Information
Implementing bidirectional CHAP authentication for iSCSI connections elevates security by requiring mutual verification between the initiator (client) and the target (server), ensuring data integrity during transmission. Configuration involves setting the iSCSI storage adapter authentication to "Use bidirectional CHAP" and providing the requisite credentials. This setup ensures that all communication between the client and server remains secure and unaltered, significantly reducing the risk of data interception by unauthorized entities. The governing parameter is the iSCSI storage adapter authentication method, which is set to "Use bidirectional CHAP"; the recommended setting is Enabled.
Employing bidirectional CHAP authentication significantly minimizes risks associated with data interception or alteration by unauthorized entities during transmissions between the initiator and target. This additional layer of security is crucial in maintaining data integrity and confidentiality in iSCSI connections.
Solution
To enable bidirectional CHAP authentication for iSCSI traffic, perform the following:
- From the vSphere Web Client, select the host.
- Click Configure, then expand Storage.
- Select Storage Adapters then select the iSCSI Adapter.
- Under Properties, click Edit next to Authentication.
- Next to Authentication Method select Use bidirectional CHAP from the dropdown.
- Specify the outgoing CHAP name.
  - Make sure that the name you specify matches the name configured on the storage side.
  - To set the CHAP name to the iSCSI adapter name, select "Use initiator name".
  - To set the CHAP name to anything other than the iSCSI initiator name, deselect "Use initiator name" and type a name in the Name text box.
- Enter an outgoing CHAP secret to be used as part of authentication. Use the same secret as your storage side secret.
- Specify incoming CHAP credentials. Make sure your outgoing and incoming secrets do not match.
- Click OK.
- Click the second to last symbol, labeled Rescan Adapter.
Alternatively, run the following PowerCLI command:
# Set the CHAP settings for the iSCSI adapter
Get-VMHost | Get-VMHostHba | Where-Object {$_.Type -eq "Iscsi"} | Set-VMHostHba # Use desired parameters here
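One way to fill in the parameters left open above, as an added example that is not part of the original benchmark text: it audits every iSCSI adapter, then sets required outgoing CHAP plus mutual (incoming) CHAP on the adapters that are not yet compliant. It assumes an active Connect-VIServer session and that one credential pair applies to every host returned by Get-VMHost; both CHAP names are constructed placeholders.

```powershell
# Added example, not from the original benchmark text.
# Assumes an active Connect-VIServer session; the CHAP names are constructed placeholders.
# Secrets are prompted for so they do not end up in the script or shell history.
$outgoing = Get-Credential -UserName 'esx-chap-example' -Message 'Outgoing CHAP: host authenticates to the target'
$incoming = Get-Credential -UserName 'target-chap-example' -Message 'Incoming CHAP: target authenticates to the host'

$outSecret = $outgoing.GetNetworkCredential().Password
$inSecret  = $incoming.GetNetworkCredential().Password

# The procedure requires the two secrets to differ; refuse to continue otherwise.
if ($outSecret -ceq $inSecret) {
    throw 'Outgoing and incoming CHAP secrets must not match.'
}

# Narrow Get-VMHost (for example with -Name or -Location) to limit the scope.
$hbas = Get-VMHost | Get-VMHostHba -Type IScsi

# Audit: list every iSCSI adapter with its current CHAP state.
$hbas | Select-Object VMHost, Device,
    @{N = 'ChapType';   E = { $_.AuthenticationProperties.ChapType }},
    @{N = 'ChapName';   E = { $_.AuthenticationProperties.ChapName }},
    @{N = 'MutualChap'; E = { $_.AuthenticationProperties.MutualChapEnabled }} |
    Format-Table -AutoSize

# Remediate only adapters that are not already using required + mutual CHAP.
$nonCompliant = $hbas | Where-Object {
    $_.AuthenticationProperties.ChapType -ne 'Required' -or
    -not $_.AuthenticationProperties.MutualChapEnabled
}

foreach ($hba in $nonCompliant) {
    # Mutual CHAP is only valid when outgoing CHAP is set to Required.
    Set-VMHostHba -IScsiHba $hba -ChapType Required `
        -ChapName $outgoing.UserName -ChapPassword $outSecret `
        -MutualChapEnabled $true `
        -MutualChapName $incoming.UserName -MutualChapPassword $inSecret `
        -Confirm:$false | Out-Null

    # Rescan so iSCSI sessions are re-established with the new credentials.
    Get-VMHostStorage -VMHost $hba.VMHost -RescanAllHba | Out-Null
}
```

The matching names and secrets must already be configured on the storage side before the rescan, or the sessions will fail to log in.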
Impact:
No functional impact is anticipated upon the implementation of this control. However, it's imperative to ensure correct configuration to avoid potential communication disruptions between the iSCSI client and server.