VMware Cloud Community
HendersonD
Hot Shot

iSCSI CHAP, do you use it?

One of the suggestions to increase security in our environment is to use Mutual or Bi-directional CHAP for iSCSI traffic. We have seven ESXi 6.7 Update 1 hosts, a Nimble storage array, a Nexsan storage array, and Veeam for backup and replication. We do have a separate non-routable VLAN for all storage traffic. Four questions:

  1. How important is it to use CHAP? I know security is always important; I'm just trying to gauge our level of vulnerability.
  2. If we do decide to use CHAP, is it tough to set up?
  3. Is downtime needed? Let's say we configure one host to use CHAP. I am assuming that as soon as this is configured it will lose connectivity to the Nimble array until we have configured that side as well, and then connectivity will be re-established. I'm just trying to figure out the proper order for implementing CHAP without cutting off any VMs.
  4. For those who use Veeam, I am assuming I have to set up CHAP there as well, since Veeam does SAN-based backup. Is this straightforward?
IRIX201110141
Champion

We have used mutual CHAP for a long time in our EqualLogic setups. Every ESXi cluster has its own "password", so whenever we add a new host to a cluster it gets access to all the LUNs the cluster needs. The same applies when creating a new volume on the storage and presenting the LUNs to the hosts... we can be sure that all hosts get access. We don't use ACLs based on IQN (only in the early days) or on IP.

The vSphere Hardening Guide points out that bi-directional CHAP should be used.

It depends on the customer whether I suggest letting a Windows server access the ESXi datastores directly on the SAN. The LUNs are "visible" and "ready to initialize" on the Windows backup server. Yes, we set "automount disable", but that only prevents the popup in the Windows storage manager. If your "admin" clicks initialize, your datastores start dying.

Yes, I have customers with Veeam Enterprise Plus with NetApp NFS or other supported "Snapshot from SAN" systems, and this gives a huge benefit.

If your physical backup server is CPU limited, we use a Veeam proxy (VM) on every host (in larger environments) and use "Hot Add" rather than backup from SAN. We do the same when Veeam itself is running in a VM, because backup from SAN is only supported with a physical server (keep about FC). Yes... with in-guest iSCSI there are ways... but we don't use it.

Regards,

Joerg

HendersonD
Hot Shot

After some further investigation, we have decided not to use CHAP, for two reasons:

  1. We have a separate non-routable VLAN for storage. For a man-in-the-middle attack (what CHAP prevents) to happen, a device would have to gain access to this VLAN, which is unlikely.
  2. We have Veeam integrated with our Nimble array. Backup from storage snapshots is not supported by Veeam when CHAP is in use.
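For readers weighing the trade-off discussed in this thread, here is an added example (not code from the original posts, and not from VMware, Nimble or Veeam) that walks through the iSCSI login security-negotiation phase with CHAP and mutual CHAP, following RFC 1994 and RFC 7143: CHAP_A=5 selects MD5, and the response is CHAP_R = MD5(CHAP_I || secret || CHAP_C). The IQNs and secrets are constructed, and the message encoding is simplified to Python dicts rather than the text key=value pairs iSCSI actually sends. It shows the point behind the bi-directional recommendation: one-way CHAP lets the array check the host, but only mutual CHAP lets the host check that it is talking to the real array. Note what is not shown: CHAP authenticates the login only; the SCSI traffic that follows is neither encrypted nor integrity-protected by it, which is why the thread's VLAN isolation still matters regardless of the CHAP decision.

```python
import hashlib
import hmac
import os

# Constructed example identities and secrets (not from the thread). In practice
# each side's secret is provisioned out of band on the array and on every host.
INITIATOR_NAME = "iqn.1998-01.com.vmware:esxi-host-01"    # constructed IQN
TARGET_NAME = "iqn.2007-11.com.example:array-volume-01"   # constructed IQN
INITIATOR_SECRET = b"initiator-secret-example-01"
TARGET_SECRET = b"target-secret-example-02"               # only needed for mutual CHAP

CHAP_A_MD5 = 5  # CHAP_A=5: the MD5 algorithm (RFC 7143 section 12.1.3)


def chap_response(chap_i: int, secret: bytes, chap_c: bytes) -> bytes:
    """CHAP_R = MD5(CHAP_I || secret || CHAP_C), RFC 1994 as used by iSCSI."""
    return hashlib.md5(bytes([chap_i & 0xFF]) + secret + chap_c).digest()


class Target:
    """Array side: challenges the initiator and, under mutual CHAP, answers the
    initiator's challenge with the target secret."""

    def __init__(self, name, initiator_secrets, own_secret):
        self.name = name
        self.initiator_secrets = initiator_secrets  # {initiator IQN: secret}
        self.own_secret = own_secret
        self.chap_i = None
        self.chap_c = None

    def send_challenge(self):
        # A fresh identifier and random challenge for every login attempt.
        self.chap_i = os.urandom(1)[0]
        self.chap_c = os.urandom(16)
        return {"CHAP_A": CHAP_A_MD5, "CHAP_I": self.chap_i, "CHAP_C": self.chap_c}

    def verify_initiator(self, reply):
        secret = self.initiator_secrets.get(reply["CHAP_N"])
        if secret is None:
            return False
        expected = chap_response(self.chap_i, secret, self.chap_c)
        return hmac.compare_digest(expected, reply["CHAP_R"])

    def answer_mutual_challenge(self, reply):
        # Reached only when the initiator included its own CHAP_I/CHAP_C.
        return {"CHAP_N": self.name,
                "CHAP_R": chap_response(reply["CHAP_I"], self.own_secret, reply["CHAP_C"])}


class ImpersonatingTarget(Target):
    """A device answering on the array's IQN without the array's secrets. It
    'accepts' every initiator response, because it is the one doing the check."""

    def __init__(self, name):
        super().__init__(name, {}, b"not-the-real-target-secret")

    def verify_initiator(self, reply):
        return True


class Initiator:
    """Host side: answers the target's challenge; with mutual=True it also
    challenges the target and checks the answer against the known target secret."""

    def __init__(self, name, secret, target_secrets, mutual):
        self.name = name
        self.secret = secret
        self.target_secrets = target_secrets  # {target IQN: target secret}
        self.mutual = mutual
        self.chap_i = None
        self.chap_c = None

    def respond(self, challenge):
        reply = {"CHAP_N": self.name,
                 "CHAP_R": chap_response(challenge["CHAP_I"], self.secret, challenge["CHAP_C"])}
        if self.mutual:
            self.chap_i = os.urandom(1)[0]
            self.chap_c = os.urandom(16)
            reply["CHAP_I"] = self.chap_i
            reply["CHAP_C"] = self.chap_c
        return reply

    def verify_target(self, answer):
        secret = self.target_secrets.get(answer["CHAP_N"])
        if secret is None:
            return False
        expected = chap_response(self.chap_i, secret, self.chap_c)
        return hmac.compare_digest(expected, answer["CHAP_R"])


def iscsi_login(initiator, target):
    """Run the security-negotiation phase; returns 'ok', 'initiator-rejected'
    or 'target-rejected'."""
    reply = initiator.respond(target.send_challenge())
    if not target.verify_initiator(reply):
        return "initiator-rejected"
    if initiator.mutual and not initiator.verify_target(target.answer_mutual_challenge(reply)):
        return "target-rejected"
    return "ok"


def demo():
    real_array = Target(TARGET_NAME, {INITIATOR_NAME: INITIATOR_SECRET}, TARGET_SECRET)
    impostor = ImpersonatingTarget(TARGET_NAME)
    one_way = Initiator(INITIATOR_NAME, INITIATOR_SECRET, {TARGET_NAME: TARGET_SECRET}, mutual=False)
    mutual = Initiator(INITIATOR_NAME, INITIATOR_SECRET, {TARGET_NAME: TARGET_SECRET}, mutual=True)
    bad_host = Initiator(INITIATOR_NAME, b"wrong-secret", {TARGET_NAME: TARGET_SECRET}, mutual=True)
    return {
        "mutual_real_array": iscsi_login(mutual, real_array),   # ok
        "mutual_impostor": iscsi_login(mutual, impostor),       # target-rejected
        "one_way_impostor": iscsi_login(one_way, impostor),     # ok: the host cannot tell
        "bad_host_real_array": iscsi_login(bad_host, real_array),  # initiator-rejected
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The `one_way_impostor` case is the one the Hardening Guide recommendation addresses: with one-way CHAP the host has no way to notice that the device answering on the array's IQN is not the array, while the `mutual_impostor` case fails at `verify_target`. The `hmac.compare_digest` calls are there to compare responses in constant time, a small detail the RFCs leave to the implementer.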
cyberpaul
Enthusiast

Same here. I generally use VLAN separation for iSCSI traffic. If you need further isolation within the iSCSI VLAN, it can be handled on an IP basis.

CHAP should work though, I just never felt the need to use it.

Deso1ator
Enthusiast

I've never enabled CHAP at the couple places I used iSCSI.
