iSCSI on XCP-ng - Security Best Practices

Linux

Audience
Public
Product
FlashBlade
FlashArray
Technology Integrations
Linux
Source Type
Documentation

Network Security

Dedicated Storage Network

Why use dedicated storage networks:

  • Isolation: Storage traffic cannot be intercepted from management/VM networks

  • Performance: No bandwidth competition with other traffic

  • Simplicity: Easier troubleshooting and monitoring

Implementation:

  • Use separate physical NICs or VLANs for storage traffic

  • Isolate at switch level (separate VLANs, ACLs)

  • Consider separate physical switches for maximum isolation

Firewall Configuration

Warning:

Recommended: Disable host-based firewall on dedicated storage interfaces. Network isolation (VLANs, dedicated switches) provides security at the infrastructure layer where it belongs.

Why disable filtering on storage interfaces:

  • CPU overhead: Firewall packet inspection adds latency and consumes CPU cycles

  • Performance impact: At high IOPS, filtering overhead becomes significant

  • Network isolation: Dedicated storage VLANs provide security at the network layer

  • Simplicity: No port rules to maintain for storage traffic

If filtering is required (e.g., shared network):

# Allow only iSCSI traffic on storage interfaces
iptables -A INPUT -i ens1f0 -p tcp --dport 3260 -j ACCEPT  # iSCSI
iptables -A INPUT -i ens1f0 -j DROP  # Drop all other traffic

Required Ports (if using port filtering):

  • iSCSI: Port 3260

Access Control

Storage Array Configuration:

  • Register only authorized host identifiers

  • iSCSI: Initiator IQN

  • FC: WWPN

  • Map volumes only to specific hosts

  • Use host groups for clustered environments

Verify host identifier:

# iSCSI: Check initiator IQN
cat /etc/iscsi/initiatorname.iscsi
# Example: InitiatorName=iqn.2004-10.com.ubuntu:01:abc123def456

Authentication

CHAP Authentication (iSCSI)

Why use CHAP:

  • Prevents unauthorized initiators from connecting

  • Provides mutual authentication (bidirectional CHAP)

  • Required in some compliance frameworks

Configure CHAP:

# Edit /etc/iscsi/iscsid.conf
node.session.auth.authmethod = CHAP
node.session.auth.username = <initiator_username>
node.session.auth.password = <initiator_password>

# For mutual (bidirectional) CHAP:
node.session.auth.username_in = <target_username>
node.session.auth.password_in = <target_password>

CHAP best practices:

  • Use unique credentials per initiator

  • Rotate passwords periodically

  • Store credentials securely

  • Use bidirectional CHAP for maximum security

iSCSI Header Digest

Enable header and data digests for integrity:

# Edit /etc/iscsi/iscsid.conf
node.conn[0].iscsi.HeaderDigest = CRC32C
node.conn[0].iscsi.DataDigest = CRC32C

Note: Enabling digests adds CPU overhead but ensures data integrity.

Operating System Hardening

Kernel Parameters

Disable unnecessary features:

# /etc/sysctl.d/99-storage-security.conf

# Disable source routing
net.ipv4.conf.all.accept_source_route = 0

# Disable ICMP redirects on storage interfaces
net.ipv4.conf.ens1f0.accept_redirects = 0
net.ipv4.conf.ens1f1.accept_redirects = 0

# Enable reverse path filtering
net.ipv4.conf.ens1f0.rp_filter = 1
net.ipv4.conf.ens1f1.rp_filter = 1

Service Hardening

Limit iSCSI service exposure:

# Bind iscsid to storage interfaces only
# In /etc/iscsi/iscsid.conf (if supported):
# iface.net_ifacename = ens1f0

Audit and Compliance

Logging

Enable detailed logging:

# iSCSI logging
echo "module iscsi_tcp +p" > /sys/kernel/debug/dynamic_debug/control

# Monitor authentication failures
journalctl -u iscsid | grep -i "auth\|chap\|login"

Regular Security Review

Checklist:

  • [ ] Review storage array access lists quarterly

  • [ ] Rotate CHAP credentials annually

  • [ ] Audit network ACLs and VLAN configurations

  • [ ] Test failover procedures semi-annually

  • [ ] Review and update firewall rules as needed

CHAP Authentication

Configure CHAP on iSCSI targets:

CHAP credentials can be configured when creating the SR via Xen Orchestra or xe CLI:

# Create SR with CHAP authentication
xe sr-create name-label="iSCSI Storage" type=lvmoiscsi shared=true \
    device-config:target=<PORTAL_IP> \
    device-config:targetIQN=<TARGET_IQN> \
    device-config:SCSIid=<SCSI_ID> \
    device-config:chapuser=<USERNAME> \
    device-config:chappassword=<PASSWORD>

Network Isolation

Best practices for storage network security: 1. Dedicated VLANs: Isolate storage traffic on separate VLANs 2. No default gateway: Storage interfaces should not have default routes 3. Physical isolation: When possible, use dedicated switches 4. Access control: Use storage array ACLs to restrict initiator access