
    RE: iSCSI: Security Environments



    David,
    
    By persistent storage, you mean network accessible storage if suggesting
    being able to manage IPS security over the network.  Even the iSNS implies
    some of its information may be stored using LDAP, one possible form of
    secure persistent network accessible storage.  Is there a desire within this
    WG to define an LDAP schema?  Otherwise, every manufacturer will devise
    their own methods of persistent security storage.  It seems like a directory
    user agent is a small amount of code to add to a storage device providing
    security.  It would make initializing these devices a simpler matter in that
    you point them to an authoritative LDAP server.  LDAP already provides
    features needed for security and extensibility and places management up a
    few steps on the evolutionary ladder.
    
    Doug
    
    > > Thank you for the information.  You have made it clear you view iSNS is to
    > > be the source of authorization.  I fail to understand what limitation exists
    > > using LDAP directly versus this rehash of DNS and LDAP, but you should
    > > understand the importance of asking such dumb questions.
    >
    > iSNS is by no means the only possible source of this sort of information.
    > If someone wants to use LDAP, they should write up and submit a draft
    > on how to use it.
    >
    > >  security management must be able to
    > > endure device failure.  This implies security is placed safely somewhere
    > > which contains both authentication and authorization information.
    >
    > The implication is incorrect.  The ability to run the security management
    > application on more than one host to manage access control lists in
    > persistent storage on the device is a counterexample.
    >
    > Most access control lists are stored at the point of access rather than
    > obtained from an external source.  I think it's up to the WG to decide
    > whether to store authorization information at the target vs. obtaining it
    > externally.
    >
    > --David
    >
    > ---------------------------------------------------
    > David L. Black, Senior Technologist
    > EMC Corporation, 42 South St., Hopkinton, MA  01748
    > +1 (508) 435-1000 x75140     FAX: +1 (508) 497-8500
    > black_david@emc.com       Mobile: +1 (978) 394-7754
    > ---------------------------------------------------
    >
    >
    
    



Last updated: Tue Sep 04 01:05:31 2001