate switches for iSCSI traffic. It's costly, it's not too flexible.

You should separate the LAN and iSCSI traffic using VLANs to be safe. As long as you use enterprise-class switches you can stay calm with the performance and feature requirements.

--
Lukas Kubin

Re: How important is iSCSI switch isolation?

2. Apr 5, 2008 7:50 AM in response to: kukacz
Click to view Texiwill's profile Guru
Texiwill
10,205 posts since
Jan 13, 2004
Hello,

Whether to Isolate iSCSI is really a security call and not a performance or redundancy issue. Please remember that for VI3/ESX iSCSI requires the participation of the SC, so isolation is limited anyways. If the SC (Administration Network) must participate in the iSCSI Network then the most secure method is to use a firewall to allow CHAP and protect the iSCSI network from the SC.

You do however want to isolate your Storage Network from VMs and other systems that are not using it. The reasons for this are two fold. 1 is to limit cross chatter caused by broadcasts sent out by some Microsoft Windows installations (They are noisy) and the other is to limit access from a Security point of view. Most iSCSI implementations use CHAP for Authentication (which is encrypted) and this is what the SC must be able to do, whether you use CHAP or not. BUT the non-authentication traffic is not encrypted. That part of the iSCSI Spec is not implemented by many vendors, so it is a clear text protocol and there are several whitepapers out there that discuss how to intercept this traffic using pretty standard MiTM attacks.

Given that NFS, and iSCSI are generally clear text, this is why you want isolation. You would not want a hacker (internal or external) to get a hold of credentials, critical data or anything else.

Also NOTE, that VLANs only protect you so far. There are a number of VLAN Jumping (encapsulation) attacks that work against most physical switches. Granted Cisco and the other switch vendors are working to close these gaps, they can not be fully closed til IPV6 w/IPSec is widely in use within the datacenter. Also, VLAN attacks are a hot subject of research in the black hat world.

It all boils down to three things.... Your Written Security Policy, The Levels of Trust within your company, and any Organization, Federal ,or State Guidelines that must be met for your line of work... I.E. SOX/Hippa/PCI, etc....


Best regards,
Edward L. Haletky
VMware Communities User Moderator
====
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education. As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

Re: How important is iSCSI switch isolation?

3. Apr 7, 2008 7:03 AM in response to: Texiwill
Click to view jeremypage's profile Hot Shot
jeremypage
181 posts since
Mar 4, 2005
Note:It can become a performance issue if the switches' backplanes get overloaded. With most new boxes that's not going to be an issue, but if you have older hardware it would be a good idea to see what their total IO is.

Re: How important is iSCSI switch isolation?

4. Apr 7, 2008 8:08 AM in response to: mattjk
Click to view pdrace's profile Expert
pdrace
566 posts since
Dec 2, 2004

My servers are on physically seperate switches mostly for security reasons as Texiwill has explained. I'm using 2 HP switches with switch meshing enabled and it's worked well.

We also do this with our Oracle NFS mounts on Netapp.

Re: How important is iSCSI switch isolation?

5. Apr 11, 2008 7:09 PM in response to: mattjk
Click to view mattjk's profile Enthusiast
mattjk
80 posts since
Dec 19, 2007

Thanks for the info guys - sorry to ask a question and then just disappear for a week, it's been a hectic one :-(

Doesn't sound like there's a definitive answer (other than use good switches and VLANs at the very least).

I guess we're just going to have to consider the pros and cons and make a call on it - we're a fairly small company so we don't have any formal security policies to guide us, and we're not covered by any particular legislative requirements either.

The main benefit for us not physically seperating iSCSI traffic is that we'll be able to afford slightly better switches. For example, rather than getting 4 x ProCurve 2810-24G's for iSCSI & our new network "core", we could get 2 x ProCurve 2848's or 2 x Catalyst 2960G-48TC-L's instead.

Does anyone have an opinion on whether the better switches is likely to be of bigger benefit than physically seperating iSCSI?

Thanks.

Re: How important is iSCSI switch isolation?

6. Apr 11, 2008 7:18 PM in response to: mattjk
Click to view mike.laspina's profile Virtuoso
mike.laspina
2,270 posts since
May 26, 2006

Hi,

The separation of iSCSI is very important I did a short blog on it if your interested.

http://blog.laspina.ca/roller/Ubiquitous/entry/iscsi_security_basics


Re: How important is iSCSI switch isolation?

7. Apr 12, 2008 10:31 AM in response to: mike.laspina
Click to view Texiwill's profile Guru
Texiwill
10,205 posts since
Jan 13, 2004
Hello,

Mike is correct, there is a definite response. Separation should be required as iSCSI non-CHAP traffic is clear text.... A VM for example should not be able to access a VMFS iSCSI target.


Best regards,
Edward L. Haletky
VMware Communities User Moderator
====
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education. As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

Re: How important is iSCSI switch isolation?

8. Apr 12, 2008 3:15 PM in response to: Texiwill
Click to view kukacz's profile Hot Shot
kukacz
88 posts since
May 20, 2007
Texiwill, I don't understand why you stricly force people in this forum to use physical switch separation for iSCSI traffic.

Sure, iSCSI is a clear-text protocol. But, 1) switch is not a hub, there are only 2 ports involved in each iSCSI frame's path, 2) VLANs allow for another kind of traffic separation, 3) there might be lots of unsafe protocols on the LAN side of ESX envirnonment too, so securing the iSCSI only would have no effect on overall security.


Of course, there are attacks. To break shared-switch security and make some benefit of stealing iSCSI frames, the attacker would have to put on a great effort. Also, there are sorts of attack which even physical switch separation would not prevent.


