
    Re: Storage over Ethernet/IP



    In message <A427D1278F7CD311B1670008C7FAA62AC89F1F@CORPNT3>, Brian.Rubarts@born.com writes:
    >
    >>> Encryption will be offloaded to the network interface.  ASICs on the NICs
    >>> will greatly improve encryption and authentication performance.
    >
    >>all well and good, provided that this encryption and authentication
    >>are actually compatible with that specified by higher level protocols
    >>and the authentication actually meets the needs of users.  
    >>(if your network interface needs to use and verify users' credentials,
    >>as opposed to the host's credentials, it might be a stretch.)
    >
    >A network server will still authenticate user requests.  Only the host
    >needs to be authenticated with the disk/disks.
    >
    Up to a point.  Yes, there are NICs available today with IPsec on-card. 
    But given the prevalence of -- how shall I put this? -- single-user 
    computers with user physical access, no OS protection and crufty software,
    you really need user-granularity protection of the file access 
    requests.  NFS-style protection with host authentication works if and only
    if the server trusts the remote system to authenticate its users.  
    That's demonstrably not true today.  
    
    Yes, IPsec does, in theory, support user-granularity protection.  
    That's very hard to do when you're using outboard IPsec implementations,
    since you then need some way to pass the user's credentials (generally 
    a certificate, not a user-id) back to the host, and tie every received 
    packet to that identity.  It can be done, but (speaking as one of the 
    primary participants in the IPsec development effort) I'm not impressed 
    with its applicability in this case. 
    >
    >>> It will run over incredibly fast Packet over SONET Wide Area
    >>> Networks--behind firewalls.
    >
    >>...it's 
    >>inappropriate to assume that it will always be used behind firewalls...
    >
    >If the larger network that is employing this technology doesn't hire a
    >decent
    >consultant, you might be right.  If they do, it will ALWAYS be behind a
    >firewall :-)
    >
    Speaking as someone whose firewall credentials are more or less beyond 
    reproach, you're wrong -- period.  *Many* such uses will be behind 
    firewalls.  Others won't.  The large corporate firewall is a dinosaur, 
    because of extranets, telecommuters, unofficial links through or around 
    the firewall, etc.  Comprehensive firewalls generally can't protect a 
    network larger than one run by a single systems administrator (or, in 
    some cases, a systems administration group); otherwise, they don't know 
    where the links are.
    
    And even when one sysadmin runs the net, what does he or she do when 
    word comes down from the pointy-haired layer of the stack that there 
    *will* be a VPN link to a joint venture partner?
    
    Like it says on the (U.S.) toothpaste tubes -- firewalls can be an 
    effective security measure when used as part of a program 
    including good network hygiene and decent authentication.  But they're 
    not magic security pixie dust, and they're not a substitute for 
    authentication in the protocol.
    
    		--Steve Bellovin
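The trust gap the message describes (host-level authentication, where the server must trust the client host to vouch for its users, versus a credential bound to each individual request) can be shown with two toy file servers. This is an added example, not code from the thread or from any of the projects discussed; the host names, users, keys and request format are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data: path -> owner, and one example key per user.
FILES = {"/home/alice/secret": "alice", "/home/bob/notes": "bob"}
USER_KEYS = {"alice": b"alice-key-constructed", "bob": b"bob-key-constructed"}


class HostAuthServer:
    """The host is authenticated (think IPsec terminated on the NIC), but the
    user identity inside each request is whatever the client host asserts,
    in the style of NFS AUTH_SYS."""

    def __init__(self, trusted_hosts):
        self.trusted_hosts = set(trusted_hosts)

    def read(self, host, claimed_user, path):
        if host not in self.trusted_hosts:
            return "DENY: host not authenticated"
        # The server has no way to check claimed_user; it must trust the host.
        if FILES.get(path) != claimed_user:
            return "DENY: not owner"
        return "OK"


def sign_request(user_key, path):
    """Per-user credential bound to this specific request: a MAC over the
    operation and path under a key only that user's processes hold."""
    return hmac.new(user_key, b"READ " + path.encode(), hashlib.sha256).digest()


class UserAuthServer:
    """Each request carries a MAC under a per-user key; a host can only
    produce valid requests for users whose keys it actually holds."""

    def __init__(self, user_keys):
        self.user_keys = dict(user_keys)

    def read(self, claimed_user, path, tag):
        key = self.user_keys.get(claimed_user)
        if key is None:
            return "DENY: unknown user"
        if not hmac.compare_digest(sign_request(key, path), tag):
            return "DENY: credential does not match claimed user"
        if FILES.get(path) != claimed_user:
            return "DENY: not owner"
        return "OK"


def demo():
    """Bob's workstation (constructed host 'bob-pc') is a trusted host but
    only holds Bob's key. Under host-only authentication a process on it can
    read Alice's file simply by asserting her identity; under per-user
    authentication the same attempt is refused."""
    host_server = HostAuthServer(trusted_hosts=["bob-pc"])
    user_server = UserAuthServer(USER_KEYS)
    bob_key = USER_KEYS["bob"]  # the only key present on bob-pc
    target = "/home/alice/secret"
    return {
        "host_auth_honest": host_server.read("bob-pc", "bob", "/home/bob/notes"),
        "host_auth_forged": host_server.read("bob-pc", "alice", target),
        "user_auth_honest": user_server.read(
            "bob", "/home/bob/notes", sign_request(bob_key, "/home/bob/notes")),
        "user_auth_forged": user_server.read(
            "alice", target, sign_request(bob_key, target)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The first server illustrates why host authentication "works if and only if the server trusts the remote system to authenticate its users": once the host is accepted, every identity it asserts is accepted too. The second needs per-user keys that the host's IPsec stack does not have, which is exactly the credential-passing problem the message raises for outboard implementations. A real protocol would also add a sequence number or nonce to the signed data so that a captured request cannot be replayed; that is omitted here to keep the trust point visible.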
    