    RE: iSCSI gateways, proxies, etc.



    David,
    
    Thanks for the clarification.
    
    Note that while DNS-ALG may be an alternative for outbound
    TCP connections, many companies will have an issue in allowing
    external hosts to initiate TCP connections to internal hosts.
    While the DNS-ALG may be an alternative for outbound TCP
    connections, there are security risks for inbound TCP.  I
    do not believe stateful inspection can protect against these
    attacks.  Furthermore, I know from experience that many
    companies do not implement DNS-ALG.
    
    IMO, not putting in a mechanism for proxies into iSCSI will
    raise security risks or force the user to socksify iSCSI.  As
    iSCSI may be embedded into a storage HBA, this also could
    be quite problematic.
    
    Josh
    
    
    > -----Original Message-----
    > From: Black_David@emc.com [mailto:Black_David@emc.com]
    > Sent: Thursday, October 12, 2000 6:49 AM
    > To: joshua.tseng@nishansystems.com; ips@ece.cmu.edu
    > Subject: RE: iSCSI gateways, proxies, etc.
    > 
    > 
    > > I do not understand what is meant by "out-of-band".  Is it some
    > > kind of manual configuration?
    > 
    > Out-of-band means that the configuration is not done as part of
    > setting up the iSCSI connection.  It could be manual or automatic -
    > both the DNS and firewall examples in my original message were
    > examples of automatic out of band configuration.  I believe that there
    > are implementations of the DNS example, and the IPsec community
    > is in the midst of working on automating things that include the
    > tunnel autoconfig required by the firewall example.  The firewall in the
    > example I used could be a stateful inspection firewall; the intent
    > was not to have the firewall itself be a visible iSCSI proxy.
    > 
    > The NAT example is "Bidirectional NAT" or "Twice NAT" with dynamic
    > setup of the address translations.  See Sections 4.2 and 4.3 of RFC 2663,
    > and discussion in that RFC of using a DNS-Application Level Gateway.
    > The example I described uses invocation of and information from the
    > DNS-ALG to set up the translations as opposed to the RFC description
    > that does not include the setup mechanism.
    > 
    > --David
    > 
    > ---------------------------------------------------
    > David L. Black, Senior Technologist
    > EMC Corporation, 42 South St., Hopkinton, MA  01748
    > +1 (508) 435-1000 x75140     FAX: +1 (508) 497-8500
    > black_david@emc.com       Mobile: +1 (978) 394-7754
    > ---------------------------------------------------
    > 
    
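Added example for readers of this archive page (not code from Josh's or David's message, nor from any iSCSI project): a small Python model of the dynamically configured "Twice NAT" that David describes, with a DNS-ALG installing the address bindings (RFC 2663 sections 4.2 and 4.3). All host names, address pools and packets are constructed for the example. The DNS-ALG rewrites the answer an outside resolver sees and creates the binding at that moment; the translator then rewrites both source and destination on every packet and drops inbound packets addressed to an external address with no binding, so an outside host can only reach what the ALG has exposed.

```python
"""Toy RFC 2663-style Twice NAT whose bindings are set up by a DNS-ALG.

Illustrative model only (assumed design, not any vendor's implementation).
The private realm uses RFC 1918 space and the external realm uses
documentation ranges; none of these addresses are real infrastructure.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed data: the inside authoritative DNS answer, the pool of
# external-facing addresses the NAT hands out, and the pool of inside-realm
# aliases used to represent outside hosts (Twice NAT rewrites both ends).
PRIVATE_DNS = {"target.example.net": "10.0.0.5"}
EXTERNAL_POOL = ["203.0.113.10", "203.0.113.11"]
INSIDE_POOL = ["10.200.0.1", "10.200.0.2"]

ISCSI_PORT = 3260  # registered iSCSI port, used here only as sample traffic


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class TwiceNat:
    """Bidirectional NAT: source and destination addresses are both rewritten."""

    def __init__(self) -> None:
        self.ext_pool = list(EXTERNAL_POOL)
        self.in_pool = list(INSIDE_POOL)
        self.ext_to_priv: Dict[str, str] = {}  # external-facing addr -> private host
        self.priv_to_ext: Dict[str, str] = {}
        self.out_to_in: Dict[str, str] = {}    # outside host -> inside-realm alias
        self.in_to_out: Dict[str, str] = {}

    def bind_private(self, priv: str) -> str:
        """Expose a private host on an external-facing address (idempotent)."""
        if priv not in self.priv_to_ext:
            ext = self.ext_pool.pop(0)
            self.priv_to_ext[priv] = ext
            self.ext_to_priv[ext] = priv
        return self.priv_to_ext[priv]

    def alias_outside(self, outside: str) -> str:
        """Give an outside host an inside-realm alias (address spaces may overlap)."""
        if outside not in self.out_to_in:
            alias = self.in_pool.pop(0)
            self.out_to_in[outside] = alias
            self.in_to_out[alias] = outside
        return self.out_to_in[outside]

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an outside->inside packet; drop it if no binding exists."""
        priv = self.ext_to_priv.get(pkt.dst)
        if priv is None:
            return None
        return Packet(self.alias_outside(pkt.src), priv, pkt.sport, pkt.dport)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an inside->outside packet using the same bindings."""
        outside = self.in_to_out.get(pkt.dst)
        ext = self.priv_to_ext.get(pkt.src)
        if outside is None or ext is None:
            return None
        return Packet(ext, outside, pkt.sport, pkt.dport)


class DnsAlg:
    """DNS-ALG: rewrites answers crossing the NAT and installs the binding."""

    def __init__(self, nat: TwiceNat) -> None:
        self.nat = nat

    def resolve_for_outside(self, name: str) -> Optional[str]:
        priv = PRIVATE_DNS.get(name)
        if priv is None:
            return None
        # The binding is created here, as part of answering the query.
        return self.nat.bind_private(priv)


def demo() -> dict:
    """Walk through the exchange: unsolicited inbound, DNS lookup, SYN, reply."""
    nat = TwiceNat()
    alg = DnsAlg(nat)
    # 1. An inbound packet before any DNS lookup finds no binding and is dropped.
    dropped = nat.inbound(Packet("198.51.100.7", "203.0.113.10", 40000, ISCSI_PORT))
    # 2. The outside host resolves the name; the ALG answers with an external address.
    answer = alg.resolve_for_outside("target.example.net")
    # 3. The inbound SYN to that address is now translated on both ends.
    syn = nat.inbound(Packet("198.51.100.7", answer, 40000, ISCSI_PORT))
    # 4. The private host's reply is translated back on the way out.
    reply = nat.outbound(Packet(syn.dst, syn.src, ISCSI_PORT, 40000))
    return {"dropped": dropped, "answer": answer, "syn": syn, "reply": reply}


if __name__ == "__main__":
    for step, value in demo().items():
        print(f"{step}: {value}")
```

The model has no notion of the TCP state or payload of the connection; it only shows the address-binding mechanism, which is the part of the thread that the "out-of-band" versus "in-band" distinction is about.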

