You need to implement the highest security available for communications to and from the iSCSI SAN

Your company has a single Active Directory domain. All servers run Windows Server 2008 R2. You
install an iSCSI storage area network (SAN) for a group of file servers. Corporate security policy
requires that all data communication to and from the iSCSI SAN must be as secure as possible. You
need to implement the highest security available for communications to and from the iSCSI SAN.
What should you do?

A.
Create a Group Policy object (GPO) to enable the System objects: Strengthen default permission
of internal systems objects setting.

B.
Create a Group Policy object (GPO) to enable the System cryptography: Use FIPS compliant
algorithms for encryption, hashing, and signing setting.

C.
Implement IPsec security in the iSCSI Initiator Properties. Set up inbound and outbound rules by
using Windows Firewall.

D.
Implement mutual Microsoft Challenge Handshake Authentication Protocol (MS-CHAPv2)
authentication in the iSCSI Initiator Properties. Set up inbound and outbound rules by using
Windows Firewall.

Explanation:

Of the four options, only IPsec (option C) protects the data itself. CHAP authenticates the initiator and target at session login but leaves the SCSI payload in cleartext, and the Microsoft iSCSI Initiator uses CHAP, not MS-CHAPv2. The two GPO settings in options A and B change system object permissions and the local cryptographic algorithm policy; neither authenticates or encrypts iSCSI traffic. The TechNet text below describes the initiator's security features.

Security

Microsoft iSCSI Initiator supports using and configuring Challenge Handshake Authentication Protocol (CHAP) and Internet Protocol security (IPsec). All supported iSCSI HBAs also support CHAP; however, some may not support IPsec.

IPsec

IPsec is a protocol that provides authentication and data encryption at the IP packet layer. The Internet Key Exchange (IKE) protocol is used between peers to allow the peers to authenticate each other and negotiate the packet encryption and authentication mechanisms to be used for the connection. Because Microsoft iSCSI Initiator uses the Windows TCP/IP stack, it can use all of the functionality that is available in the Windows TCP/IP stack. For authentication, this includes preshared keys, Kerberos protocol, and certificates. Active Directory is used to distribute the IPsec filters to computers running Microsoft iSCSI Initiator. 3DES and HMAC-SHA1 are supported, in addition to tunnel and transport modes. Because an iSCSI HBA has a TCP/IP stack embedded in the adapter, the iSCSI HBA can implement IPsec and IKE, so the functionality that is available on the iSCSI HBA may vary. At a minimum, it supports preshared keys and 3DES and HMAC-SHA1. Microsoft iSCSI Initiator has a common API that is used to configure IPsec for Microsoft iSCSI Initiator and iSCSI HBA.

Easier firewall configuration for Windows Server 2008 R2 and Windows 7

Allowing the use of an Internet Storage Name Service (iSNS) server through the firewall is possible directly from the iSCSICLI command-line utility. However, you can still control it through Windows Firewall with Advanced Security, if desired.

To enable iSNS traffic for use with Microsoft iSCSI Initiator

Use the following command to enable iSNS traffic through the firewall. This allows you to use an iSNS server with the local Microsoft iSCSI Initiator:

iscsicli FirewallExemptiSNSServer

Source: http://technet.microsoft.com/en-us/library/ee338480.aspx
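The following script is an added example and is not code from the original page or from the TechNet article it quotes. It scripts the option C configuration on a Windows Server 2008 R2 file server with netsh advfirewall (Windows Firewall with Advanced Security) and iscsicli, the two command-line tools that ship with that release: a connection security rule that requires IPsec for every iSCSI session between the initiator and the target, firewall rules that admit iSCSI traffic only when IPsec protects it, the iSNS exemption from the page, and a check that an IPsec security association actually exists after login. The addresses, the target IQN and the rule names are assumptions chosen for the example. The connection security rule applies to the software initiator because it uses the Windows TCP/IP stack; an iSCSI HBA with its own stack has to be configured through the HBA's IPsec settings. The quick-mode method list prefers AES-256 and only falls back to the 3DES/SHA-1 minimum the TechNet text mentions, and the comments note where Kerberos or certificate authentication should replace the pre-shared key when the target supports it.

```powershell
# Added example, not code from the original page or from Microsoft's documentation.
# Enforces IPsec for all iSCSI traffic from a Windows Server 2008 R2 file server
# to the SAN and adds matching Windows Firewall rules, using netsh advfirewall
# and iscsicli. Assumed values (not from the page): initiator 10.10.20.11,
# target portal 10.10.20.50:3260, iSNS server 10.10.20.5, target IQN
# iqn.2008-01.com.example:san01. Run from an elevated PowerShell prompt.

$Initiator  = '10.10.20.11'                   # assumed file server address
$Target     = '10.10.20.50'                   # assumed iSCSI target portal
$IsnsServer = '10.10.20.5'                    # assumed iSNS server
$TargetIqn  = 'iqn.2008-01.com.example:san01' # assumed target name
$IscsiPort  = 3260

# IKE pre-shared key for the SAN. PSK is the minimum the TechNet text says every
# iSCSI HBA supports. If the target is a domain-joined Windows system, replace
# auth1=computerpsk/auth1psk below with auth1=computerkerb or auth1=computercert,
# which do not leave a shared secret on the server.
$Psk = Read-Host -AsSecureString 'IKE pre-shared key for the SAN'
$PskPlain = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
    [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Psk))

function Invoke-Netsh {
    # Run netsh and fail loudly: a rejected parameter only shows up as a
    # non-zero exit code, and a silently missing rule means cleartext iSCSI.
    param([string[]]$NetshArgs)
    $out = & netsh.exe @NetshArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh $($NetshArgs -join ' ') failed: $out" }
    $out
}

# 1. Connection security rule: require IPsec in both directions for TCP 3260
#    between this initiator and the target. Quick-mode methods are listed in
#    order of preference: ESP with AES-256/SHA-1 first, ESP with 3DES/SHA-1 as
#    a fallback for targets that only implement the documented minimum.
Invoke-Netsh @('advfirewall','consec','add','rule',
    'name=iSCSI_SAN_RequireIPsec',
    "endpoint1=$Initiator", "endpoint2=$Target",
    'protocol=tcp', 'port1=any', "port2=$IscsiPort",
    'action=requireinrequireout',
    'auth1=computerpsk', "auth1psk=$PskPlain",
    'qmpfs=dhgroup14',
    'qmsecmethods=esp:sha1-aes256+60min+100000kb,esp:sha1-3des+60min+100000kb',
    'profile=domain')

# 2. Firewall rules: allow iSCSI only to/from the target address and only when
#    the connection is authenticated and encrypted by IPsec (security=authenc).
Invoke-Netsh @('advfirewall','firewall','add','rule',
    'name=iSCSI_SAN_Out', 'dir=out', 'action=allow', 'protocol=tcp',
    "remoteip=$Target", "remoteport=$IscsiPort", 'security=authenc', 'profile=domain')
Invoke-Netsh @('advfirewall','firewall','add','rule',
    'name=iSCSI_SAN_In', 'dir=in', 'action=allow', 'protocol=tcp',
    "remoteip=$Target", "localport=$IscsiPort", 'security=authenc', 'profile=domain')

# 3. iSNS: register the server and open the firewall for it, as the page shows.
& iscsicli AddiSNSServer $IsnsServer
& iscsicli FirewallExemptiSNSServer

# 4. Discover and log on to the target through the protected path.
& iscsicli QAddTargetPortal $Target
& iscsicli QLoginTarget $TargetIqn

# 5. Check: a quick-mode SA with the target must exist after the login. If it
#    does not, the login either failed or the session is not IPsec-protected.
$qmsa = & netsh advfirewall monitor show qmsa
if ($qmsa -match [regex]::Escape($Target)) {
    "IPsec quick-mode SA to $Target is up; iSCSI traffic is encrypted."
} else {
    throw "No IPsec SA to $Target; do not place data on this session."
}
```

The connection security rule is what enforces encryption; the firewall rules with security=authenc only narrow which peer and port may be used. Step 5 is the check to keep: an iSCSI login that succeeds without a quick-mode SA means the rule did not match the traffic, and the data is crossing the wire in the clear.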
