RE: iSCSI gateways, proxies, etc.

To: ips@ece.cmu.edu
Subject: RE: iSCSI gateways, proxies, etc.
From: Joshua Tseng/Nishan Systems <joshua.tseng@NishanSystems.com>
Date: Thu, 12 Oct 2000 09:39:15 -0700
Content-Type: text/plain;charset="windows-1252"
Sender: owner-ips@ece.cmu.edu

David,

Thanks for the clarification.

Note that while DNS-ALG may be an alternative for outbound
TCP connections, many companies will have an issue in allowing
external hosts to initiate TCP connections to internal hosts.
While the DNS-ALG may be an alternative for outbound TCP
connections, there are security risks for inbound TCP.  I
do not believe stateful inspection can protect against these
attacks.  Furthermore, I know from experience that many
companies do not implement DNS-ALG.

IMO, not putting in a mechanism for proxies into iSCSI will
raise security risks or force the user to socksify iSCSI.  As
iSCSI may be imbedded into a storage HBA, this also could
be quite problematic.

Josh


> -----Original Message-----
> From: Black_David@emc.com [mailto:Black_David@emc.com]
> Sent: Thursday, October 12, 2000 6:49 AM
> To: joshua.tseng@nishansystems.com; ips@ece.cmu.edu
> Subject: RE: iSCSI gateways, proxies, etc.
> 
> 
> > I do not understand what is meant by "out-of-band".  Is it some
> > kind of manual configuration?
> 
> Out-of-band means that the configuration is not done as part of
> setting up the iSCSI connection.  It could be manual or automatic -
> both the DNS and firewall examples in my original message were
> examples of automatic out of band configuration.  I believe that there
> are implementations of the DNS example, and the IPsec community
> is in the midst of working on automating things that include the
> tunnel autoconfig required by the firewall example.  The 
> firewall in the
> example I used could be a stateful inspection firewall; the intent
> was not to have the firewall itself be a visible iSCSI proxy.
> 
> The NAT example is "Bidirectional NAT" or "Twice NAT" with dynamic
> setup of the address translations.  See Sections 4.2 and 4.3 
> of RFC 2663,
> and discussion in that RFC of using a DNS-Application Level Gateway.
> The example I described uses invocation of and information from the
> DNS-ALG to set up the translations as opposed to the RFC description
> that does not include the setup mechanism.
> 
> --David
> 
> ---------------------------------------------------
> David L. Black, Senior Technologist
> EMC Corporation, 42 South St., Hopkinton, MA  01748
> +1 (508) 435-1000 x75140     FAX: +1 (508) 497-8500
> black_david@emc.com       Mobile: +1 (978) 394-7754
> ---------------------------------------------------
>

Prev by Date: Re: iSCSI gateways, proxies, etc.
Next by Date: RE: iSCSI gateways, proxies, etc.
Prev by thread: Re: iSCSI gateways, proxies, etc.
Next by thread: RE: iSCSI gateways, proxies, etc.
Index(es):
- Date
- Thread

Home

Last updated: Tue Sep 04 01:06:41 2001
6315 messages in chronological order