|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] RE: iSCSI: Security EnviornmentsJulian, Security at the storage device over various native transports can be seen as a subset of the security required for an IPS device. IPS employs security foreign to storage and this entails a new set of tools required to maintain these systems, hopefully in an industry consistent manner. Understanding security needs of the underlying devices is important in the development of the information base that will be required, but this information is not complete on its own as it must be coupled with security needed by IPS. It makes sense to devise a means of managing this information using network based tools and then apply this information within IPS protocols as a means of preventing vendor unique methods being the only solution. I would suspect, when it comes to network security, work done by GAA and GSS will act as a framework of the solution, but the information structures and their storage will fall to IPS. http://www.ietf.org/internet-drafts/draft-ietf-cat-gaa-cbind-05.txt The Generic Authorization and Access-control (GAA) API is an IETF draft (it is not a ratified IETF standard) for adding authorization to applications. It really consists of two parts: 1) a standard way of describing authorization policies, and 2) a standard API for checking such policies against the security credentials that come from an authentication process such as GSS-API. http://www-itg.lbl.gov/security/Akenti/ http://www-itg.lbl.gov/Akenti/docs/servers.html#CA Doug > On subject of authorization - I think we would be ill advised to start > something - there is a considerable body of work being done in > the security > area under the name GAA (like GSS) and we might want to use it when ready. > We can provide them with input and/or help. > > Julo > > > Black_David@emc.com on 18/02/2001 23:00:35 > > Please respond to Black_David@emc.com > > To: dotis@sanlight.net, ips@ece.cmu.edu > cc: > Subject: RE: iSCSI: Security Enviornments > > > > > > Thank you for the information. You have made it clear you view iSNS is > to > > be the source of authorization. I fail to understand what limitation > exists > > using LDAP directly versus this rehash of DNS and LDAP, but you should > > understand the importance of asking such dumb questions. > > iSNS is by no means the only possible source of this sort of information. > If someone wants to use LDAP, they should write up and submit a draft > on how to use it. > > > security management must be able to > > endure device failure. This implies security is placed safely somewhere > > which contains both authentication and authorization information. > > The implication is incorrect. The ability to run the security management > application on more than one host to manage access control lists in > persistent storage on the device is a counterexample. > > Most access control lists are stored at the point of access rather than > obtained from an external source. I think it's up to the WG to decide > whether to store authorization information at the target vs. obtaining it > externally. > > --David > > --------------------------------------------------- > David L. Black, Senior Technologist > EMC Corporation, 42 South St., Hopkinton, MA 01748 > +1 (508) 435-1000 x75140 FAX: +1 (508) 497-8500 > black_david@emc.com Mobile: +1 (978) 394-7754 > --------------------------------------------------- > > > > >
Home Last updated: Tue Sep 04 01:05:31 2001 6315 messages in chronological order |