Configuring iSCSI security
One major risk with enabling iSCSI storage is the ease with which it can be deployed and configured in an insecure fashion. Not so long ago, enterprise storage was primarily based on Fibre Channel technology and used almost exclusively for infrastructure supporting mission-critical business applications. Today, iSCSI provides a cost-effective alternative that lets smaller businesses implement shared storage supporting a VMware cluster, for example.
All iSCSI network traffic should always be segmented from all other network traffic on a separate subnet. In addition to segmentation, authentication between the ESXi host (initiator) and the target (SAN or NAS) is recommended to guard against man-in-the-middle attacks. This additional layer of security is provided by the Challenge Handshake Authentication Protocol (CHAP).
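The CHAP exchange recommended above, as an added example that is not part of the original text: the response is an MD5 digest over an identifier, the shared secret and a random challenge (RFC 1994), so the secret itself never crosses the storage network. The example also runs the reverse direction (mutual CHAP), in which the host challenges the target; the dictionaries, secrets and the `enforce` flag are constructed for illustration.

```python
import hashlib
import hmac
import os

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP (RFC 1994, MD5): digest of identifier byte || secret || challenge."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def run_direction(verifier_secret: bytes, prover_secret: bytes) -> bool:
    """One CHAP direction. Only ident, challenge and response cross the wire."""
    ident, challenge = os.urandom(1)[0], os.urandom(16)        # verifier -> prover
    response = chap_response(ident, prover_secret, challenge)  # prover -> verifier
    expected = chap_response(ident, verifier_secret, challenge)
    return hmac.compare_digest(expected, response)

def initiator_login(host: dict, target: dict, mutual: bool) -> bool:
    """Return True if the host completes login to `target`."""
    # Target authenticates the host. A device that does not enforce CHAP
    # (enforce=False) accepts whatever response it receives.
    if target["enforce"] and not run_direction(target["chap"], host["chap"]):
        return False
    # Mutual CHAP: the host challenges the target in turn.
    if mutual and not run_direction(host["mutual"], target["mutual"]):
        return False
    return True

# Constructed sample secrets and devices (assumptions, not from any real system).
HOST = {"chap": b"host-secret-0001", "mutual": b"target-secret-02"}
SAN = {"enforce": True, "chap": b"host-secret-0001", "mutual": b"target-secret-02"}
UNKNOWN = {"enforce": False, "chap": b"", "mutual": b"guess"}  # lacks both secrets

if __name__ == "__main__":
    print("SAN, one-way CHAP:    ", initiator_login(HOST, SAN, mutual=False))
    print("SAN, mutual CHAP:     ", initiator_login(HOST, SAN, mutual=True))
    print("unknown, one-way CHAP:", initiator_login(HOST, UNKNOWN, mutual=False))
    print("unknown, mutual CHAP: ", initiator_login(HOST, UNKNOWN, mutual=True))
```

With one-way CHAP the host proves its identity to the target but receives no proof in return, so only the mutual setting causes the host to refuse a device that does not hold the target secret.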
Getting ready
In order to proceed, we require access to vSphere Web Client...