
    RE: iSCSI: Security Environments



    Julian,
    
    Security at the storage device over various native transports can be seen as
    a subset of the security required for an IPS device.  IPS employs security
    foreign to storage, and this entails a new set of tools required to maintain
    these systems, hopefully in an industry-consistent manner. Understanding the
    security needs of the underlying devices is important in the development of
    the information base that will be required, but this information is not
    complete on its own, as it must be coupled with the security needed by IPS.  It
    makes sense to devise a means of managing this information using network-
    based tools and then apply this information within IPS protocols as a means
    of preventing vendor-unique methods from being the only solution.  I would
    suspect, when it comes to network security, work done by GAA and GSS will
    act as a framework for the solution, but the information structures and their
    storage will fall to IPS.
    
    http://www.ietf.org/internet-drafts/draft-ietf-cat-gaa-cbind-05.txt
    
    The Generic Authorization and Access-control (GAA) API is an IETF draft (it
    is not a ratified IETF standard) for adding authorization to applications.
    It really consists of two parts: 1) a standard way of describing
    authorization policies, and 2) a standard API for checking such policies
    against the security credentials that come from an authentication
    process such as GSS-API.
    
    http://www-itg.lbl.gov/security/Akenti/
    
    http://www-itg.lbl.gov/Akenti/docs/servers.html#CA
    
    
    Doug
    
    > On the subject of authorization - I think we would be ill advised to start
    > something - there is a considerable body of work being done in the security
    > area under the name GAA (like GSS) and we might want to use it when ready.
    > We can provide them with input and/or help.
    >
    > Julo
    >
    >
    > Black_David@emc.com on 18/02/2001 23:00:35
    >
    > Please respond to Black_David@emc.com
    >
    > To:   dotis@sanlight.net, ips@ece.cmu.edu
    > cc:
    > Subject:  RE: iSCSI: Security Environments
    >
    >
    >
    >
    > > Thank you for the information.  You have made it clear you view iSNS is to
    > > be the source of authorization.  I fail to understand what limitation exists
    > > using LDAP directly versus this rehash of DNS and LDAP, but you should
    > > understand the importance of asking such dumb questions.
    >
    > iSNS is by no means the only possible source of this sort of information.
    > If someone wants to use LDAP, they should write up and submit a draft
    > on how to use it.
    >
    > >  security management must be able to
    > > endure device failure.  This implies security is placed safely somewhere
    > > which contains both authentication and authorization information.
    >
    > The implication is incorrect.  The ability to run the security management
    > application on more than one host to manage access control lists in
    > persistent storage on the device is a counterexample.
    >
    > Most access control lists are stored at the point of access rather than
    > obtained from an external source.  I think it's up to the WG to decide
    > whether to store authorization information at the target vs. obtaining it
    > externally.
    >
    > --David
    >
    > ---------------------------------------------------
    > David L. Black, Senior Technologist
    > EMC Corporation, 42 South St., Hopkinton, MA  01748
    > +1 (508) 435-1000 x75140     FAX: +1 (508) 497-8500
    > black_david@emc.com       Mobile: +1 (978) 394-7754
    > ---------------------------------------------------

Last updated: Tue Sep 04 01:05:31 2001
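A worked example for the two points debated in the thread above: a policy description checked against credentials that a separate authentication step produced (the two-part GAA shape Doug summarizes), and an access list held in persistent storage at the point of access, the target, as David Black's reply proposes. This is an added illustration, not code from the IPS working group, the GAA draft, Akenti or any iSNS implementation; the rule syntax, the IQNs, the file layout and every function name are hypothetical.

```python
"""Authorization in the two-part shape the GAA draft describes: a policy
description (a small text ACL kept in persistent storage at the target) and
a check routine that evaluates it against the credential a separate
authentication step produced.  Added illustration for the thread above, not
code from the IPS WG, the GAA draft, Akenti or iSNS; the rule syntax, the
IQNs and all function names are hypothetical."""
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Hypothetical rule syntax, one per line:  allow <target-iqn> <initiator-iqn> <op>[,<op>...]
# There is no "deny" keyword: anything not explicitly allowed is denied, so the
# decision never depends on rule order.
KNOWN_OPS = {"discover", "read", "write"}

# target iqn -> initiator iqn -> permitted operations
Policy = Dict[str, Dict[str, Set[str]]]


@dataclass(frozen=True)
class Credential:
    """What authentication (e.g. a completed GSS-API context) hands to the
    authorization check: the verified initiator name and whether it was verified."""
    initiator: Optional[str]
    authenticated: bool


class PolicyError(ValueError):
    """Any malformed rule rejects the whole policy: the target must not load a
    file it only partly understands (fail closed)."""


def parse_policy(text: str) -> Policy:
    policy: Policy = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # strip comments and blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4 or parts[0] != "allow":
            raise PolicyError(f"line {lineno}: expected 'allow <target> <initiator> <ops>'")
        _, target, initiator, ops_field = parts
        ops = {op for op in ops_field.split(",") if op}
        if not ops or not ops <= KNOWN_OPS:
            raise PolicyError(f"line {lineno}: bad operation list {ops_field!r}")
        policy.setdefault(target, {}).setdefault(initiator, set()).update(ops)
    return policy


def authorize(policy: Policy, cred: Credential, target: str, op: str) -> bool:
    """The check API: (credential, policy, request) -> decision, default deny.
    A name that was merely claimed, not authenticated, gets nothing."""
    if not cred.authenticated or not cred.initiator:
        return False
    return op in policy.get(target, {}).get(cred.initiator, set())


def save_policy(path: str, text: str) -> None:
    """Write via a temp file and atomic rename so that a crash mid-write leaves
    the previous policy intact rather than a truncated file."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".acl-")
    with os.fdopen(fd, "w") as f:
        f.write(text)
        f.flush()
        os.fsync(f.fileno())
    os.replace(tmp, path)


def load_policy(path: str) -> Policy:
    """A missing policy file means no rules, i.e. deny everything, not an error."""
    if not os.path.exists(path):
        return {}
    with open(path) as f:
        return parse_policy(f.read())


# Constructed sample ACL (not from the thread): disk1 is shared, host2 read-only.
SAMPLE_POLICY = """\
allow iqn.2001-02.example:disk1 iqn.2001-02.example:host1 discover,read,write
allow iqn.2001-02.example:disk1 iqn.2001-02.example:host2 discover,read
allow iqn.2001-02.example:disk2 iqn.2001-02.example:host1 discover,read,write
"""


def demo() -> Dict[str, bool]:
    """A management host writes the ACL into the target's store; the target
    reloads it (as it would after a restart) and answers a few requests."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "acl.txt")
        save_policy(path, SAMPLE_POLICY)
        policy = load_policy(path)
        host1 = Credential("iqn.2001-02.example:host1", True)
        host2 = Credential("iqn.2001-02.example:host2", True)
        claimed = Credential("iqn.2001-02.example:host1", False)  # name asserted, never proven
        disk1, disk2 = "iqn.2001-02.example:disk1", "iqn.2001-02.example:disk2"
        return {
            "host1_write_disk1": authorize(policy, host1, disk1, "write"),        # True
            "host2_read_disk1": authorize(policy, host2, disk1, "read"),          # True
            "host2_write_disk1": authorize(policy, host2, disk1, "write"),        # False
            "host2_read_disk2": authorize(policy, host2, disk2, "read"),          # False
            "claimed_host1_read_disk1": authorize(policy, claimed, disk1, "read"),  # False
            "empty_store_denies": authorize(load_policy(os.path.join(d, "none")), host1, disk1, "read"),  # False
        }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allow' if allowed else 'deny'}")
```

Three decisions in the block are the ones a target implementer has to get right regardless of where the ACL lives: a request whose initiator name was asserted but never authenticated is denied even though the name appears in the policy; a policy file the target cannot fully parse is refused rather than partially applied; and the store is updated by atomic rename, so an update interrupted by the device failure David Black mentions leaves the previous complete ACL in place. Whether the policy text is produced by a local tool, by LDAP or by iSNS does not change the check itself.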