|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] RE: Storage over Ethernet/IPAt 10:14 26.05.2000 -0500, Brian.Rubarts@born.com wrote: >True, but whether the server accesses the disks via SCSI over TCP or SCSI >over Fibre Channel, the SERVER is still the weak link. The transport >protocol doesn't create any inherent weaknesses of the type you are >refering to--e-mail borne viruses, internal hackers, etc. The server >would still be the attack point. Why goodness, the server and storage >devices could be in a VLAN or something to deny direct hack attempts >against the storage device, but the chink in the armor is how hardened is >your OS? did you hear the story about the MIT students who broke encryption in Netscape by replacing the page of the binary containing the crypto verification code (sniffing the NFS request and replying faster than the real fileserver) while it was being transferred over the network? Replacing a dedicated medium (such as a SCSI bus) with a shared medium (such as an Ethernet cable plant) always opens new chinks. The point being made, remade and made again here is: - Any IP technology will be used in contexts where there are security threats - Any protocol that offers no means of countering such security threats is broken, and should not be considered for standardization. It is perfectly possible that after conducting a threat and modality analysis, one ends up with saying that hardware-accelerated IPsec using host identities is adequate for the scenarios involving otherwise-unprotected Internet links, and that a mode with no protection is adequate when the media is physically secured. But the analysis MUST BE DONE. Harald -- Harald Tveit Alvestrand, EDB Maxware, Norway Harald.Alvestrand@edb.maxware.no
Home Last updated: Tue Sep 04 01:08:15 2001 6315 messages in chronological order |