Date: Sun, 06 Feb 2011 15:47:39 +0100
From: phocean <0x90@...cean.net>
To: full-disclosure@...ts.grok.org.uk
Subject: vswitches: physical networks obsolete?

Hi all,

I would like to get some feedback about the vswitches and how to deal
with physical network separation.
I have an idea about this but I would like to know the consensus of the
security community to feel more comfortable with it.

There is a great article summing up the possible architectures:
http://bradhedlund.com/2010/02/10/vswitch-illusion-dmz-virtualization/

However, Brad carefully doesn't take a position on whether physical
separation of the DMZ is still a necessity.
Somehow, as a Cisco employee, he may not be able to...

He just mentions how vswitches are equivalent to VLANs on a physical
switch and that the multiple vswitches on ESX are just a GUI illusion
of physical separation. It is exactly the same code running in memory
whether there is one or an infinite number of vswitches.

Within the comments, one guy says physical networks are obsolete, but
without stuff to support it.

Personally, I am still convinced it is necessary and want to keep it
like this:
Internet--|FW|--[ESX/Nexus for DMZ]---|FW|---[ESX/Nexus for Secured LAN]

I just can't trust the code and the idea of a single exploit
compromising a whole datacenter is just frightening.

I remember a black hat presentation that showed many ways to compromise
the host.
On the other hand, I couldn't find any good specifications or
architecture documents from the editors describing their software
design.
It would be great to know what protections are in place to make exploits
harder (memory management design, NX, randomization, MAC)...

In short, what is your stake on it? Is physical networking obsolete and
what can prove it is?

Regards,
- phocean

