RE: iSCSI: Security Enviornments

["Douglas Otis" <dotis@sanlight.net>]

John,

Consider aspects of management.  If the SCSI controller responds to client
with lists of accessible devices, how is the SCSI controller informed?  How
is access managed in a uniform manner?

If VPN is used, privacy is not needed within the SCSI transport.

Is TLS secure for a SAN?

Switches offer privacy if the LAN is physically secure resulting in little
difference between FC and Ethernet.

If the device is for a mobile notebook, as example, authentication offers
adequate security.

If the SCSI transport is implemented in software, is privacy practical?

With many applications not requiring privacy, why mandate privacy?  Even a
software only implementation will require additional memory.

Doug




> OK Team, it seems to me that we need to talk about what
> environments we are
> trying Secure.   Because, I think we need to sort out which environments
> need what type of Security mechanism.
>
> The following are a list of environments that we need to support
> with iSCSI
>
> 1.  A Local LAN Environment, in a small organization, which is not open to
> outsiders.  Mostly Desktops and Laptop Systems, and want to pool storage
> (but not with FC).  iSCSI initiators (and maybe targets) are provided via
> SW TCP/IP and iSCSI.
>
> 2.  A Local LAN Environment that is isolated from outsiders via a
> firewall,
> has no storage access to, or from, anyone outside the Firewall.  Mostly
> Desktops and Laptops, may be a local Server or two.  They want to pool
> storage, (but not with FC). The non Server Systems will have SW TCP/IP and
> iSCSI HBA implementations, and the Others will have iSCSI and TCP/IP
> provided by SW.
>
> 3.  A remote office that has a VPN (Virtual Private Network) and Firewall
> to a main IT organization.  Accessing Servers (at the central IT location)
> with normal Client Server and Web Browser applications.  They want to
> access iSCSI storage at the central IT location.   iSCSI initiators  are
> provided via SW TCP/IP and iSCSI, however, if any Servers need to access
> the remote iSCSI Storage,  they will probably be using HW iSCSI HBAs.
>
> 4.  A Central IT organization that has Desktops and Laptops on their
> Intranet, on their company campus.  They want the Host on the Campus to
> have access to the iSCSI storage located at various places within the
> campus.  They will have both iSCSI HBAs in Servers, and iSCSI SW in the
> Desktops and Laptops.
>
> 5.  Several Remote IT locations that have VPNs in/out and Firewalls, and
> proxies, used for Client Server actions and Web Browsing (in and out).
> They want to have iSCSI access to  Storage at each other locations.  Each
> Site has Desktops, Laptops, and Servers that need to access local and
> remote Storage.  IT organization have local FC, and iSCSI Storage.  (Note:
> can also use FCIP here as well as iFCP, but lets keep the discussion to
> iSCSI for now.)  The various Servers have iSCSI HW (with TOEs), and the
> Desktops/Laptops use SW for the iSCSI implementation.
>
>  6.  A SSP (Storage Service Provider) wants to offer its storage
> for use by
> various different customers, across the Internet.  The SSP will have an
> iSCSI HW HBAs that handle the protocols.
>
> I think it would be very useful, if we could talk about our "solutions" to
> the security need in terms of the above environments.  There may be more,
> but lets first work on the above.
>
> The remote offices and the IT organizations have physical security between
> the IPSec Firewall and the Host, or Storage Device.
>
>    We need to understand why we need IPSec/TLS, in each of the above
>    environments, as a function in SW and/or in a HW adapter.  That is, we
>    need to understand when just Session Authentication & Authorization are
>    sufficient, or when we should accept the privacy provided by IPSec in
>    the VPN/Firewall, vrs the need to have on HBA or SW IPSec/TLS.
>  Up until
>    now this has not been clear to me.
>
>    We need to understand if an IPSec function in the HBA  or SW,
> would be a
>    problem since the Firewall is likely to also be a NAT, in
> several of the
>    above environments.
>
>    Why would an organization want to bypass their Firewall and go straight
>    to the Internet just because they had IPSec on the HBA.  What is gained
>    by that?
>
>    If the installation had a Firewall with NAT and they wanted to stay
>    behind that Firewall, wouldn't the IPSec on the HBA or SW be
>    problematical?
>
>
>
> .
> .
> .
> John L. Hufferd
> Senior Technical Staff Member (STSM)
> IBM/SSG San Jose Ca
> (408) 256-0403, Tie: 276-0403,  eFax: (408) 904-4688
> Internet address: hufferd@us.ibm.com
>
>