On Mon, Jun 28, 2010 at 08:45:38AM -0500, Jeremy Charles wrote:
> We have servers in the DMZ that the server admins and storage guys would like
> to use iSCSI with. The problem that we network/security guys see is that the
> iSCSI network is connected to a bunch of servers that are on the inside
> network. Since the OS of the server can see the iSCSI network (software
> iSCSI initiators), we are concerned that a server on the DMZ could use the
> iSCSI network to talk to/attack a server that's on the inside network. In
> effect, the iSCSI network could be used to circumvent the firewall.
>
> To address this issue, we're looking at dedicated iSCSI HBAs (hardware iSCSI
> initiators). The thought is that the server OS sees the HBA purely as a disk
> device and has no way of talking to the iSCSI network. Thus, if the DMZ
> server becomes compromised OR if the server admin tries to "cheat" and get
> around the firewall procedures, the iSCSI network will not be a path to the
> inside network's servers.
>
Why not build a dedicated VLAN that carries only iSCSI traffic to your DMZ and only has the required servers on that network?

-j

_______________________________________________
Tech mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
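The concern in the thread is a segmentation one: a storage VLAN that carries both DMZ and inside hosts, with the host OS holding an interface on it (software initiator), is a layer-2 path that never crosses the firewall. Below is an added example, not code from the thread or from LOPSA, that models that audit as a simple policy check over a constructed inventory. Host names, VLAN names and the three design variants are constructed for illustration; the check encodes the two mitigations discussed above exactly as the thread states them: a hardware HBA is treated as giving the OS no presence on the VLAN (the poster's assumption), and the dedicated-VLAN design keeps DMZ and inside initiators on separate segments.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Attachment:
    """One connection from a server to an iSCSI (storage) VLAN."""
    host: str
    zone: str        # "dmz" or "inside"
    vlan: str        # storage VLAN the host is attached to
    initiator: str   # "software" (OS owns an IP on the VLAN) or "hba" (dedicated iSCSI HBA)


def os_reachable(att: Attachment) -> bool:
    """True if the server OS itself can send packets on the storage VLAN.

    A software initiator puts a NIC with an IP on the VLAN, so the OS can talk to
    anything else on it. With a hardware HBA the OS only sees a disk device
    (assumption taken from the thread), so it has no route onto the VLAN.
    """
    return att.initiator == "software"


def find_bridges(attachments):
    """Return (vlan, dmz_host, inside_host) triples where a DMZ host's OS and an
    inside host's OS share the same storage VLAN, i.e. a path around the firewall.

    An empty list means no storage VLAN bridges the two zones at the OS level.
    """
    by_vlan: dict[str, list[Attachment]] = {}
    for att in attachments:
        if os_reachable(att):
            by_vlan.setdefault(att.vlan, []).append(att)

    findings = []
    for vlan in sorted(by_vlan):
        atts = by_vlan[vlan]
        dmz_hosts = sorted(a.host for a in atts if a.zone == "dmz")
        inside_hosts = sorted(a.host for a in atts if a.zone == "inside")
        for d in dmz_hosts:
            for i in inside_hosts:
                findings.append((vlan, d, i))
    return findings


# Constructed sample inventories for the three designs discussed in the thread.

# 1. Current situation: one shared iSCSI VLAN, software initiators everywhere.
AS_IS = [
    Attachment("dmz-web1", "dmz", "san-vlan", "software"),
    Attachment("inside-db1", "inside", "san-vlan", "software"),
    Attachment("inside-file1", "inside", "san-vlan", "software"),
]

# 2. Poster's proposal: DMZ hosts get hardware iSCSI HBAs on the same VLAN.
WITH_HBA = [
    Attachment("dmz-web1", "dmz", "san-vlan", "hba"),
    Attachment("inside-db1", "inside", "san-vlan", "software"),
    Attachment("inside-file1", "inside", "san-vlan", "software"),
]

# 3. Reply's proposal: a dedicated iSCSI VLAN for the DMZ, inside hosts elsewhere.
DEDICATED_VLAN = [
    Attachment("dmz-web1", "dmz", "san-dmz", "software"),
    Attachment("inside-db1", "inside", "san-inside", "software"),
    Attachment("inside-file1", "inside", "san-inside", "software"),
]


def report(name, attachments):
    """Print the findings for one design and return whether it is clean."""
    bridges = find_bridges(attachments)
    status = "OK" if not bridges else "BRIDGE"
    print(f"{name:15s} {status}")
    for vlan, d, i in bridges:
        print(f"  {vlan}: {d} (dmz) can reach {i} (inside) without crossing the firewall")
    return not bridges


if __name__ == "__main__":
    report("as-is", AS_IS)
    report("hba", WITH_HBA)
    report("dedicated-vlan", DEDICATED_VLAN)
```

The check is only as good as the inventory fed to it, so in practice the attachment list would be generated from switch port/VLAN assignments and each host's interface table rather than typed by hand; the point of the model is that both mitigations reduce to the same property, no DMZ OS and no inside OS sharing a storage segment, which is what the audit asserts.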
