
Enable bidirectional CHAP authentication for iSCSI traffic

Details

With one-way CHAP, only the iSCSI target authenticates the initiator (the ESXi host). Enabling bidirectional CHAP authentication adds a second level of security in which the initiator also authenticates the target, so each side of the iSCSI session proves its identity to the other.

*Rationale*

vSphere supports bidirectional (mutual) CHAP, in which the iSCSI target and the host authenticate each other.

Choosing not to enforce the more stringent authentication can make sense if you create a dedicated network or VLAN to serve all your iSCSI devices. If neither the iSCSI target nor the host is authenticated, a man-in-the-middle (MITM) attack is possible in which an attacker impersonates either side of the connection to steal data. Bidirectional authentication mitigates this risk. If the iSCSI network is isolated from general network traffic, it is less exposed to such attacks, but isolation alone does not verify who is on the other end of the session.

Solution

To implement the recommended configuration state, run the following PowerCLI command:

# Set the CHAP settings for the iSCSI adapter
Get-VMHost | Get-VMHostHba | Where {$_.Type -eq 'Iscsi'} | Set-VMHostHba # Use desired parameters here

Default Value

The prescribed state is not the default state.
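The following script is an added worked example, not part of the CIS benchmark or VMware's own material. It fills in the "desired parameters" of the remediation command above and wraps it in an audit step before and after the change, so you can see which adapters were in the weak state (CHAP prohibited or discouraged, mutual CHAP off) and confirm they end up with CHAP required in both directions. It assumes PowerCLI is loaded and Connect-VIServer has been run, that the iSCSI HBA objects returned by Get-VMHostHba expose the ChapType, ChapName, MutualChapEnabled and MutualChapName properties, and that Set-VMHostHba accepts the -ChapType, -ChapName, -ChapPassword, -MutualChapEnabled, -MutualChapName and -MutualChapPassword parameters. The IQN-style CHAP names and the environment variable names are hypothetical placeholders.

```powershell
# Added example; not from the CIS benchmark or VMware's documentation.
# Assumes VMware PowerCLI is loaded and Connect-VIServer has already been run.
# Assumes the IScsiHba objects from Get-VMHostHba expose ChapType, ChapName,
# MutualChapEnabled and MutualChapName, and that Set-VMHostHba accepts the
# -ChapType/-ChapName/-ChapPassword and -MutualChap* parameters used below.

# Hypothetical identities. Secrets come from the environment so they do not end
# up in shell history; in practice pull them from a secret store. Use a different
# secret in each direction.
$HostChapName     = 'iqn.1998-01.com.vmware:esx01'    # name the host presents to the target
$HostChapSecret   = $env:ISCSI_HOST_CHAP_SECRET       # must match the target's configuration
$TargetChapName   = 'iqn.2000-01.com.example:san01'   # name the target must present back
$TargetChapSecret = $env:ISCSI_TARGET_CHAP_SECRET

if (-not $HostChapSecret -or -not $TargetChapSecret) {
    throw 'Set ISCSI_HOST_CHAP_SECRET and ISCSI_TARGET_CHAP_SECRET before running.'
}
if ($HostChapSecret -eq $TargetChapSecret) {
    throw 'Outgoing and incoming CHAP secrets must not be the same.'
}

function Get-IscsiAdapter {
    # Software and hardware iSCSI adapters on every connected host.
    Get-VMHost | Get-VMHostHba | Where-Object { $_.Type -eq 'Iscsi' }
}

function Get-IscsiChapPosture {
    # Audit view: an adapter is compliant only when CHAP is Required in the
    # outgoing (host-to-target) direction and mutual (target-to-host) CHAP is on.
    Get-IscsiAdapter | Select-Object VMHost, Device, ChapType, ChapName,
        MutualChapEnabled, MutualChapName,
        @{ Name       = 'Compliant'
           Expression = { ($_.ChapType -eq 'Required') -and $_.MutualChapEnabled } }
}

# 1. Record the state before the change. The weak state shows up as
#    ChapType = Prohibited (or Discouraged) and MutualChapEnabled = False.
'Before:'
Get-IscsiChapPosture | Format-Table -AutoSize

# 2. Remediate only the adapters that are not compliant. The target must already
#    be configured with the same names and secrets, or the host loses its paths
#    at the next login.
Get-IscsiAdapter |
    Where-Object { $_.ChapType -ne 'Required' -or -not $_.MutualChapEnabled } |
    Set-VMHostHba -ChapType Required `
                  -ChapName $HostChapName -ChapPassword $HostChapSecret `
                  -MutualChapEnabled $true `
                  -MutualChapName $TargetChapName -MutualChapPassword $TargetChapSecret

# 3. Rescan so the sessions renegotiate with the new credentials, then re-audit.
Get-VMHost | Get-VMHostStorage -RescanAllHba | Out-Null
'After:'
Get-IscsiChapPosture | Format-Table -AutoSize
```

Configure the target side first and verify that the host's datastores stay mounted after the rescan; a CHAP mismatch shows up as lost paths rather than an error from Set-VMHostHba. Note that CHAP authenticates the endpoints but does not encrypt the iSCSI session, so the dedicated storage network or VLAN described in the rationale is still needed alongside mutual CHAP.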

Supportive Information

This security hardening control applies to the Identification and Authentication category of controls within NIST 800-53. This control applies to the following type of system: VMware.

Updated on July 16, 2022