Iscsi Security; Insecure Scsi presented at SyScan 2005

by Himanshu Dwivedi,

Tags: Security

Summary : iSCSI is insecure. SCSI calls have traditionally been used from an IDE hard drive to the motherboard
(the grey ribbon inside your computer). iSCSI takes all the benefits of SCSI and the connectivity of
IP to provide large volumes of storage dynamically to any machine, any time, over any IP network.
While iSCSI brings a tremendous amount of connectivity benefits, it simply has ignored security. Any
protocol or product that controls large volumes of critical data should strongly support the core
principles of security, including authentication, authorization, and availability. Unfortunately iSCSI
does not support these aspects very well nor does it enable many of these principles by default.
Furthermore, vendors like Microsoft, Cisco, NetApp, and EMC are pushing iSCSI into the market, but
are failing to address the security issues that their customers will face.The iSCSI Security presentation will contain three specific sections to educate users about the
drastic security problems that are being overlooked with iSCSI storage. The presentation will include
an Introduction/Protocol Overview, a description and demonstration of iSCSI Attacks, information on the
iSCSI Defenses for each attack identified, and a short Conclusion. The presenter will described the
security weaknesses, issues, and exploits concerning authentication and authorization and will follow-up
each discussion with a demonstration of the actual attack. iSCSI attacks will show how 300 gigabytes of
data can be compromised over the IP network without a single username of password. The attack demonstration
will show how application and operating system security is important, but should not overshadow storage
devices. The demonstration will also show that a compromise of a storage device can be equal to compromising
10 to 20 applications and/or operating systems combined, both of which are accessible over the IP network.