Comments on: iSCSI on Solaris 10 x86 http://blog.scottlowe.org/2006/12/05/iscsi-on-solaris-10-x86/ The weblog of an IT pro specializing in virtualization, storage, and servers Wed, 08 Feb 2012 17:13:47 +0000 hourly 1 http://wordpress.org/?v= By: Michael http://blog.scottlowe.org/2006/12/05/iscsi-on-solaris-10-x86/comment-page-1/#comment-43548 Michael Thu, 05 Feb 2009 21:55:19 +0000 http://blog.scottlowe.org/?p=379#comment-43548 The bulk of the security settings / permissions is handled at the target side. That is where Ernie is directing you to. Depending on your storage solution, the manner in which you do it may differ, but basically you configure the target to say, "These are the specific initiators that are allowed to connect to this resource." Then it doesn't matter as much if someone can see the different targets since they won't be able to authenticate. Also for the sake of best practices you should always configure mutual CHAP authentication. It makes a little bit more work, but adds an important piece of security. The bulk of the security settings / permissions is handled at the target side. That is where Ernie is directing you to. Depending on your storage solution, the manner in which you do it may differ, but basically you configure the target to say, “These are the specific initiators that are allowed to connect to this resource.” Then it doesn’t matter as much if someone can see the different targets since they won’t be able to authenticate.

Also for the sake of best practices you should always configure mutual CHAP authentication. It makes a little bit more work, but adds an important piece of security.

]]> By: Ernie Oporto http://blog.scottlowe.org/2006/12/05/iscsi-on-solaris-10-x86/comment-page-1/#comment-41937 Ernie Oporto Tue, 14 Oct 2008 14:32:29 +0000 http://blog.scottlowe.org/?p=379#comment-41937 You want to use /etc/initiators.allow to define which target LUNs can be seen with from the initiator. This allow you to use discovery and "iscsiadm list target". Combine this with the CHAP authentication for some nice security. Both should probably be used as a best practice. You want to use /etc/initiators.allow to define which target LUNs can be seen with from the initiator. This allow you to use discovery and “iscsiadm list target”. Combine this with the CHAP authentication for some nice security. Both should probably be used as a best practice.

]]>