Secure Asymmetric iSCSI For Online Storage

Sarah A. Summers
Project Proposal
Master of Science in Computer Science
University of Colorado, Colorado Springs
4/13/2007

Introduction

- Explosion in data growth has given rise to a need for increased storage capabilities.
- Increased use of online storage solutions such as iSCSI.
- Storage solutions must provide security, privacy and accountability in line with Government regulations (SOX and HIPAA).
- Standard iSCSI in combination with IPSec provides security only during transport.

Goals

- Enhance the existing Efficient Asymmetric Secure iSCSI implementation.
- Produce an implementation that is more complete and user friendly.
- Investigate the possibilities of using the implementation for disaster recovery.

Efficient Asymmetric Secure iSCSI

- Andukuri proposed an Efficient Asymmetric Secure iSCSI scheme to address security of data during transport and when in place on the target.
- Dual-key asymmetric cryptographic enhancement of IPSec.
- Payload encrypted with custom key (not shared with target).
- Packet encrypted with IPSec ESP for transportation.
- Packet decrypted at target.
- Payload stored in encrypted form on target.

Efficient Asymmetric Secure iSCSI Implementation

[Figure: initiator and target protocol stacks (scsi, iscsi, tcp, ipsec, ip). Labels: "Encrypted payload"; "Unencrypted payload"; "Payload encrypted with custom key"; "Payload decrypted here with custom key"; "Only headers encrypted here"; "Only headers decrypted here"; "To iscsi initiator"; "To iscsi target".]

Project Proposal and Scope

- The current implementation is a prototype; as such, improvements are possible.
- By examining the implementation and associated thesis, the following areas have been identified for enhancement/addition:
  - Add Graphical User Interface for easier configuration.
  - Enable the transfer of files of arbitrary size.
  - Enable transfer of files to more than one target.
  - Investigate the potential for using the implementation for disaster recovery.

Test-Bed

The test-bed shown below was created for the previous research; it will be utilized and added to for the current project.

- iSCSI Initiator: IP = 128.198.61.92, Linux: 2.6.12.1, open-iscsi 0.4-434
- iSCSI Target: IP = 128.198.61.93, Linux: 2.6.12.1, iscsitarget-0.4.11

Graphical User Interface

- Configuration of the current implementation is quite complex.
- Use of a GUI would simplify the process.
- Simplify key generation and storage.
- User interface could be used for actual file transfers in addition to system configuration.
- Python will be used to generate the GUIs.

Example of Key Generation GUI

Transfer of Files of Arbitrary Size

- Current implementation is limited to the transfer of files in multiples of 1024 bytes.
- Transfer of files of arbitrary size is essential to make the implementation truly viable.
- The issue to be solved is padding the files such that problems do not arise at the iSCSI layer on the target.

Transfer of Files to Multiple Targets

- Current implementation allows transfer to one target.
- Ability to transfer to multiple targets is beneficial.
- Issues to be addressed:
  - Can the same keys be used for multiple transfers?
  - For security, would different keys be better?

Potential Usage for Disaster Recovery

- In view of Government regulations regarding security, privacy and accountability of stored data, disaster recovery is of increased importance.
- For security, the current implementation does not share the key for encrypting the payload.
- For disaster recovery this is a problem if the initiator is destroyed: there is no way to decrypt the payload.
- Is there a way around this?

Tools

- UltimateP2V: To produce virtual machine images of the siscsi and starget test-bed machines for use on VMWare.
- VMWare Server: Virtual machines on which to develop and test the implementation.
- Python: For generation of the graphical user interfaces.

Project Deliverables

- Project Proposal (this document).
- GUIs for configuration of initiator and target machines.
- User manuals for GUIs.
- Completed implementation:
  - Code for transfer of files of arbitrary size.
  - Code for transfer of files to multiple targets.
- Potential solutions for implementation of disaster recovery.
- Final project report and presentation.

Project Proposed Schedule

- Project Proposal: 24 April 2007
- Configuration GUIs: 8 May 2007
- Arbitrary Size File Transfer Code: 29 May 2007
- Transfer to Multiple Target Code: 11 June 2007
- Investigation into feasibility of disaster recovery: 18 June 2007
- Final Project Report: 18 June 2007
- Presentation Materials: 25 June 2007

Research

- Interaction of SCSI and iSCSI for transfer of files over TCP/IP.
- Understand how IPSec ESP is implemented and the changes added in previous research.
- Understanding of UltimateP2V to create virtual machine images.
- Understanding VMWare for installation and use of virtual machines.

Questions? Recommendations?

References

1. Ensuring Data Integrity: Logical Data Protection for Tape Systems, http://www.crossroads.com/Library/WhitePapers/FeaturedWhitePapers.asp
2. HIPAA. Health Insurance Portability and Accountability Act 1996, http://www.legalarchiver.org/hipaa.htm
3. The Sarbanes-Oxley Act 2002, http://www.legalarchiver.ord/soa.htm
4. Andrew Hiles, Surviving a Computer Disaster, Engineering Management Journal, December 1992
5. iSCSI for Storage Networking, http://www.snia.org/tech_activities/ip_storage/iSCSI_for_Storage_Networking.pdf
6. Fibre Channel – Overview of the Technology, http://www.fibrechannel.org/technology/overview.html
7. Ulf Troppens, Rainer Erkens and Wolfgang Müller, Storage Networks Explained: Basics and Application of Fibre Channel SAN, NAS, iSCSI and InfiniBand, 2004, Wiley & Sons Ltd, ISBN: 978-0-470-86182-0
8. Jane Shurtleff, IP Storage: A Review of iSCSI, FCIP, iFCP, http://www.iscsistorage.com/ipstorage.htm
9. Murthy S. Andukuri, Efficient Asymmetric Secure iSCSI, http://cs.uccs.edu/~gsc/pub/master/msanduku/doc/report_final.doc
10. Marc Farley, Storage Networking Fundamentals: An Introduction to Storage Devices, Subsystems, Applications, Management, and File Systems, Cisco Press, 2005, ISBN: 1-58705-162-1
11. Thomas C. Jepsen, Distributed Storage Networks: Architecture, Protocols and Management, 2003, Wiley & Sons Ltd, ISBN: 0-470-85020-5
12. Ulf Troppens, Rainer Erkens and Wolfgang Müller, Storage Networks Explained: Basics and Application of Fibre Channel SAN, NAS, iSCSI and InfiniBand, 2004, Wiley & Sons Ltd, ISBN: 978-0-470-86182-0
13. Yingping Lu and David H. C. Du, Performance Study of iSCSI-Based Storage Subsystems, IEEE Communications Magazine, August 2003, pp 76-82
14. John L. Hufferd, iSCSI The Universal Storage Connection, Addison Wesley, 2003, ISBN: 0-201-78419-X
15. iSCSI Technical White Paper, SNIA IP Storage Forum, http://www.snia.org/tech_activities/ip_storage/iSCSI_Technical_whitepaper.PDF
16. Integration Scenarios for iSCSI and Fibre Channel, SNIA IP Storage Forum, http://www.snia.org/tech_activities/ip_storage/iSCSI_FC_Integration_IPS.pdf
17. Shuang-Yi Tang, Ying-Pang Lu and David H. C. Du, Performance Study of Software-Based iSCSI Security, Proceedings of the First International IEEE Security in Storage Workshop (SISW ’02)
18. Friedhelm Schmidt, SCSI Bus and IDE Interface – Protocols, Applications and Programming, Addison-Wesley, 1995, ISBN: 0201422840
19. Irina Gerasimov, Alexey Zhuravlev, Mikhail Pershin and Dennis V. Gerasimov, Design and Implementation of a Block Storage Multi-Protocol Converter, Proceedings of the 20th IEEE/11th NASA Goddard Conference on Mass Storage Systems and Technologies (MSS’03)
20. A Conceptual Overview of iSCSI, http://docs.hp.com/en/6278/iSCSI_OV_whitepaper.pdf
21. iSCSI Protocol Concepts and Implementation, http://www.cisco.com/en/US/netsol/ns340/ns394/ns224/ns378/networking_solutions_white_paper09186a00800a90e4.shtml
22. iSCSI Building Blocks for IP Storage Networking, http://www.snia.org/tech_activities/ip_storage/iscsi/iSCSI_Building_Blocks_01.pdf

Additional Slides

SCSI (Small Computer Systems Interface)

- Standard device interface bus for I/O providing both storing and connecting functions.
- Dominant storage protocol for many years.
- Limitations:
  - Distance over which it can be used (several meters).
  - Scalability (limited number of devices on a bus).

Basic SCSI Architecture

iSCSI

- End-to-end protocol to enable transportation of storage I/O block data over IP networks.
- Utilizing TCP and IP, iSCSI facilitates remote backup, storage and data mirroring.
- Utilizes SCSI commands in its implementation.
- Can be implemented using a number of HBAs:
  - Software
  - Software with TCP Off-load
  - Silicon with TCP Off-load

iSCSI Protocol Layering Model
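
Added example for the "Transfer of Files of Arbitrary Size" slide (not part of the original slides or of the Efficient Asymmetric Secure iSCSI code): one reversible way to pad a file of any length to the next 1024-byte multiple, so the original length can be recovered on read-back and malformed padding is rejected. The function names, the 0x80-marker scheme (ISO/IEC 7816-4 style) and applying it on the initiator before the payload is encrypted are assumptions.

```python
BLOCK = 1024  # transfer unit from the slide: files must be multiples of 1024 bytes


def pad(data: bytes, block: int = BLOCK) -> bytes:
    """Append 0x80 then zeros so the result is a non-zero multiple of `block`.

    At least one byte is always added, so a file that is already an exact
    multiple gains one full block; that keeps removal unambiguous.
    """
    fill = block - (len(data) % block)  # 1..block bytes of padding
    return data + b"\x80" + b"\x00" * (fill - 1)


def unpad(padded: bytes, block: int = BLOCK) -> bytes:
    """Recover the original bytes; reject anything not produced by pad()."""
    if not padded or len(padded) % block:
        raise ValueError("length is not a positive multiple of the block size")
    tail = padded[-block:].rstrip(b"\x00")  # padding lives in the last block only
    if not tail.endswith(b"\x80"):
        raise ValueError("padding marker not found in final block")
    return padded[: len(padded) - block + len(tail) - 1]


def roundtrip_report(sizes):
    """Return (original size, padded size, recovered intact?) per sample."""
    rows = []
    for n in sizes:
        # Constructed sample data ending in 0x00/0x80 bytes, the worst case
        # for a marker-based scheme.
        data = (b"\x00\x80" * n)[:n]
        padded = pad(data)
        rows.append((n, len(padded), unpad(padded) == data))
    return rows


if __name__ == "__main__":
    for row in roundtrip_report([0, 1, 1023, 1024, 1500]):
        print(row)
```
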