> >> It won't run over the Internet because of latencies inherent on the
> >> public network.
>
> >at least for some storage applications, latency is not as important
> >as bandwidth. e.g. you can do backups over a high-latency medium
> >as long as your bandwidth is adequate (though recovery from write
> >errors gets a bit tricky).
>
> Backups could go through VPNs, I suppose.
except that you can't assume the presence of a VPN either. you need
authenticity and privacy specified as part of the storage access protocol.
> I suppose infrequently used and low
> priority files could also be accessed over the 'net.
yes, but file access protocols are better for this purpose.
I don't see wanting to mount a raw disk drive
across the public Internet very often.
(except perhaps read-only... virtual cdrom, anyone?)
> >> It will run over incredibly fast Packet over SONET Wide Area
> >> Networks--behind firewalls.
>
> >...it's
> >inappropriate to assume that it will always be used behind firewalls...
>
> If the larger network that is employing this technology doesn't hire a
> decent consultant, you might be right. If they do, it will ALWAYS
> be behind a firewall :-)
any consultant who pretends that firewalls provide security cannot
be described as 'decent'.
> >Firewalls don't help with the majority of security threats...
>
> True, but whether the server accesses the disks via SCSI over TCP or SCSI
> over Fibre Channel, the SERVER is still the weak link.
um, no. SCSI has some inherent length/delay/number-of-stations
limitations. but if the disk is accessible using TCP, there is a
significant probability that it will be accessible from the global
Internet and/or from local threats who have physical access to the
transmission medium, and the storage access protocol needs to assume
that this is the case.
> The transport protocol doesn't create any inherent weaknesses of
> the type you are referring to--e-mail borne viruses, internal hackers, etc.
you're assuming a different threat model than I am. I am indeed
assuming that storage devices will be targeted, in addition to servers.
> The server would still be the attack point. Why goodness,
> the server and storage devices could be in a VLAN or something to deny
> direct hack attempts against the storage device
yes, they *could* be. but you cannot assume that they *will* be.
> but the chink in the armor is how hardened is your OS?
there's more than one chink in the armor.
IP-based protocols need to be able to work in the global Internet.
Keith