
    RE: iSCSI: Security Environments



    John,
    
    Consider aspects of management.  If the SCSI controller responds to client
    with lists of accessible devices, how is the SCSI controller informed?  How
    is access managed in a uniform manner?
    
    If a VPN is used, privacy is not needed within the SCSI transport.
    
    Is TLS secure for a SAN?
    
    Switches offer privacy if the LAN is physically secure resulting in little
    difference between FC and Ethernet.
    
    If the device is for a mobile notebook, as an example, authentication offers
    adequate security.
    
    If the SCSI transport is implemented in software, is privacy practical?
    
    With many applications not requiring privacy, why mandate privacy?  Even a
    software-only implementation will require additional memory.
    
    Doug
    
    
    
    
    > OK Team, it seems to me that we need to talk about what environments we are
    > trying to secure.   Because, I think we need to sort out which environments
    > need what type of Security mechanism.
    >
    > The following is a list of environments that we need to support with iSCSI:
    >
    > 1.  A Local LAN Environment, in a small organization, which is not open to
    > outsiders.  Mostly Desktops and Laptop Systems, and want to pool storage
    > (but not with FC).  iSCSI initiators (and maybe targets) are provided via
    > SW TCP/IP and iSCSI.
    >
    > 2.  A Local LAN Environment that is isolated from outsiders via a firewall,
    > has no storage access to, or from, anyone outside the Firewall.  Mostly
    > Desktops and Laptops, may be a local Server or two.  They want to pool
    > storage, (but not with FC). The non Server Systems will have SW TCP/IP and
    > iSCSI HBA implementations, and the Others will have iSCSI and TCP/IP
    > provided by SW.
    >
    > 3.  A remote office that has a VPN (Virtual Private Network) and Firewall
    > to a main IT organization.  Accessing Servers (at the central IT location)
    > with normal Client Server and Web Browser applications.  They want to
    > access iSCSI storage at the central IT location.   iSCSI initiators  are
    > provided via SW TCP/IP and iSCSI, however, if any Servers need to access
    > the remote iSCSI Storage,  they will probably be using HW iSCSI HBAs.
    >
    > 4.  A Central IT organization that has Desktops and Laptops on their
    > Intranet, on their company campus.  They want the Host on the Campus to
    > have access to the iSCSI storage located at various places within the
    > campus.  They will have both iSCSI HBAs in Servers, and iSCSI SW in the
    > Desktops and Laptops.
    >
    > 5.  Several Remote IT locations that have VPNs in/out and Firewalls, and
    > proxies, used for Client Server actions and Web Browsing (in and out).
    > They want to have iSCSI access to Storage at each other's locations.  Each
    > Site has Desktops, Laptops, and Servers that need to access local and
    > remote Storage.  IT organizations have local FC and iSCSI Storage.  (Note:
    > can also use FCIP here as well as iFCP, but let's keep the discussion to
    > iSCSI for now.)  The various Servers have iSCSI HW (with TOEs), and the
    > Desktops/Laptops use SW for the iSCSI implementation.
    >
    > 6.  An SSP (Storage Service Provider) wants to offer its storage for use by
    > various different customers, across the Internet.  The SSP will have
    > iSCSI HW HBAs that handle the protocols.
    >
    > I think it would be very useful if we could talk about our "solutions" to
    > the security need in terms of the above environments.  There may be more,
    > but let's first work on the above.
    >
    > The remote offices and the IT organizations have physical security between
    > the IPSec Firewall and the Host, or Storage Device.
    >
    >    We need to understand why we need IPSec/TLS, in each of the above
    >    environments, as a function in SW and/or in a HW adapter.  That is, we
    >    need to understand when just Session Authentication & Authorization are
    >    sufficient, or when we should accept the privacy provided by IPSec in
    >    the VPN/Firewall, vs. the need to have on-HBA or SW IPSec/TLS.  Up until
    >    now this has not been clear to me.
    >
    >    We need to understand if an IPSec function in the HBA or SW would be a
    >    problem, since the Firewall is likely to also be a NAT in several of the
    >    above environments.
    >
    >    Why would an organization want to bypass their Firewall and go straight
    >    to the Internet just because they had IPSec on the HBA?  What is gained
    >    by that?
    >
    >    If the installation had a Firewall with NAT and they wanted to stay
    >    behind that Firewall, wouldn't the IPSec on the HBA or SW be
    >    problematical?
    >
    >
    >
    > .
    > .
    > .
    > John L. Hufferd
    > Senior Technical Staff Member (STSM)
    > IBM/SSG San Jose Ca
    > (408) 256-0403, Tie: 276-0403,  eFax: (408) 904-4688
    > Internet address: hufferd@us.ibm.com
    >
    >
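The NAT question at the end of the quoted message, as an added illustration that is not part of the original thread or any IPS working-group draft: AH computes its integrity check value over the immutable IPv4 header fields, and the source and destination addresses are immutable, so a source NAT rewriting the address makes the receiver's ICV check fail. ESP does not cover the outer header, but in transport mode the TCP checksum inside the encrypted payload still covers the pseudo-header (and thus the original source address), and the NAT cannot see or fix it, so the segment fails the receiving host's checksum instead. The assumptions here are mine: a manually keyed SA using HMAC-SHA1-96, the AH header itself left out of the ICV input for brevity, constructed addresses and payload, and no real sockets. UDP encapsulation of ESP (NAT-T) was standardized later precisely to work around this.

```python
"""
Constructed illustration: why IPsec AH (RFC 2402 style) and ESP transport mode
both run into trouble behind a NAT.  Assumptions (not from the thread): manual
keying with HMAC-SHA1-96, the AH header itself omitted from the ICV input,
made-up addresses and payload, no real network I/O.
"""
import hashlib
import hmac
import ipaddress
import struct

IPPROTO_AH = 51
IPPROTO_TCP = 6
ISCSI_PORT = 3260  # IANA-registered iSCSI target port


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_header(src: str, dst: str, proto: int = IPPROTO_AH, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header; header checksum left zero (it is mutable)."""
    return struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 60, 0x1234, 0, ttl, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )


def ah_icv_input(hdr: bytes) -> bytes:
    """AH zeroes the mutable IPv4 fields before hashing: TOS, flags/fragment
    offset, TTL and header checksum.  Source and destination addresses are
    immutable and stay in the hash, which is exactly what a NAT changes."""
    h = bytearray(hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_icv(key: bytes, hdr: bytes, payload: bytes) -> bytes:
    """HMAC-SHA1-96 over the immutable header fields plus the payload."""
    return hmac.new(key, ah_icv_input(hdr) + payload, hashlib.sha1).digest()[:12]


def ah_verify(key: bytes, hdr: bytes, payload: bytes, icv: bytes) -> bool:
    return hmac.compare_digest(ah_icv(key, hdr, payload), icv)


def nat_rewrite_src(hdr: bytes, new_src: str) -> bytes:
    """What a source NAT does to the outer header (IP checksum fix-up omitted)."""
    h = bytearray(hdr)
    h[12:16] = ipaddress.IPv4Address(new_src).packed
    return bytes(h)


def tcp_pseudo_header(src: str, dst: str, seg_len: int) -> bytes:
    return (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
            + struct.pack("!BBH", 0, IPPROTO_TCP, seg_len))


def tcp_segment(src: str, dst: str, payload: bytes, sport: int = 40000) -> bytes:
    """TCP segment with a correct checksum.  The checksum covers the pseudo-header,
    so it depends on the IP source address even though that address is not
    carried in the segment itself."""
    hdr = struct.pack("!HHIIBBHHH", sport, ISCSI_PORT, 1, 1, 0x50, 0x18, 65535, 0, 0)
    seg = hdr + payload
    csum = inet_checksum(tcp_pseudo_header(src, dst, len(seg)) + seg)
    return seg[:16] + struct.pack("!H", csum) + seg[18:]


def tcp_checksum_ok(src: str, dst: str, seg: bytes) -> bool:
    return inet_checksum(tcp_pseudo_header(src, dst, len(seg)) + seg) == 0


def demo() -> dict:
    key = b"constructed-manually-keyed-SA"  # assumption: manual keying
    src, dst, nat_src = "10.0.0.5", "192.0.2.10", "203.0.113.7"  # constructed
    seg = tcp_segment(src, dst, b"constructed iSCSI PDU bytes")
    hdr = ip_header(src, dst)
    icv = ah_icv(key, hdr, seg)

    after_router = bytearray(hdr)
    after_router[8] -= 1  # a router decrementing TTL is fine: TTL is mutable
    return {
        "ah_direct": ah_verify(key, hdr, seg, icv),
        "ah_after_ttl_decrement": ah_verify(key, bytes(after_router), seg, icv),
        "ah_after_nat": ah_verify(key, nat_rewrite_src(hdr, nat_src), seg, icv),
        # ESP transport mode: the segment sits inside the encrypted ESP payload,
        # so the NAT cannot fix its checksum; the receiver verifies it against
        # the rewritten source address it actually received the packet from.
        "tcp_checksum_direct": tcp_checksum_ok(src, dst, seg),
        "tcp_checksum_after_nat_inside_esp": tcp_checksum_ok(nat_src, dst, seg),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:36s} {'pass' if ok else 'FAIL'}")
```

Running it shows the two direct checks and the TTL-decrement case passing and both NAT cases failing, which is the concrete reason an on-HBA or in-kernel IPsec endpoint behind a NAT'ing firewall is "problematical" without tunnel-mode or UDP-encapsulated ESP.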
    
    


Last updated: Tue Sep 04 01:05:32 2001