RE: Security Gateways

[Black_David@emc.com]

> I believe the security requirements for FCIP may be somewhat different
> than those for iSCSI.

I believe that's true, but that the most important differences
are in the area of authentication.  FCIP need only concern itself with
"machine" authentication, as FCIP is fundamentally connecting two switches.
iSCSI is more complex and involves a granularity of authentication
finer than "machine" (e.g., one might be authenticating the backup
application to the tape drive as opposed to authenticating the server
on which the backup application is running).

> While it is possible to secure iSCSI end-to-end,
> it's not possible to do so for FCIP because of the fact that Fibre Channel
> itself has no built-in security protocol.

True, but this actually increases the security requirements for FCIP
because there's no higher level security available.

> A user of FC needs to physically
> secure the FC portion of the SAN in any case so the additional physical
> security for the FCIP device, or the wire between it and a sec gateway, is
> much less of an issue.

This looks like violent agreement with what I've written.  A system
consisting
of [FCIP device, cable, security gateway] provides sufficient security to
comply with the RFC requirements at the external interface of the gateway.
In such a system, it is both highly advisable and feasible to physically
secure the (short) cable between the FCIP device and the gateway.

Thanks,
--David

---------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA  01748
+1 (508) 435-1000 x75140     FAX: +1 (508) 497-8500
black_david@emc.com       Mobile: +1 (978) 394-7754
---------------------------------------------------