One of the suggestions to increase security in our environment is to use Mutual or Bi-directional CHAP for iSCSI traffic. We have seven ESXi 6.7 Update 1 hosts, a Nimble storage array, a Nexsan storage array, and Veeam for backup and replication. We do have a separate non-routable VLAN for all storage traffic. Four questions:
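Added example (editor's note, not code from this thread or from VMware): a PowerCLI script that audits the CHAP settings on every iSCSI adapter of every host in a vCenter and flags hosts that are not set to required, mutual CHAP, which is the setting the question is about. It assumes VMware PowerCLI is installed; the vCenter name, the cluster name and the CHAP names and secrets are placeholders. The remediation loop follows the one-secret-per-cluster idea and runs with `-WhatIf`, so nothing is changed until you remove that switch, and the matching target-side CHAP accounts still have to be created on the storage array.

```powershell
# Added example, not part of the thread: audit CHAP on every iSCSI adapter in a vCenter
# and flag hosts that do not require mutual (bi-directional) CHAP.
# Assumes VMware PowerCLI; 'vcenter.example.local' is a placeholder.
Connect-VIServer -Server 'vcenter.example.local' | Out-Null

$report = foreach ($cluster in Get-Cluster) {
    foreach ($hba in Get-VMHost -Location $cluster | Get-VMHostHba -Type iScsi) {
        $auth = $hba.AuthenticationProperties
        [pscustomobject]@{
            Cluster        = $cluster.Name
            Host           = $hba.VMHost.Name
            Adapter        = $hba.Device
            ChapType       = $auth.ChapType        # Prohibited / Discouraged / Preferred / Required
            ChapName       = $auth.ChapName
            MutualChap     = $auth.MutualChapEnabled
            MutualChapName = $auth.MutualChapName
            # Target state: CHAP required in both directions
            Compliant      = ($auth.ChapType -eq 'Required') -and [bool]$auth.MutualChapEnabled
        }
    }
}

$report | Sort-Object Cluster, Host | Format-Table -AutoSize

# Remediation with one initiator/target secret pair per cluster. The names and secrets
# below are placeholders; in practice read them from a password vault, never hard-code them.
$chapSecrets = @{
    'Cluster-A' = @{
        Name = 'cluster-a-init'; Secret = '<initiator-secret>'
        TargetName = 'cluster-a-tgt'; TargetSecret = '<target-secret>'
    }
}

foreach ($row in $report | Where-Object { -not $_.Compliant -and $chapSecrets.ContainsKey($_.Cluster) }) {
    $s   = $chapSecrets[$row.Cluster]
    $hba = Get-VMHost -Name $row.Host | Get-VMHostHba -Type iScsi -Device $row.Adapter
    # Remove -WhatIf to apply; the array-side CHAP accounts must exist first or the LUNs drop.
    Set-VMHostHba -IScsiHba $hba -ChapType Required -ChapName $s.Name -ChapPassword $s.Secret `
        -MutualChapEnabled $true -MutualChapName $s.TargetName -MutualChapPassword $s.TargetSecret -WhatIf
}
```

Run the audit part first on its own; the `Compliant` column gives a quick view of which hosts would lose access if the array were switched to requiring mutual CHAP before the host side is configured.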
We have used mutual CHAP for a long time in our EqualLogic setups. Every ESXi cluster has its own "password", so whenever we add a new host to a cluster it gets access to all LUNs the cluster needs. Same when creating a new volume on the storage and presenting the LUNs to the hosts... we can be sure that all hosts get access. We don't use ACLs based on IQN (only in the early days) or IP.
The vSphere Hardening Guide points out that bi-directional CHAP should be used.
It depends on the customer whether I suggest letting a Windows server access the ESXi datastores directly on the SAN. The LUNs are "visible" and "ready to initialize" on the Windows backup server. Yes, we set "automount disable", but that only prevents the popup in the Windows storage manager. If your "admin" clicks initialize, your datastores start dying.
Yes, I have customers with Veeam Enterprise Plus and NetApp NFS or other supported "Snapshot from SAN" systems, and this gives a huge benefit.
If your physical backup server is CPU limited, we use a Veeam proxy (VM) on every host (in larger environments) and use "Hot Add" rather than Backup from SAN. We do the same when Veeam itself is running in a VM, because Backup from SAN is only supported with a physical server (keep about FC). Yes... with in-guest iSCSI there is a way... but we don't use it.
Regards,
Joerg
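Added example (editor's note, not code from this thread or from Veeam): a PowerShell check for the Windows backup server scenario in the reply above, where ESXi datastore LUNs show up as "ready to initialize". Besides diskpart's `automount disable`, Windows has a SAN policy (`Get-StorageSetting` / `Set-StorageSetting -NewDiskPolicy`, Storage module on Windows Server 2012 R2 and later, which this example assumes) that decides whether newly discovered shared-bus disks come online at all; `OfflineShared` keeps iSCSI and FC disks offline and read-only, which is the state a Backup-from-SAN proxy is expected to see them in. The script reports the current policy, sets it, and lists shared-bus disks that are still online or writable.

```powershell
# Added example, not part of the thread: on a Windows backup server that can see ESXi
# datastore LUNs over iSCSI or FC, show the SAN policy and the disks at risk of an
# accidental "Initialize Disk", then set the policy so new shared-bus disks stay offline.
# Assumes Windows Server 2012 R2 or later (Storage module) and an elevated session.

$policy = (Get-StorageSetting).NewDiskPolicy
Write-Host "Current SAN policy: $policy"

if ($policy -ne 'OfflineShared') {
    # OfflineShared: internal disks come online as usual; disks on a shared bus
    # (iSCSI, Fibre Channel) are left offline and read-only when first discovered.
    Set-StorageSetting -NewDiskPolicy OfflineShared
    Write-Host "SAN policy set to OfflineShared (applies to disks discovered from now on)"
}

# Inventory of shared-bus disks: anything online and writable here is a datastore
# that one click in Disk Management could overwrite.
$sharedBus = @('iSCSI', 'Fibre Channel')
$atRisk = Get-Disk |
    Where-Object { $_.BusType -in $sharedBus -and (-not $_.IsOffline -or -not $_.IsReadOnly) }

Get-Disk |
    Where-Object { $_.BusType -in $sharedBus } |
    Select-Object Number, FriendlyName, BusType, PartitionStyle, OperationalStatus, IsOffline, IsReadOnly |
    Format-Table -AutoSize

# Bring already-discovered shared-bus disks to the same safe state. Assumption: the backup
# product only reads these disks and does not need them online (remove -WhatIf to apply).
foreach ($disk in $atRisk) {
    Set-Disk -Number $disk.Number -IsReadOnly $true -WhatIf
    Set-Disk -Number $disk.Number -IsOffline  $true -WhatIf
}
```

The SAN policy only affects disks discovered after it is set, which is why the second half walks the disks that are already present; run it with `-WhatIf` first and compare the list against what the backup job actually mounts.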
After some further investigation, we have decided not to use CHAP for two reasons
Same here. I generally use VLAN separation for iSCSI traffic. If you need further isolation within the iSCSI VLAN, it can be handled on an IP basis.
CHAP should work though, I just never felt the need to use it.
I've never enabled CHAP at the couple places I used iSCSI.