In message <A427D1278F7CD311B1670008C7FAA62AC89F1F(_at_)CORPNT3>, Brian(_dot_)Rubarts(_at_)born.com writes:
> > Encryption will be offloaded to the network interface. ASICs on the NICs
> > will greatly improve encryption and authentication performance.
> >
> > all well and good, provided that this encryption and authentication
> > are actually compatible with that specified by higher level protocols
> > and the authentication actually meets the needs of users.
> > (if your network interface needs to use and verify users' credentials,
> > as opposed to the host's credentials, it might be a stretch.)
>
> A network server will still authenticate user requests. Only the host
> needs to be authenticated with the disk/disks.
Up to a point. Yes, there are NICs available today with IPsec on-card.
But given the prevalence of -- how shall I put this? -- single-user
computers with user physical access, no OS protection and crufty software,
you really need user-granularity protection of the file access
requests. NFS-style protection with host authentication works if and only
if the server trusts the remote system to authenticate its users.
That's demonstrably not true today.
Yes, IPsec does, in theory, support user-granularity protection.
That's very hard to do when you're using outboard IPsec implementations,
since you then need some way to pass the user's credentials (generally
a certificate, not a user-id) back to the host, and tie every received
packet to that identity. It can be done, but (speaking as one of the
primary participants in the IPsec development effort) I'm not impressed
with its applicability in this case.
> > It will run over incredibly fast Packet over SONET Wide Area
> > Networks--behind firewalls.
> >
> > ...it's inappropriate to assume that it will always be used behind firewalls...
>
> If the larger network that is employing this technology doesn't hire a
> decent consultant, you might be right. If they do, it will ALWAYS be behind a
> firewall :-)
Speaking as someone whose firewall credentials are more or less beyond
reproach, you're wrong -- period. *Many* such uses will be behind
firewalls. Others won't. The large corporate firewall is a dinosaur,
because of extranets, telecommuters, unofficial links through or around
the firewall, etc. Comprehensive firewalls generally can't protect a
network larger than one run by a single systems administrator (or, in
some cases, a systems administration group); otherwise, they don't know
where the links are.
And even when one sysadmin runs the net, what does he or she do when
word comes down from the pointy-haired layer of the stack that there
*will* be a VPN link to a joint venture partner?
Like it says on the (U.S.) toothpaste tubes -- firewalls can be an
effective security measure when used as part of a program
including good network hygiene and decent authentication. But they're
not magic security pixie dust, and they're not a substitute for
authentication in the protocol.
--Steve Bellovin
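As an added illustration of the host-versus-user authentication distinction argued in this message (not code from the thread or from any IPsec or NFS implementation), the constructed Python sketch below compares a server that trusts an IPsec-authenticated peer host to assert any user with one that requires every request to carry a MAC under the claimed user's own key. The host names, keys, ACL and request format are all made up for the example.

```python
import hashlib
import hmac

# Constructed data: per-user keys the server shares with each user (in a real
# deployment these would come from certificates or a KDC, not a dict), the set
# of hosts whose IPsec peer identity the server has verified, and a tiny ACL.
USER_KEYS = {"alice": b"alice-secret-key", "bob": b"bob-secret-key"}
TRUSTED_HOSTS = {"ws1.example.test"}
ACL = {"/home/bob/notes.txt": {"bob"}}


def sign_request(user, op, path, key):
    """Client side of the user-granularity model: bind the request to the user."""
    msg = f"{user}|{op}|{path}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def authorize_host_model(req):
    """NFS/AUTH_SYS style: the server only authenticates the host (here via its
    IPsec peer identity) and trusts that host to have authenticated whichever
    user it asserts in the request."""
    if req["host"] not in TRUSTED_HOSTS:
        return False
    return req["user"] in ACL.get(req["path"], set())


def authorize_user_model(req):
    """User-granularity model: the host channel is still required, but each
    request must also verify under the claimed user's key, so a host cannot
    speak for a user whose credential it does not hold."""
    if req["host"] not in TRUSTED_HOSTS:
        return False
    key = USER_KEYS.get(req["user"])
    if key is None:
        return False
    expected = sign_request(req["user"], req["op"], req["path"], key)
    if not hmac.compare_digest(expected, req.get("mac", "")):
        return False
    return req["user"] in ACL.get(req["path"], set())


# Constructed scenario: alice's single-user workstation is correctly
# authenticated as ws1 at the IPsec layer, but software on it asserts bob's
# identity in the file request. Only the user model catches this.
FORGED = {"host": "ws1.example.test", "user": "bob", "op": "read",
          "path": "/home/bob/notes.txt"}
GENUINE = dict(FORGED, mac=sign_request("bob", "read", FORGED["path"],
                                        USER_KEYS["bob"]))

if __name__ == "__main__":
    print("host model accepts forged request:", authorize_host_model(FORGED))
    print("user model accepts forged request:", authorize_user_model(FORGED))
    print("user model accepts genuine request:", authorize_user_model(GENUINE))
```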