
    iSCSI: Security Environments



    OK Team, it seems to me that we need to talk about what environments we are
    trying to Secure, because I think we need to sort out which environments
    need what type of Security mechanism.
    
    The following is a list of environments that we need to support with iSCSI:
    
    1.  A Local LAN Environment, in a small organization, which is not open to
    outsiders.  Mostly Desktops and Laptop Systems, and want to pool storage
    (but not with FC).  iSCSI initiators (and maybe targets) are provided via
    SW TCP/IP and iSCSI.
    
    2.  A Local LAN Environment that is isolated from outsiders via a firewall,
    has no storage access to, or from, anyone outside the Firewall.  Mostly
    Desktops and Laptops, maybe a local Server or two.  They want to pool
    storage (but not with FC). The non-Server Systems will have SW TCP/IP and
    iSCSI HBA implementations, and the Others will have iSCSI and TCP/IP
    provided by SW.
    
    3.  A remote office that has a VPN (Virtual Private Network) and Firewall
    to a main IT organization.  Accessing Servers (at the central IT location)
    with normal Client Server and Web Browser applications.  They want to
    access iSCSI storage at the central IT location.  iSCSI initiators are
    provided via SW TCP/IP and iSCSI, however, if any Servers need to access
    the remote iSCSI Storage,  they will probably be using HW iSCSI HBAs.
    
    4.  A Central IT organization that has Desktops and Laptops on their
    Intranet, on their company campus.  They want the Host on the Campus to
    have access to the iSCSI storage located at various places within the
    campus.  They will have both iSCSI HBAs in Servers, and iSCSI SW in the
    Desktops and Laptops.
    
    5.  Several Remote IT locations that have VPNs in/out and Firewalls, and
    proxies, used for Client Server actions and Web Browsing (in and out).
    They want to have iSCSI access to Storage at each other's locations.  Each
    Site has Desktops, Laptops, and Servers that need to access local and
    remote Storage.  IT organizations have local FC and iSCSI Storage.  (Note:
    can also use FCIP here as well as iFCP, but let's keep the discussion to
    iSCSI for now.)  The various Servers have iSCSI HW (with TOEs), and the
    Desktops/Laptops use SW for the iSCSI implementation.
    
    6.  An SSP (Storage Service Provider) wants to offer its storage for use by
    various different customers, across the Internet.  The SSP will have
    iSCSI HW HBAs that handle the protocols.
    
    I think it would be very useful if we could talk about our "solutions" to
    the security need in terms of the above environments.  There may be more,
    but let's first work on the above.
    
    The remote offices and the IT organizations have physical security between
    the IPSec Firewall and the Host, or Storage Device.
    
       We need to understand why we need IPSec/TLS, in each of the above
       environments, as a function in SW and/or in a HW adapter.  That is, we
       need to understand when just Session Authentication & Authorization are
       sufficient, or when we should accept the privacy provided by IPSec in
       the VPN/Firewall, vs. the need to have on-HBA or SW IPSec/TLS.  Up until
       now this has not been clear to me.
    
       We need to understand if an IPSec function in the HBA or SW would be a
       problem since the Firewall is likely to also be a NAT, in several of the
       above environments.
    
       Why would an organization want to bypass their Firewall and go straight
       to the Internet just because they had IPSec on the HBA?  What is gained
       by that?
    
       If the installation had a Firewall with NAT and they wanted to stay
       behind that Firewall, wouldn't the IPSec on the HBA or SW be
       problematical?
    
    
    
    John L. Hufferd
    Senior Technical Staff Member (STSM)
    IBM/SSG San Jose Ca
    (408) 256-0403, Tie: 276-0403,  eFax: (408) 904-4688
    Internet address: hufferd@us.ibm.com
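    The NAT question raised in the post above (whether IPSec on the HBA or in SW
    is a problem behind a NATing Firewall) comes down to which header fields the
    integrity protection covers. The Python below is an added illustration, not
    part of the original message or of any IPS working group work. It builds a
    constructed TCP segment with the standard pseudo-header checksum, uses a toy
    HMAC as a stand-in for an AH integrity check value (not wire-format AH), and
    shows what the receiver sees after a NAT rewrites the source address in each
    case. The addresses, key and payload are constructed; TCP port 3260 is the
    registered iSCSI port.

```python
import hashlib
import hmac
import socket
import struct


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement of the 16-bit word sum."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """TCP pseudo-header: the checksum covers both IP addresses, not just the segment."""
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, tcp_len)


def build_tcp_segment(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Minimal TCP segment (20-byte header, PSH|ACK) with a correct checksum for src_ip/dst_ip."""
    header = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    segment = header + payload
    csum = ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


def tcp_checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """Receiver check: summing pseudo-header + segment (checksum field included) must give 0."""
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def toy_ah_icv(key: bytes, src_ip: str, dst_ip: str, protected: bytes) -> bytes:
    """Toy stand-in for an AH integrity check value (constructed, not wire-format AH):
    the MAC covers the immutable IP addresses as well as the payload, which is why a
    NAT-rewritten source address invalidates it. Truncated to 96 bits like HMAC-SHA-1-96."""
    msg = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + protected
    return hmac.new(key, msg, hashlib.sha256).digest()[:12]


def nat_scenarios() -> dict:
    """Does the receiver's integrity check pass after a NAT rewrites the source address?"""
    inside, outside, target = "10.0.0.5", "203.0.113.1", "192.0.2.10"  # constructed addresses
    payload = b"constructed iSCSI PDU bytes"
    seg = build_tcp_segment(inside, target, 40000, 3260, payload)  # 3260: iSCSI TCP port
    key = b"constructed-demo-key"
    icv = toy_ah_icv(key, inside, target, seg)
    results = {}
    # Cleartext before NAT: the initiator's checksum verifies against its own address.
    results["clear_before_nat"] = tcp_checksum_ok(inside, target, seg)
    # Cleartext through NAT: the NAT can read the TCP header, so it rewrites the
    # source address and recomputes the checksum; the target still sees a good segment.
    fixed = build_tcp_segment(outside, target, 40000, 3260, payload)
    results["clear_after_nat_fixup"] = tcp_checksum_ok(outside, target, fixed)
    # ESP transport mode through NAT: the TCP header is encrypted, the NAT cannot fix
    # the checksum, and the target verifies it against the rewritten source address.
    results["esp_transport_after_nat"] = tcp_checksum_ok(outside, target, seg)
    # AH through NAT: the ICV was computed over the original source address.
    results["ah_after_nat"] = hmac.compare_digest(icv, toy_ah_icv(key, outside, target, seg))
    # Tunnel mode through NAT: only the outer header is rewritten; the inner packet
    # (inside -> target) is delivered untouched and verifies.
    results["esp_tunnel_after_nat"] = tcp_checksum_ok(inside, target, seg)
    return results


if __name__ == "__main__":
    for name, ok in nat_scenarios().items():
        print(f"{name:26s} {'verifies' if ok else 'FAILS'}")
```

    Cleartext survives the NAT only because the NAT can read and recompute the
    checksum; ESP transport mode and AH fail because the receiver checks against
    an address the sender never used; tunnel mode survives because the inner
    packet is never touched, although the NAT still has to forward IP protocol
    50 without a port to map on. UDP encapsulation of ESP for exactly this
    situation (RFC 3948) was standardized after this message was written.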
    
    


Last updated: Tue Sep 04 01:05:32 2001
6315 messages in chronological order