iSCSI: Security Enviornments

["John Hufferd" <hufferd@us.ibm.com>]

OK Team, it seems to me that we need to talk about what environments we are
trying Secure.   Because, I think we need to sort out which environments
need what type of Security mechanism.

The following are a list of environments that we need to support with iSCSI

1.  A Local LAN Environment, in a small organization, which is not open to
outsiders.  Mostly Desktops and Laptop Systems, and want to pool storage
(but not with FC).  iSCSI initiators (and maybe targets) are provided via
SW TCP/IP and iSCSI.

2.  A Local LAN Environment that is isolated from outsiders via a firewall,
has no storage access to, or from, anyone outside the Firewall.  Mostly
Desktops and Laptops, may be a local Server or two.  They want to pool
storage, (but not with FC). The non Server Systems will have SW TCP/IP and
iSCSI HBA implementations, and the Others will have iSCSI and TCP/IP
provided by SW.

3.  A remote office that has a VPN (Virtual Private Network) and Firewall
to a main IT organization.  Accessing Servers (at the central IT location)
with normal Client Server and Web Browser applications.  They want to
access iSCSI storage at the central IT location.   iSCSI initiators  are
provided via SW TCP/IP and iSCSI, however, if any Servers need to access
the remote iSCSI Storage,  they will probably be using HW iSCSI HBAs.

4.  A Central IT organization that has Desktops and Laptops on their
Intranet, on their company campus.  They want the Host on the Campus to
have access to the iSCSI storage located at various places within the
campus.  They will have both iSCSI HBAs in Servers, and iSCSI SW in the
Desktops and Laptops.

5.  Several Remote IT locations that have VPNs in/out and Firewalls, and
proxies, used for Client Server actions and Web Browsing (in and out).
They want to have iSCSI access to  Storage at each other locations.  Each
Site has Desktops, Laptops, and Servers that need to access local and
remote Storage.  IT organization have local FC, and iSCSI Storage.  (Note:
can also use FCIP here as well as iFCP, but lets keep the discussion to
iSCSI for now.)  The various Servers have iSCSI HW (with TOEs), and the
Desktops/Laptops use SW for the iSCSI implementation.

 6.  A SSP (Storage Service Provider) wants to offer its storage for use by
various different customers, across the Internet.  The SSP will have an
iSCSI HW HBAs that handle the protocols.

I think it would be very useful, if we could talk about our "solutions" to
the security need in terms of the above environments.  There may be more,
but lets first work on the above.

The remote offices and the IT organizations have physical security between
the IPSec Firewall and the Host, or Storage Device.

   We need to understand why we need IPSec/TLS, in each of the above
   environments, as a function in SW and/or in a HW adapter.  That is, we
   need to understand when just Session Authentication & Authorization are
   sufficient, or when we should accept the privacy provided by IPSec in
   the VPN/Firewall, vrs the need to have on HBA or SW IPSec/TLS.  Up until
   now this has not been clear to me.

   We need to understand if an IPSec function in the HBA  or SW, would be a
   problem since the Firewall is likely to also be a NAT, in several of the
   above environments.

   Why would an organization want to bypass their Firewall and go straight
   to the Internet just because they had IPSec on the HBA.  What is gained
   by that?

   If the installation had a Firewall with NAT and they wanted to stay
   behind that Firewall, wouldn't the IPSec on the HBA or SW be
   problematical?



.
.
.
John L. Hufferd
Senior Technical Staff Member (STSM)
IBM/SSG San Jose Ca
(408) 256-0403, Tie: 276-0403,  eFax: (408) 904-4688
Internet address: hufferd@us.ibm.com