RE: iSCSI: Security Enviornments

["Douglas Otis" <dotis@sanlight.net>]

Julian,

Security at the storage device over various native transports can be seen as
a subset of the security required for an IPS device.  IPS employs security
foreign to storage and this entails a new set of tools required to maintain
these systems, hopefully in an industry consistent manner. Understanding
security needs of the underlying devices is important in the development of
the information base that will be required, but this information is not
complete on its own as it must be coupled with security needed by IPS.  It
makes sense to devise a means of managing this information using network
based tools and then apply this information within IPS protocols as a means
of preventing vendor unique methods being the only solution.  I would
suspect, when it comes to network security, work done by GAA and GSS will
act as a framework of the solution, but the information structures and their
storage will fall to IPS.

http://www.ietf.org/internet-drafts/draft-ietf-cat-gaa-cbind-05.txt

The Generic Authorization and Access-control (GAA) API is an IETF draft (it
is not a ratified IETF standard) for adding authorization to applications.
It really consists of two parts: 1) a standard way of describing
authorization policies, and 2) a standard API for checking such policies
against the security credentials that come from an authentication
process such as GSS-API.

http://www-itg.lbl.gov/security/Akenti/

http://www-itg.lbl.gov/Akenti/docs/servers.html#CA


Doug

> On subject of authorization - I think we would be ill advised to start
> something - there is a considerable body of work being done in
> the security
> area under the name GAA (like GSS) and we might want to use it when ready.
> We can provide them with input and/or help.
>
> Julo
>
>
> Black_David@emc.com on 18/02/2001 23:00:35
>
> Please respond to Black_David@emc.com
>
> To:   dotis@sanlight.net, ips@ece.cmu.edu
> cc:
> Subject:  RE: iSCSI: Security Enviornments
>
>
>
>
> > Thank you for the information.  You have made it clear you view iSNS is
> to
> > be the source of authorization.  I fail to understand what limitation
> exists
> > using LDAP directly versus this rehash of DNS and LDAP, but you should
> > understand the importance of asking such dumb questions.
>
> iSNS is by no means the only possible source of this sort of information.
> If someone wants to use LDAP, they should write up and submit a draft
> on how to use it.
>
> >  security management must be able to
> > endure device failure.  This implies security is placed safely somewhere
> > which contains both authentication and authorization information.
>
> The implication is incorrect.  The ability to run the security management
> application on more than one host to manage access control lists in
> persistent storage on the device is a counterexample.
>
> Most access control lists are stored at the point of access rather than
> obtained from an external source.  I think it's up to the WG to decide
> whether to store authorization information at the target vs. obtaining it
> externally.
>
> --David
>
> ---------------------------------------------------
> David L. Black, Senior Technologist
> EMC Corporation, 42 South St., Hopkinton, MA  01748
> +1 (508) 435-1000 x75140     FAX: +1 (508) 497-8500
> black_david@emc.com       Mobile: +1 (978) 394-7754
> ---------------------------------------------------
>
>
>
>
>