iSCSI planning: Targets, availability, and security

The second article in a two-part series examines iSCSI storage subsystems, data/application availability, and security requirements.

By Saqib Jang

End users are beginning to consider the iSCSI protocol for more cost-effective and less resource-intensive server and storage consolidation for a range of Windows applications, including Exchange, SQL Server-based transaction processing and decision support, and back-end block storage for Windows file services. The opportunity to reduce acquisition and operational costs by deploying IP-based storage area networks (SANs), especially for applications requiring less performance compared to Fibre Channel, is luring small to large enterprises alike to iSCSI.

Nonetheless, effective iSCSI implementations require thorough preparation, including defining application, performance, scalability, security, and availability requirements.

This article covers iSCSI targets, availability, and security requirements. A previous article covered initiator, application, and performance requirements (see "iSCSI planning: Apps, performance, and initiators," InfoStor, October 2003, p. 51).

iSCSI targets

iSCSI targets are devices that receive iSCSI-based block storage requests from iSCSI initiators. iSCSI targets can be segmented into two categories, which Microsoft calls fixed-function targets and variable-function targets.

A fixed-function target is a native iSCSI device. Examples include iSCSI disk arrays from vendors such as Adaptec, EqualLogic, IBM, Intransa, LeftHand Networks, LSI, and Network Appliance, as well as iSCSI tape devices from vendors such as ADIC and Spectra Logic.

A variable-function iSCSI target acts as a bridge between iSCSI and another protocol, enabling administrators to use existing storage systems, such as Fibre Channel or SCSI arrays, as iSCSI targets. The most common example is a bridge between iSCSI and Fibre Channel devices. These bridges attach to the storage network using iSCSI, but allow the actual storage system to be a Fibre Channel device. iSCSI bridges/routers are available from a range of vendors, including ATTO Technology, Cisco, Crossroads, FibreStream, McData, and SANRAD. Some iSCSI targets, such as StoneFly Networks' Storage Concentrator, combine fixed- and variable-function capabilities in the same device.

Factors to consider in determining the appropriate approach for iSCSI target deployment include your existing storage and networking environment, cost, and scalability requirements.

iSCSI disk arrays from start-ups such as EqualLogic and Intransa provide significantly lower cost-per-megabyte capacity versus Fibre Channel arrays, as well as specific tools for managing applications such as Exchange and SQL Server and features for virtualization, snapshots, and replication.

"EqualLogic's iSCSI storage system allowed us to address two important requirements for our Microsoft Exchange deployment, even while facing stringent budget constraints," says Shawn Eveleigh, senior systems administrator for Zenon, a developer of technologies for water purification and wastewater treatment. "Exchange storage consolidation permitted optimized utilization of Exchange server and storage capacity, while enabling as-needed capacity allocation."

Besides addressing DAS-to-IP SAN migration, Network Appliance's iSCSI support addresses the need for "unified" (multi-protocol and/or multi-architecture) storage solutions. Network Appliance provides iSCSI target support on all its storage systems, including the fabric-attached storage (FAS) line that provides network-attached storage (NAS) and Fibre Channel SAN support.

"Large enterprises are likely to use iSCSI for SANs in departmental and remote data centers, while also using NAS for file sharing and Fibre Channel SANs for mission-critical applications in the core data center," says David Dale, an "industry evangelist" at Network Appliance. "Small and mid-sized enterprises, on the other hand—where SAN penetration is low today—may elect to deploy an IP-only SAN that leverages iSCSI while using NAS for file sharing."

iSCSI bridges and routers are key building blocks for integrating a Fibre Channel infrastructure with IP SANs, while simplifying management via capabilities such as virtualization, high availability, and security.

For example, Cisco's IP Storage Services Module, which is available with its MDS 9000 series switches and directors, provides bridging between iSCSI and Cisco-based Fibre Channel SAN domains. "When IP-attached servers are added to an MDS 9000 storage network, they are transparently added to the appropriate VSAN [Virtual SAN], Fibre Channel Name Server, Zone Server, and MDS 9000 management infrastructure," says Ed Chapman, senior director of marketing in Cisco's Enterprise Storage Division.

For smaller, departmental-level iSCSI deployments requiring integration of existing Fibre Channel storage systems into an IP SAN, products from vendors such as StoneFly Networks and FibreStream may be more appropriate. These vendors' iSCSI routers provide storage management across Fibre Channel or SCSI disk arrays exposed as iSCSI targets to iSCSI hosts. In this way, "Tier 2" Fibre Channel storage, which may have been replaced with newer higher-performance models, can be "re-purposed" to save acquisition costs.

"iSCSI has been key to our need for Tier 2 and Tier 3 application servers to fully leverage the benefits of storage consolidation," says Ken Walters, senior director of enterprise platforms at PBS, an early adopter of StoneFly Networks' iSCSI-based Storage Concentrators. "StoneFly's storage management capabilities and provisioning of logical volumes has allowed us to better virtualize, and therefore, utilize, our existing Fibre Channel storage. iSCSI integrates very well into our Fibre Channel SAN."

High availability

Windows server applications (e.g., Exchange, SQL Server, and Windows file services) continue to evolve in availability requirements, with downtime being viewed as a serious business risk. iSCSI deployment can provide cost-effective application and data availability for such applications.

Microsoft Clustering Services (MSCS) is the standard high-availability server clustering solution for Microsoft's suite of messaging, file/print, Web services, and line-of-business applications. For sites using MSCS via direct-attached SCSI connections, iSCSI promises a cost-effective path to storage consolidation.

Until iSCSI, MSCS required relatively complex Fibre Channel-based server-to-storage connections for storage consolidation. When multiple servers share access to the same storage, as with MSCS clusters, configuration of Fibre Channel SANs can be difficult. For example, one improperly configured system can impact the entire SAN. iSCSI clusters, unlike Fibre Channel clusters, do not require complex configurations.

"iSCSI configuration for Microsoft Clustering Services is easily accomplished, with little need for intervention by system administrators," claims Zane Adam, director of marketing and product management in Microsoft's Enterprise Storage Division. "Changes introduced by hardware replacement are largely transparent with iSCSI, but can be a source of errors in Fibre Channel implementations."

While clustering services address server hardware and software failures, an effective storage consolidation strategy also requires planning against failure of physical path components—such as network ports, adapters, cables, and switches—between servers and iSCSI storage targets.

Redundant server-to-SAN connectivity solutions provide fail-over through the use of redundant path components between servers and storage systems. In the event that one or more of these components fails, applications can still access their data. Fault tolerance is not the only benefit of redundant server-to-SAN connectivity; it also redistributes the read/write load among multiple paths between server and storage devices, thereby helping to remove bottlenecks and balance workloads. iSCSI offers a number of options for redundant server-to-SAN connectivity, depending on cost and performance requirements.

For low-end and midrange servers running iSCSI software initiators, users can employ "adapter teaming," a feature available on Gigabit Ethernet network interface cards from vendors such as Intel and Broadcom. Combining adapter teaming with iSCSI initiator software enables users to configure a high-availability iSCSI architecture. Adapter teaming allows two Ethernet network interfaces to act as one logical interface, using only one IP address and providing port fail-over as well as load balancing.

For higher-end servers running mission-critical iSCSI applications, users can employ multi-pathing software packages from vendors such as EMC, Hewlett-Packard, and Veritas running on iSCSI host bus adapters (HBAs) from vendors such as Adaptec, Emulex, iReady, and QLogic. Coupled with Microsoft's recently announced plans for multi-pathing within Windows, iSCSI should enable cost-effective deployment of robust multi-pathing software for mission-critical server applications.

Security

Security in a traditional Fibre Channel SAN is achieved primarily by implementing zoning services. Zoning provides the ability to restrict communication between various end points within a Fibre Channel SAN. While zoning may suffice as the primary security scheme for Fibre Channel SANs, iSCSI deployments require stricter security measures because IP-based block storage connections could potentially span the enterprise.

The iSCSI protocol specifies a variety of security capabilities, including the use of Challenge Handshake Authentication Protocol (CHAP) during initial iSCSI login to restrict access to targets. In addition, the use of IP Security (IPSec) is recommended to ensure that iSCSI end points (initiators and targets) are authentic and to maintain privacy and integrity of transferred data.
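A worked model of the CHAP login step just described, added here as an example (it is not code from the article or from any vendor named in it): the target issues a random challenge, the initiator answers with MD5 over the CHAP identifier, shared secret and challenge (CHAP_A=5 in iSCSI login terms), and the target verifies the answer. The user name, secret and challenge length are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
# Added example, not from the article: a model of the one-way CHAP exchange
# iSCSI uses at login (CHAP_A=5, MD5); names and secrets below are constructed.

def decode_value(text: str) -> bytes:
    """iSCSI binary values arrive as 0x<hex> or 0b<base64>."""
    if text.startswith("0x"):
        return bytes.fromhex(text[2:])
    if text.startswith("0b"):
        return base64.b64decode(text[2:])
    raise ValueError("unsupported binary encoding")

def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response: MD5(identifier octet || secret || challenge)."""
    if not 0 <= chap_id <= 255:
        raise ValueError("CHAP identifier must fit in one octet")
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()

def target_issue_challenge(chap_id: int, nbytes: int = 16) -> dict:
    """Target -> initiator: a fresh, unpredictable challenge for this login."""
    return {"CHAP_A": "5", "CHAP_I": str(chap_id),
            "CHAP_C": "0x" + secrets.token_bytes(nbytes).hex()}

def initiator_respond(name: str, secret: bytes, chal: dict) -> dict:
    """Initiator -> target: proves knowledge of the secret without sending it."""
    r = chap_response(int(chal["CHAP_I"]), secret, decode_value(chal["CHAP_C"]))
    return {"CHAP_N": name, "CHAP_R": "0x" + r.hex()}

def target_verify(resp: dict, chal: dict, secret_db: dict) -> bool:
    """Target side: unknown name, wrong secret or a stale challenge all fail."""
    secret = secret_db.get(resp.get("CHAP_N", ""))
    if secret is None:
        return False
    expected = chap_response(int(chal["CHAP_I"]), secret, decode_value(chal["CHAP_C"]))
    try:  # constant-time comparison so timing does not leak the expected value
        return hmac.compare_digest(expected, decode_value(resp.get("CHAP_R", "0x")))
    except ValueError:
        return False

def demo() -> dict:
    db = {"exchange-srv1": b"constructed-secret-of-16b"}  # constructed credential
    chal = target_issue_challenge(chap_id=7)
    good = initiator_respond("exchange-srv1", db["exchange-srv1"], chal)
    bad = initiator_respond("exchange-srv1", b"guessed-secret", chal)
    later = target_issue_challenge(chap_id=8)  # next login gets a new challenge
    return {"good": target_verify(good, chal, db), "wrong_secret": target_verify(bad, chal, db),
            "replayed": target_verify(good, later, db)}
```

This is one-way CHAP: it restricts which initiators may log in to the target, but gives the initiator no proof of the target's identity, which is why the article pairs it with IPSec for end-point authenticity.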

At the outset, iSCSI SANs will most likely be physically isolated from the primary data network, similar to Fibre Channel SANs. However, the simplicity of IP-based access renders iSCSI SANs more prone to security breaches and puts data stored over even a physically isolated iSCSI network at risk. By using IPSec-based iSCSI initiators, a physically isolated SAN can no longer be accessed without the proper authentication. For example, Microsoft's iSCSI software initiator provides support for IPSec-based security for iSCSI server connections.

The deployment of secure iSCSI connections and the ubiquity of TCP/IP will enable new SAN applications, while providing end-to-end network security. Since iSCSI security is based on the same technology used for TCP/IP security today, a single SAN with secure iSCSI initiators can easily span over a WAN with storage devices and servers in multiple locations. By providing security in iSCSI end-nodes, the storage network and data network can eventually converge to maximize network bandwidth usage, lower network management costs, and share the same fabric switch equipment, without the concern of security breaches and illegal access to information.

The iSCSI standard requires that IPSec be implemented, but does allow its use to be optional. Accordingly, before deploying iSCSI, administrators should carefully review the security requirements and configuration of the iSCSI SAN. It is important to note that not all hardware vendors include support for IPSec.

"Users are recognizing the ever-increasing importance of security," says Ryo Koyama, CEO of iReady Corp. "IPSec and iSCSI may serve as a catalyst to drive cost-effective hardware security solutions into the mainstream."

What barriers exist to the pervasive deployment of iSCSI security? IPSec is a complex technology with many software and hardware components. The combination of IPSec and SAN technology requires new management tools and high-level integration of storage and security to ensure that secure iSCSI SANs are easy to deploy and manage.

"Most users that are concerned about security will initially deploy IP SANs that are isolated from the primary data network. Over time, IPSec will be deployed in a merged network with a lower cost of ownership as storage management solutions become IPSec-aware," says Ron Kroesen, vice president of marketing and sales at Silverback Systems, a developer of acceleration hardware for iSCSI initiators and targets.

iSCSI HBAs and storage systems are available with and without IPSec security. If security is required, there are several key attributes that are important in selecting the optimum solution. Some products may offer support for IPSec security with limited performance. If enabling IPSec security drops the throughput performance of a Gigabit Ethernet iSCSI HBA to unacceptable levels, why buy an HBA in the first place? Using a software initiator could be more practical and less expensive. Solutions that offer full Gigabit Ethernet wire speed accelerate IPSec by offloading the most compute-intensive functions to hardware. When purchasing iSCSI products in which IPSec is a requirement, be sure to determine if such hardware is included.

Saqib Jang is founder and principal at Margalla Communications, a Woodside, CA-based strategic and technical marketing consulting firm focused on storage networking. He can be contacted at saqibj@margallacomm.com.

This article was originally published on February 01, 2004