StarWind Security and network use.

Software-based VM-centric and flash-friendly VM storage + free version


Han
Posts: 16
Joined: Tue May 29, 2007 1:36 pm

Mon Jun 04, 2007 2:30 pm

I know port 3260 is the iSCSI port. But when I issue a netstat -an when the StarWind service runs it seems to listen on 3261 too. What's the purpose of this port?
Also I'm a bit confused about security. Authentication can be required twice: once for the connection between management console and the service and the other for the connection between iSCSI initiator and StarWind (target). Correct?
The console connects to the service through port 3260. Correct?
So does the console configure the service through SCSI commands, or is there another protocol used through port 3260 for communication between console and service?
And what's the exact difference between the screens from F2 and F3?

Regards,
Han Valk.
Bohdan (staff)
Staff
Posts: 435
Joined: Wed May 23, 2007 12:58 pm

Tue Jun 05, 2007 7:23 am

Han,

Port 3260 is for data (iSCSI). Port 3261 is for communications between client and server.

To manage the StarWind target server you have to specify a user name and password during the management console connection. By default there is no authentication between the iSCSI initiator and StarWind, but optionally you can assign an IPSec policy or configure CHAP authentication.

...

F2 (if a connection is selected, for example localhost:3260) is the Preferences of this connection (management console side); otherwise it is the StarWind preferences (Language, Logging).
F3 edits the configuration of a specific connection (service side).
Management console and service can be installed on different machines.
Han
Posts: 16
Joined: Tue May 29, 2007 1:36 pm

Tue Jun 05, 2007 7:48 am

Thanks for this very good answer.
StarWind offers the possibility to restrict the service to listen on just 1 IP address, at least as far as iSCSI goes.
Wouldn't it, security-wise, be a good idea to build in the option to restrict the control channel to a certain IP address as well?
iSCSI traffic preferably is carried by a separate network from management and 'normal' traffic. So the ideal scenario would be an iSCSI host with at least 2 NICs, one for iSCSI and one for management.

Han.
Val (staff)
Posts: 496
Joined: Tue Jun 29, 2004 8:38 pm

Tue Jun 05, 2007 8:35 am

Han wrote:
> Thanks for this very good answer.
> StarWind offers the possibility to restrict the service to listen on just 1 IP address, at least as far as iSCSI goes.
> Wouldn't it, security-wise, be a good idea to build in the option to restrict the control channel to a certain IP address as well?
> iSCSI traffic preferably is carried by a separate network from management and 'normal' traffic. So the ideal scenario would be an iSCSI host with at least 2 NICs, one for iSCSI and one for management.
>
> Han.

Han,

Thank you for the suggestions.
We'll add the feature to StarWind in one of the next releases.
Best regards,
Valeriy
Bohdan (staff)
Staff
Posts: 435
Joined: Wed May 23, 2007 12:58 pm

Tue Jun 05, 2007 8:41 am

Han,
SANs are really not expected to be used in a DMZ or outside corporate LANs (no gateway to WAN, in other words).
So there is no necessity for separating management and data traffic.
But we'll think about your suggestion.
Han
Posts: 16
Joined: Tue May 29, 2007 1:36 pm

Tue Jun 05, 2007 12:50 pm

bohdan (staff) wrote:
> Han,
> SANs are really not expected to be used in a DMZ or outside corporate LANs (no gateway to WAN, in other words).
> So there is no necessity for separating management and data traffic.
> But we'll think about your suggestion.

Well, if security is not a concern, then why offer IPsec as a means of encrypting iSCSI traffic? I.M.H.O. best practice would be to separate management from data traffic. Security is one reason to do it.

Han.
Bohdan (staff)
Staff
Posts: 435
Joined: Wed May 23, 2007 12:58 pm

Tue Jun 05, 2007 1:18 pm

Han,
Thank you very much for the great suggestions!
We'll really add the feature to StarWind in one of the next releases.
We'll do our best to make StarWind more secure and reliable.
:)
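
The `netstat -an` check from the first post, as an added example that is not part of the original thread and is not StarWind code: it parses Windows-style `netstat -an` output and reports whether the iSCSI port (3260) or the management port (3261) listens on all interfaces, and whether 3261 is reachable on an address used for iSCSI. The sample output, the addresses and the function names are constructed for illustration.

```python
import ipaddress

# Port roles as stated in this thread.
PORT_ROLES = {3260: "iSCSI data", 3261: "management/control"}

# Constructed sample of Windows `netstat -an` output (not from a real host).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    10.10.10.5:3260        0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3261           0.0.0.0:0              LISTENING
  TCP    10.10.10.5:3260        10.10.10.21:49712      ESTABLISHED
  TCP    [::]:3261              [::]:0                 LISTENING
  UDP    0.0.0.0:500            *:*
"""

def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host.strip("[]").split("%")[0]), int(port)

def listeners(netstat_text):
    """Map each port of interest to the set of addresses it listens on."""
    found = {port: set() for port in PORT_ROLES}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue  # headers, UDP rows and non-listening sockets
        addr, port = split_endpoint(fields[1])
        if port in found:
            found[port].add(addr)
    return found

def audit(netstat_text):
    """Return findings about how ports 3260 and 3261 are exposed."""
    found = listeners(netstat_text)
    findings = []
    for port in sorted(found):
        for addr in sorted(found[port], key=str):
            if addr.is_unspecified:  # 0.0.0.0 or :: means every interface
                findings.append(f"{port} ({PORT_ROLES[port]}) listens on all interfaces ({addr})")
    data_addrs = {a for a in found[3260] if not a.is_unspecified}
    wild_versions = {a.version for a in found[3261] if a.is_unspecified}
    for addr in sorted(data_addrs, key=str):
        if addr in found[3261] or addr.version in wild_versions:
            findings.append(f"3261 is reachable on iSCSI address {addr}")
    return findings
```

Calling `audit()` on saved `netstat -an` output from the target host returns an empty list when each port is bound only to its own dedicated address.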