Your company has a single Active Directory domain. All servers run Windows Server 2008 R2. You install an iSCSI storage area network (SAN) for a group of file servers.
Corporate security policy requires that all data communication to and from the iSCSI SAN must be as secure as possible.
You need to implement the highest security available for communications to and from the iSCSI SAN.
What should you do?
A. Create a Group Policy object (GPO) to enable the System objects: Strengthen default permission of internal systems objects setting.
B. Create a Group Policy object (GPO) to enable the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing setting.
C. Implement IPsec security in the iSCSI Initiator Properties. Set up inbound and outbound rules by using Windows Firewall.
D. Implement mutual Microsoft Challenge Handshake Authentication Protocol (MS-CHAPv2) authentication in the iSCSI Initiator Properties. Set up inbound and outbound rules by using Windows Firewall.
Correct Answer: C
Explanation/Reference:
Security
Microsoft iSCSI Initiator supports using and configuring Challenge Handshake Authentication Protocol (CHAP) and Internet Protocol security (IPsec). All supported iSCSI HBAs also support CHAP; however, some may not support IPsec.
IPsec
IPsec is a protocol that provides authentication and data encryption at the IP packet layer. The Internet Key Exchange (IKE) protocol is used between peers to allow the peers to authenticate each other and negotiate the packet encryption and authentication mechanisms to be used for the connection.
Because Microsoft iSCSI Initiator uses the Windows TCP/IP stack, it can use all of the functionality that is available in the Windows TCP/IP stack. For authentication, this includes preshared keys, Kerberos protocol, and certificates. Active Directory is used to distribute the IPsec filters to computers running Microsoft iSCSI Initiator. 3DES and HMAC-SHA1 are supported, in addition to tunnel and transport modes.
Because iSCSI HBA has a TCP/IP stack embedded in the adapter, the iSCSI HBA can implement IPsec and IKE, so the functionality that is available on the iSCSI HBA may vary. At a minimum, it supports preshared keys and 3DES and HMAC-SHA1. Microsoft iSCSI Initiator has a common API that is used to configure IPsec for Microsoft iSCSI Initiator and iSCSI HBA.
Easier Firewall configuration for Windows Server 2008 R2 and Windows 7
Allowing the use of an Internet Storage Name Service (iSNS) server through the firewall is possible directly from the iSCSICLI command-line utility. However, you can still controll it through the Windows Firewall with Advanced Security, if desired.
To enable iSNS traffic for use with Microsoft iSCSI Initiator Use the following command to enable iSNS traffic through the firewall. This allows you to use an iSNS server with the local Microsoft iSCSI Initiator:
iscsicli FirewallExemptiSNSServer
Source: http://technet.microsoft.com/en-us/library/ee338480.aspx
