lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <1297003659.9878.31.camel@subarashii> Date: Sun, 06 Feb 2011 15:47:39 +0100 From: phocean <0x90@...cean.net> To: full-disclosure@...ts.grok.org.uk Subject: vswitches: physical networks obsolete? Hi all, I would like to get some feedback about the vswitches and how to deal with physical network separation. I have an idea about this but I would like to know the consensus of the security community to feel more confortable with it. There is a great article summing up the possible architectures: http://bradhedlund.com/2010/02/10/vswitch-illusion-dmz-virtualization/ However, Brad carefully doesn't take position on whether physical separation of the DMZ is still a necessity. Somehow, as a Cisco employee, he may not be able to... He just mentions how vswitches are equivalent to VLAN on a physical switches and that the multiple vswitches on ESX are just an GUI illusion of physical separation. It is exactly the same code running in memory whether there is one or an infinite number of vswitches. Within the comments, one guy says physical networks are obsolete, but without stuff to support it. Personally, I am still convinced it is necessary and want to keep it like this : Internet--|FW|--[ESX/Nexus for DMZ]---|FW|---[ESX/Nexus for Secured LAN] I just can't trust the code and the idea of a single exploit compromising a whole datacenter is just frightening. I remember a black hat presentation that showed many ways to compromise the host. On the other hand, I couldn't find any good specifications or architecture documents from the editors describing their software design. It would be great to know what protections are in place to make exploits harder (memory management design, NX, randomization, MAC)... In short, what is your stake on it? Is physical networking obsolete and what can prove it is? Regards, - phocean _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists