We have servers in the DMZ that the server admins and storage guys would like to use iSCSI with. The problem that us network/security guys see is that the iSCSI network is connected to a bunch of servers that are on the inside network. Since the OS of the server can see the iSCSI network (software iSCSI initiators), we are concerned that a server on the DMZ could use the iSCSI network to talk to/attack a server that's on the inside network. In effect, the iSCSI network could be used to circumvent the firewall.
To address this issue, we're looking at dedicated iSCSI HBAs (hardware iSCSI initiators). The thought is that the server OS sees the HBA purely as a disk device and has no way of talking to the iSCSI network. Thus, if the DMZ server becomes compromised OR if the server admin tries to "cheat" and get around the firewall procedures, the iSCSI network will not be a path to the inside network's servers. Does anybody know of any technical gotchas in this solution? (For completeness... The HBA we purchased for proof-of-concept testing is the QLogic QLE4062C.)

(If this doesn't work out well, the storage guys will probably just have to buy another iSCSI array and we'll set up another iSCSI VLAN for them, both dedicated to serving the DMZ hosts.)

===
Jeremy Charles
Epic - Computer and Technology Services Division
[email protected]
Phone: 608-271-9000
Fax: 608-271-7237
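One concrete way to verify the isolation this post is after on a Linux DMZ host, as an added example that is not code from the original post: it parses `ip` output for any OS-visible address or route into the iSCSI VLAN, using 10.20.30.0/24 as a constructed placeholder for that VLAN. With a hardware HBA owning the storage path, both checks should come back empty on the server itself.

```python
"""Audit a host's OS-level reachability of the iSCSI VLAN (added example,
not from the original post). Assumes Linux with the `ip` tool; the subnet
10.20.30.0/24 is a constructed placeholder for the iSCSI VLAN."""
import ipaddress
import subprocess

ISCSI_NET = ipaddress.ip_network("10.20.30.0/24")  # constructed placeholder

# Constructed `ip -o -4 addr` output: eth1 is a software-initiator NIC on the
# iSCSI VLAN, i.e. exactly the OS-visible path the HBA is meant to eliminate.
SAMPLE_ADDR = (
    "1: lo    inet 127.0.0.1/8 scope host lo\n"
    "2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\n"
    "3: eth1    inet 10.20.30.5/24 brd 10.20.30.255 scope global eth1\n"
)
# Constructed `ip -4 route` output for the same host.
SAMPLE_ROUTE = (
    "default via 192.0.2.1 dev eth0\n"
    "192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10\n"
    "10.20.30.0/24 dev eth1 proto kernel scope link src 10.20.30.5\n"
)

def addrs_in_net(ip_addr_output, net=ISCSI_NET):
    """(iface, addr) pairs from `ip -o -4 addr` output that lie inside net."""
    hits = []
    for line in ip_addr_output.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[2] == "inet":
            addr = ipaddress.ip_interface(parts[3])
            if addr.ip in net:
                hits.append((parts[1], str(addr)))
    return hits

def routes_to_net(ip_route_output, net=ISCSI_NET):
    """`ip -4 route` lines whose destination overlaps net (default route skipped:
    that path goes through the firewall and is policed there)."""
    hits = []
    for line in ip_route_output.splitlines():
        parts = line.split()
        if parts and parts[0] != "default":
            try:
                if ipaddress.ip_network(parts[0], strict=False).overlaps(net):
                    hits.append(line)
            except ValueError:  # e.g. "unreachable"/"blackhole" route types
                pass
    return hits

if __name__ == "__main__":  # live check on a real host
    ip = lambda *a: subprocess.run(("ip",) + a, capture_output=True, text=True).stdout
    print("addresses on iSCSI VLAN:", addrs_in_net(ip("-o", "-4", "addr")))
    print("routes into iSCSI VLAN:", routes_to_net(ip("-4", "route")))
```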
_______________________________________________
Tech mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
