iSCSI: Security Environments

OK Team, it seems to me that we need to talk about what environments we are trying to Secure. Because, I think we need to sort out which environments need what type of Security mechanism. The following is a list of environments that we need to support with iSCSI:

1. A Local LAN Environment, in a small organization, which is not open to outsiders. Mostly Desktops and Laptop Systems, and want to pool storage (but not with FC). iSCSI initiators (and maybe targets) are provided via SW TCP/IP and iSCSI.

2. A Local LAN Environment that is isolated from outsiders via a firewall, has no storage access to, or from, anyone outside the Firewall. Mostly Desktops and Laptops, may be a local Server or two. They want to pool storage (but not with FC). The non-Server Systems will have SW TCP/IP and iSCSI HBA implementations, and the Others will have iSCSI and TCP/IP provided by SW.

3. A remote office that has a VPN (Virtual Private Network) and Firewall to a main IT organization. Accessing Servers (at the central IT location) with normal Client Server and Web Browser applications. They want to access iSCSI storage at the central IT location. iSCSI initiators are provided via SW TCP/IP and iSCSI; however, if any Servers need to access the remote iSCSI Storage, they will probably be using HW iSCSI HBAs.

4. A Central IT organization that has Desktops and Laptops on their Intranet, on their company campus. They want the Hosts on the Campus to have access to the iSCSI storage located at various places within the campus. They will have both iSCSI HBAs in Servers, and iSCSI SW in the Desktops and Laptops.

5. Several Remote IT locations that have VPNs in/out and Firewalls, and proxies, used for Client Server actions and Web Browsing (in and out). They want to have iSCSI access to Storage at each other's locations. Each Site has Desktops, Laptops, and Servers that need to access local and remote Storage. IT organizations have local FC and iSCSI Storage. (Note: can also use FCIP here as well as iFCP, but let's keep the discussion to iSCSI for now.) The various Servers have iSCSI HW (with TOEs), and the Desktops/Laptops use SW for the iSCSI implementation.

6. An SSP (Storage Service Provider) wants to offer its storage for use by various different customers, across the Internet. The SSP will have iSCSI HW HBAs that handle the protocols.

I think it would be very useful if we could talk about our "solutions" to the security need in terms of the above environments. There may be more, but let's first work on the above.

The remote offices and the IT organizations have physical security between the IPSec Firewall and the Host, or Storage Device. We need to understand why we need IPSec/TLS, in each of the above environments, as a function in SW and/or in a HW adapter. That is, we need to understand when just Session Authentication & Authorization are sufficient, or when we should accept the privacy provided by IPSec in the VPN/Firewall, vs. the need to have on-HBA or SW IPSec/TLS. Up until now this has not been clear to me.

We need to understand if an IPSec function in the HBA or SW would be a problem, since the Firewall is likely to also be a NAT, in several of the above environments. Why would an organization want to bypass their Firewall and go straight to the Internet just because they had IPSec on the HBA? What is gained by that? If the installation had a Firewall with NAT and they wanted to stay behind that Firewall, wouldn't the IPSec on the HBA or SW be problematical?

. . .
John L. Hufferd
Senior Technical Staff Member (STSM)
IBM/SSG San Jose Ca
(408) 256-0403, Tie: 276-0403, eFax: (408) 904-4688
Internet address: hufferd@us.ibm.com
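The message's last question, whether end-to-end IPsec on an HBA or in host software is workable when the site firewall is also a NAT, can be illustrated with a small model. The following is an added example, not part of the original post or of any IPS working-group document: it builds a TCP segment carrying a constructed iSCSI-style payload, protects it once with an AH-style integrity check (which covers the IP addresses) and once with an ESP-transport-style check (which covers only the segment), then lets a NAT rewrite the source address. The addresses, key, and packet layout are constructed for the demo and are not RFC-exact IPsec; the destination port 3260 is the registered iSCSI port.

```python
"""
Added example (not from the original message): why an IPsec endpoint behind a
NAT firewall is a problem. Two effects are modelled:

1. AH-style integrity: the ICV is computed over the immutable IP header fields
   (here, source and destination address) plus the payload, so it fails to
   verify once the NAT rewrites the source address.
2. ESP transport mode: the ESP check covers only the segment and still passes
   after NAT, but the TCP checksum inside the (encrypted, NAT-invisible)
   segment was computed over a pseudo-header holding the original source
   address, so the receiving host's TCP checksum check fails instead.

Addresses, the SA key and the packet layout are constructed for the demo.
"""
import hashlib
import hmac
import ipaddress
import struct

SA_KEY = b"demo-sa-key-not-a-real-key"  # constructed shared key for the toy SA


def _inet_checksum(data: bytes) -> int:
    """Standard ones'-complement Internet checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """TCP checksum: IPv4 pseudo-header (src, dst, zero, proto 6, length) + segment."""
    pseudo = (ipaddress.IPv4Address(src).packed
              + ipaddress.IPv4Address(dst).packed
              + struct.pack("!BBH", 0, 6, len(segment)))
    return _inet_checksum(pseudo + segment)


def build_tcp_segment(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """20-byte TCP header (checksum field at offset 16) followed by the payload."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    csum = tcp_checksum(src, dst, hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def tcp_checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    """Receiver-side check: recompute with the checksum field zeroed and compare."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return tcp_checksum(src, dst, zeroed) == struct.unpack("!H", segment[16:18])[0]


def ah_icv(src: str, dst: str, segment: bytes) -> bytes:
    """AH-style ICV: covers the (immutable) IP addresses and the whole payload."""
    covered = ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed + segment
    return hmac.new(SA_KEY, covered, hashlib.sha256).digest()[:12]


def esp_icv(segment: bytes) -> bytes:
    """ESP-style ICV: covers only the protected payload, not the outer IP header."""
    return hmac.new(SA_KEY, segment, hashlib.sha256).digest()[:12]


def nat_rewrite(packet: dict, public_src: str) -> dict:
    """The NAT box replaces the private source address; it cannot touch the
    protected segment, so it cannot fix the TCP checksum the way it normally would."""
    return {**packet, "src": public_src}


def ah_verify(packet: dict) -> bool:
    expected = ah_icv(packet["src"], packet["dst"], packet["segment"])
    return hmac.compare_digest(expected, packet["icv"])


def esp_verify(packet: dict) -> bool:
    return hmac.compare_digest(esp_icv(packet["segment"]), packet["icv"])


def demo() -> dict:
    """Run both cases and return which checks pass directly and after NAT."""
    initiator, target, nat_public = "10.0.0.5", "203.0.113.10", "198.51.100.1"  # constructed
    seg = build_tcp_segment(initiator, target, 40000, 3260, b"iSCSI login PDU (constructed)")
    ah_pkt = {"src": initiator, "dst": target, "segment": seg, "icv": ah_icv(initiator, target, seg)}
    esp_pkt = {"src": initiator, "dst": target, "segment": seg, "icv": esp_icv(seg)}
    ah_natted = nat_rewrite(ah_pkt, nat_public)
    esp_natted = nat_rewrite(esp_pkt, nat_public)
    return {
        "ah_direct": ah_verify(ah_pkt),
        "ah_after_nat": ah_verify(ah_natted),
        "esp_icv_after_nat": esp_verify(esp_natted),
        "tcp_checksum_direct": tcp_checksum_ok(esp_pkt["src"], esp_pkt["dst"], esp_pkt["segment"]),
        "tcp_checksum_after_nat": tcp_checksum_ok(esp_natted["src"], esp_natted["dst"], esp_natted["segment"]),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:24s} {'pass' if ok else 'FAIL'}")
```

Run directly, the AH packet verifies only before the NAT, and the ESP packet survives the ESP check after NAT but is then rejected by the receiving TCP stack because the checksum no longer matches the rewritten address. That is the concrete form of the incompatibility the message raises for environments 2, 3 and 5, and it is the reason later IPsec deployments behind NAT rely on UDP encapsulation of ESP (RFC 3948) rather than AH or bare ESP transport mode.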
Last updated: Tue Sep 04 01:05:32 2001