The "never say never" rule applies (not so) surprisingly often and I don't agree physical switch separaration is a must for any iSCSI installation. It's always on the system architect to decide between various factors and to what scale they apply.


--
Lukas Kubin

Re: How important is iSCSI switch isolation?

9. Apr 12, 2008 3:11 PM in response to: kukacz
Click to view Texiwill's profile Guru
Texiwill
10,205 posts since
Jan 13, 2004
Hello,

There are a number of existing attacks that would jeopardize your iSCSI/NFS/Administrative physical switch configurations. Unfortunately, this will continue until IPV6 w/IPSec is implemented within the datacenter. I do not see that happening any time soon, but the poster stated there was no clear cut statement that it should be isolated. I think there is a clear cut statement that it should be. I treat iSCSI/NFS just like I would SAN and keep everything separate.

However, whether or not it should be or should not be depends quite a bit on your Security Policy, security requirements (which should be in the security Policy), regulatory requirements, and your levels of Trust within an organization.

You are correct, it would take quite a bit to sniff iSCSI traffic on most networks. However, I know plenty of disgruntled employees and hackers that will go to great and even convoluted lengths to either hack a system, or access data they have no right to access. Bastion hosts will hopefully protect the inside from the outside and further bastions prevent Pivot attacks, but it is really the inside that is the greatest cause for security concern. 70% of all attacks come from the inside.

But once more this truly depends on your levels of Trust, your Security Policy, and any other required levels of Security either regulatory, or dictated. As you state the system Architect should talk to Security and design with this in mind. Not every industry requires this level of Security. Nor can everybody afford it...


Best regards,
Edward L. Haletky
VMware Communities User Moderator
====
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education. As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

Re: How important is iSCSI switch isolation?

10. Apr 12, 2008 10:28 PM in response to: kukacz
Click to view mike.laspina's profile Virtuoso
mike.laspina
2,270 posts since
May 26, 2006
Hi,

Security is not only about someone hacking into the switch. For example this real world example really happened.

Lets say you need to upgrade your switch firmware to support a specific STP protocol and your iSCSI network shares the same hardware.

Unfortunately you discover that this firmware has issues that destabilized the iSCSI network and drops some servers.

This is just one of many possible issues.

Now consider that you are running 10 Vmware hosts on this environment.

This is an uneccessary risk that does not need to happen.

The cost of this event was over $100,000. The cost of two switches ~$8,000.

The value of separating the iSCSI switch environment sometimes has to be experienced, then it is truly understood and appreciated.

Hopefully you will not have to find out the hard way.

Re: How important is iSCSI switch isolation?

11. Apr 12, 2008 4:53 PM in response to: mike.laspina
Click to view Texiwill's profile Guru
Texiwill
10,205 posts since
Jan 13, 2004
Hello

Mike may I use this as an example, with appropriate credit, in some works I am writing? This is a very good case for separation and a way to protect from unknown but very possible disasters and impacts on business continuity. Security is not always about protecting from the wily hacker, but protecting against any type of failure. For those who think BC/DR is separate from Security, they should look at the Common Body of Knowledge required to pass the CISSP certification.


Best regards,
Edward L. Haletky
VMware Communities User Moderator
====
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education. As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

Re: How important is iSCSI switch isolation?

12. Apr 12, 2008 10:32 PM in response to: Texiwill
Click to view mike.laspina's profile Virtuoso
mike.laspina
2,270 posts since
May 26, 2006

You are welcome to use it.

Re: How important is iSCSI switch isolation?

13. Apr 14, 2008 12:01 AM in response to: mike.laspina
Click to view kukacz's profile Hot Shot
kukacz
88 posts since
May 20, 2007
Mike, your example doesn't fit well into this thread. You wrote a case about switch - storage paths - redundancy while we are discussing iSCSI and LAN switch separation.

In my opinion (also accepting some of the arguments written in posts above) there is a scale of levels of security and business continuity for everyone to choose from. Applied to number of switches used, this scale should probably look like the following (sorted from insecure to more secure):

  1. Single switch for both LAN and iSCSI traffic. Single point of failure for all traffic; vulnerable to switch attacks.
  2. Two switches for separated traffic. Single point of failure for both sorts of traffic; less vulnerable to switch attacks.
  3. Two switches for mixed traffic. Redundant paths - no single point of failure for all traffic; vulnerable to switch attacks.
  4. Four switches for separated traffic. Redundant paths - no single point of failure for all traffic; less vulnerable to switch attacks.
--

Lukas Kubin

Re: How important is iSCSI switch isolation?

14. Apr 13, 2008 8:07 PM in response to: kukacz
Click to view mike.laspina's profile Virtuoso
mike.laspina
2,270 posts since
May 26, 2006

The original Q.

How important is switch isolation when using iSCSI with ESX (i.e., having dedicated switches for iSCSI traffic), as opposed to sharing switches (iSCSI & regular network on the same switches)

My opinion.

The separation of iSCSI is very important.

Your opinion.

In my opinion there is no reason to physically separate switches for iSCSI traffic.

Enough said as far as I am concerned.

You have your view and I have mine.

1 2 Previous Next Go to original post

Actions

VMware Developer

SDKs, APIs, Videos, Learn and much more in the Developer community.

Learn More

Developer Sample Code

Increase your developer productivity with VMware API sample code.

Learn More

VMworld Sessions & Labs

Online access to the latest VMworld Sessions & Labs and online services.

Learn more

Purchase PSO Credits Online

Purchase credits to redeem training and consulting services online.

Buy Now

Community Hardware Software

View reported configurations or report your own.

Learn More

VMware vSphere

Come witness the next giant leap in virtualization.

Register Today

Communities