6.1 Ensure bidirectional CHAP authentication for iSCSI traffic is enabled

Information

vSphere allows for the use of bidirectional authentication of both the iSCSI target and host. Bidirectional Challenge-Handshake Authentication Protocol (CHAP), also known as Mutual CHAP, should be enabled to provide bidirectional authentication.

Rationale:

By not authenticating both the iSCSI target and host, there is a potential for a man-in-the-middle attack in which an attacker might impersonate either side of the connection to steal data. Bidirectional authentication can mitigate this risk.

Note: Choosing not to enforce bidirectional authentication can make sense if you create a dedicated network or VLAN to service all your iSCSI devices. If the iSCSI facility is isolated from general network traffic, it is less vulnerable to exploitation.

Solution

To enable bidirectional CHAP authentication for iSCSI traffic, perform the following:

From the vSphere Web Client, navigate to 'Hosts and Clusters'.

Click on a host.

Click on 'Configure' -> 'Storage' -> 'Storage Adapters'.

Select the iSCSI adapter to configure OR click the green plus symbol to create a new adapter.

Under Adapter Details, click the Properties tab and click 'Edit' in the Authentication panel.

Specify authentication method: 'Use bidirectional CHAP'.

Specify the outgoing CHAP name.

Make sure that the name you specify matches the name configured on the storage side.

To set the CHAP name to the iSCSI adapter name, select 'Use initiator name'.

To set the CHAP name to anything other than the iSCSI initiator name, deselect 'Use initiator name' and type a name in the Name text box.

Enter an outgoing CHAP secret to be used as part of authentication. Use the same secret as your storage side secret.

Specify incoming CHAP credentials. Make sure your outgoing and incoming secrets do not match.

Click OK.

Click the second to last symbol to rescan the iSCSI adapter.

Alternately, run the following PowerCLI command:

# Set the Chap settings for the Iscsi Adapter
Get-VMHost | Get-VMHostHba | Where {$_.Type -eq 'Iscsi'} | Set-VMHostHba # Use desired parameters here

See Also

https://workbench.cisecurity.org/benchmarks/8020

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|IA-5, 800-53|IA-5(1), 800-53|SC-8, 800-53|SC-8(1), CSCv7|16.5

Plugin: VMware

Control ID: 70edbb6496e83a5b405299d3496744d2b45bef3eae085928254ae6f94afdad0e