Re: Storage over Ethernet/IP

In message <A427D1278F7CD311B1670008C7FAA62AC89F1F@CORPNT3>, Brian.Rubarts@born.com writes:
>
>>> Encryption will be offloaded to the network interface. ASICs on the NICs
>>> will greatly improve encryption and authentication performance.
>
>>all well and good, provided that this encryption and authentication
>>are actually compatible with that specified by higher level protocols
>>and the authentication actually meets the needs of users.
>>(if your network interface needs to use and verify users' credentials,
>>as opposed to the host's credentials, it might be a stretch.)
>
>A network server will still authenticate user requests. Only the host
>needs to be authenticated with the disk/disks.
>

Up to a point. Yes, there are NICs available today with IPsec on-card. But given the prevalence of -- how shall I put this? -- single-user computers with user physical access, no OS protection and crufty software, you really need user-granularity protection of the file access requests. NFS-style protection with host authentication works if and only if the server trusts the remote system to authenticate its users. That's demonstrably not true today.

Yes, IPsec does, in theory, support user-granularity protection. That's very hard to do when you're using outboard IPsec implementations, since you then need some way to pass the user's credentials (generally a certificate, not a user-id) back to the host, and tie every received packet to that identity. It can be done, but (speaking as one of the primary participants in the IPsec development effort) I'm not impressed with its applicability in this case.

>
>>> It will run over incredibly fast Packet over SONET Wide Area
>>> Networks--behind firewalls.
>
>>...it's
>>inappropriate to assume that it will always be used behind firewalls...
>
>If the larger network that is employing this technology doesn't hire a
>decent
>consultant, you might be right. If they do, it will ALWAYS be behind a
>firewall :-)
>

Speaking as someone whose firewall credentials are more or less beyond reproach, you're wrong -- period. *Many* such uses will be behind firewalls. Others won't.

The large corporate firewall is a dinosaur, because of extranets, telecommuters, unofficial links through or around the firewall, etc. Comprehensive firewalls generally can't protect a network larger than one run by a single systems administrator (or, in some cases, a systems administration group); otherwise, they don't know where the links are. And even when one sysadmin runs the net, what does he or she do when word comes down from the pointy-haired layer of the stack that there *will* be a VPN link to a joint venture partner?

Like it says on the (U.S.) toothpaste tubes -- firewalls can be an effective security measure when used as part of a program including good network hygiene and decent authentication. But they're not magic security pixie dust, and they're not a substitute for authentication in the protocol.

		--Steve Bellovin
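The host-granularity versus user-granularity distinction drawn in the message above, worked through as an added Python illustration; this is not code from the original e-mail nor from any IPsec or NFS implementation. It models two server-side authorization policies: one that trusts a host-authenticated peer to vouch for whichever user id the request asserts (the NFS-style model), and one that requires the identity bound to the packet's security association to match that user. The `SecurityAssociation` and `FileRequest` types, the ACL, and the trusted-host table are constructed assumptions made for the example.

```python
"""Added illustration of host- versus user-granularity protection for a
storage request. All names, the ACL and the trust table are constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityAssociation:
    """Identity proven by the IPsec authentication on the receiving SA (assumed)."""
    peer_identity: str   # e.g. "host:server-farm-1" or "user:alice"
    granularity: str     # "host" (host certificate) or "user" (per-user certificate)


@dataclass(frozen=True)
class FileRequest:
    """A file access request as the client OS built it (assumed format)."""
    path: str
    asserted_user: str   # user id the client claims; the server cannot verify it by itself


# Constructed ACL: which users may read which paths.
ACL = {
    "/home/alice/secret": {"alice"},
    "/home/bob/notes": {"bob"},
}

# Constructed trust table for the NFS-style model: hosts whose user
# assertions the server is willing to believe.
TRUSTED_HOSTS = {"host:server-farm-1"}


def authorize_host_granularity(sa: SecurityAssociation, req: FileRequest) -> bool:
    """NFS-style policy: accept the asserted user if the authenticated peer
    is a trusted host. The user id itself is never checked against the SA,
    so the decision is only as good as the trust placed in that host."""
    if sa.granularity != "host" or sa.peer_identity not in TRUSTED_HOSTS:
        return False
    return req.asserted_user in ACL.get(req.path, set())


def authorize_user_granularity(sa: SecurityAssociation, req: FileRequest) -> bool:
    """Per-user policy: the identity bound to the SA that carried the packet
    must match the user the request asserts, so a client cannot claim a user
    it holds no credential for."""
    if sa.granularity != "user":
        return False
    if sa.peer_identity != f"user:{req.asserted_user}":
        return False
    return req.asserted_user in ACL.get(req.path, set())


def compare_policies(sa: SecurityAssociation, req: FileRequest) -> dict:
    """Run both policies on one (SA, request) pair for side-by-side review."""
    return {
        "host_granularity": authorize_host_granularity(sa, req),
        "user_granularity": authorize_user_granularity(sa, req),
    }


if __name__ == "__main__":
    # Constructed scenario from the thread: a trusted single-user host where
    # the local user, bob, has physical access and the OS asserts any uid.
    req = FileRequest("/home/alice/secret", asserted_user="alice")
    print(compare_policies(SecurityAssociation("host:server-farm-1", "host"), req))
    print(compare_policies(SecurityAssociation("user:bob", "user"), req))
    print(compare_policies(SecurityAssociation("user:alice", "user"), req))
```

Run as a script, the first line shows the host-granularity policy granting the request for alice's file purely because the trusted host said so; the second shows the user-granularity policy refusing it because the SA carries bob's credential; the third shows it granting when the SA actually carries alice's. The host model is not wrong in itself, it just encodes the assumption the message calls out: that the remote system can be trusted to authenticate its own users.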
Last updated: Tue Sep 04 01:08:15 2001