|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] RE: iSCSI: Security EnviornmentsJohn, Consider aspects of management. If the SCSI controller responds to client with lists of accessible devices, how is the SCSI controller informed? How is access managed in a uniform manner? If VPN is used, privacy is not needed within the SCSI transport. Is TLS secure for a SAN? Switches offer privacy if the LAN is physically secure resulting in little difference between FC and Ethernet. If the device is for a mobile notebook, as example, authentication offers adequate security. If the SCSI transport is implemented in software, is privacy practical? With many applications not requiring privacy, why mandate privacy? Even a software only implementation will require additional memory. Doug > OK Team, it seems to me that we need to talk about what > environments we are > trying Secure. Because, I think we need to sort out which environments > need what type of Security mechanism. > > The following are a list of environments that we need to support > with iSCSI > > 1. A Local LAN Environment, in a small organization, which is not open to > outsiders. Mostly Desktops and Laptop Systems, and want to pool storage > (but not with FC). iSCSI initiators (and maybe targets) are provided via > SW TCP/IP and iSCSI. > > 2. A Local LAN Environment that is isolated from outsiders via a > firewall, > has no storage access to, or from, anyone outside the Firewall. Mostly > Desktops and Laptops, may be a local Server or two. They want to pool > storage, (but not with FC). The non Server Systems will have SW TCP/IP and > iSCSI HBA implementations, and the Others will have iSCSI and TCP/IP > provided by SW. > > 3. A remote office that has a VPN (Virtual Private Network) and Firewall > to a main IT organization. Accessing Servers (at the central IT location) > with normal Client Server and Web Browser applications. They want to > access iSCSI storage at the central IT location. iSCSI initiators are > provided via SW TCP/IP and iSCSI, however, if any Servers need to access > the remote iSCSI Storage, they will probably be using HW iSCSI HBAs. > > 4. A Central IT organization that has Desktops and Laptops on their > Intranet, on their company campus. They want the Host on the Campus to > have access to the iSCSI storage located at various places within the > campus. They will have both iSCSI HBAs in Servers, and iSCSI SW in the > Desktops and Laptops. > > 5. Several Remote IT locations that have VPNs in/out and Firewalls, and > proxies, used for Client Server actions and Web Browsing (in and out). > They want to have iSCSI access to Storage at each other locations. Each > Site has Desktops, Laptops, and Servers that need to access local and > remote Storage. IT organization have local FC, and iSCSI Storage. (Note: > can also use FCIP here as well as iFCP, but lets keep the discussion to > iSCSI for now.) The various Servers have iSCSI HW (with TOEs), and the > Desktops/Laptops use SW for the iSCSI implementation. > > 6. A SSP (Storage Service Provider) wants to offer its storage > for use by > various different customers, across the Internet. The SSP will have an > iSCSI HW HBAs that handle the protocols. > > I think it would be very useful, if we could talk about our "solutions" to > the security need in terms of the above environments. There may be more, > but lets first work on the above. > > The remote offices and the IT organizations have physical security between > the IPSec Firewall and the Host, or Storage Device. > > We need to understand why we need IPSec/TLS, in each of the above > environments, as a function in SW and/or in a HW adapter. That is, we > need to understand when just Session Authentication & Authorization are > sufficient, or when we should accept the privacy provided by IPSec in > the VPN/Firewall, vrs the need to have on HBA or SW IPSec/TLS. > Up until > now this has not been clear to me. > > We need to understand if an IPSec function in the HBA or SW, > would be a > problem since the Firewall is likely to also be a NAT, in > several of the > above environments. > > Why would an organization want to bypass their Firewall and go straight > to the Internet just because they had IPSec on the HBA. What is gained > by that? > > If the installation had a Firewall with NAT and they wanted to stay > behind that Firewall, wouldn't the IPSec on the HBA or SW be > problematical? > > > > . > . > . > John L. Hufferd > Senior Technical Staff Member (STSM) > IBM/SSG San Jose Ca > (408) 256-0403, Tie: 276-0403, eFax: (408) 904-4688 > Internet address: hufferd@us.ibm.com > >
Home Last updated: Tue Sep 04 01:05:32 2001 6315 messages in chronological order |