Crustacean security

Three of our four cover stories on January 21 were about security. The fourth mentioned security in the second paragraph. Two of the stories focused on the difficulties with using the Internet Engineering Task Force's IP Security technology, but I seem to detect a common, and to me, dangerous thread hidden under some of the comments in the stories.

The first story that caught my eye had the headline "Debate flares over IP storage security." The story was about the cost in performance and dollars of including encryption in storage devices and quoted people who think there are other ways to get a secure system. The major suggestion here is the same as that implied in one of the other cover stories on "easier VPNs": that you can wall off some part of the network with a firewall of one kind or another and only protect communications outside of the firewall. Far too much of the security thinking in the corporate world is based on this crustacean model - hard on the outside, and soft and vulnerable inside.

There are three basic problems with the crustacean security model: people, penetration and perfection. Most studies over the years have shown that many - if not most - violations of network or computer security have been perpetrated or assisted by people inside the organization with legitimate access to the network. Specifically, firewalls do not protect against the people already inside the wall.

In addition, methods all too frequently have been set up to penetrate or bypass the firewall for what seem like legitimate reasons, such as installing a dial-up modem to access a special server from home. Finally, unless the firewall software is perfect and perfectly set up, holes will be found. Too often this means the corporate jewels are lying around for the picking.

But the case of IP-based storage points out a somewhat different issue. Network World's story on this topic rightly points out that security has not been a real concern in Fibre Channel-based storage networks because they are physically separate networks with few hosts on them. Some people think IP-based storage can be constrained in the same way. That is, at best, wishful thinking.

One of the basic results of putting an application on IP is that you are no longer restricted as to where it can be used. Fibre Channel-attached storage can be used only on the local Fibre Channel network, but an IP-attached storage device can, and will be, used from anywhere in the IP network world. Putting storage on IP means that there is no way for a storage device to know what type of environment it is running in, and so it has to be ready to deal with the case of a network with open access from the Internet (i.e., you need full security). If you don't want to deal with that reality then you should stick to Fibre Channel.

Disclaimer: Reality? Harvard?

In any case, the above are my own observations.

Bradner is a consultant with Harvard University's University Information Systems. He can be reached at sob@sobco.com.

Join the newsletter!

Or
Error: Please check your email address.

More about BradnerHarvard UniversityInternet Engineering Task ForceStorage Networks

Show Comments