| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 07 Feb 2011 14:51:04 -0500 From: "Elazar Broad" <elazar@...hmail.com> To: full-disclosure@...ts.grok.org.uk, 0x90@...cean.net Subject: Re: vswitches: physical networks obsolete? -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 We grappled with the same problem when setting up a virtual host in order to mimic our production environment for training purposes. Ultimately, we ended up purchasing a separate box for our DMZ host, it is hard to trust separation in software(granted we are relying on the firewall to do the very same thing, however, if you can't trust your firewall to do what it was designed to do, then you have bigger problem's than vSwitches) vs. a 10ft pole(physical segregation). A vSwitch is essentially a like a single physical switch, so... Would you put your internal and DMZ networks on a single physical switch, segregated via VLAN, relying on your FW to handle routing and access control? Now (as you stated) add the fact that virtual host owned = complete ownage whereas say owning a switch still won't (necessarily) own the network(i.e IPSEC etc.), would you still do it? my .02 elazar On Sun, 06 Feb 2011 09:47:39 -0500 phocean <0x90@...cean.net> wrote: >Hi all, > >I would like to get some feedback about the vswitches and how to >deal >with physical network separation. >I have an idea about this but I would like to know the consensus >of the >security community to feel more confortable with it. > >There is a great article summing up the possible architectures: >http://bradhedlund.com/2010/02/10/vswitch-illusion-dmz- >virtualization/ > >However, Brad carefully doesn't take position on whether physical >separation of the DMZ is still a necessity. >Somehow, as a Cisco employee, he may not be able to... > >He just mentions how vswitches are equivalent to VLAN on a >physical >switches and that the multiple vswitches on ESX are just an GUI >illusion >of physical separation. It is exactly the same code running in >memory >whether there is one or an infinite number of vswitches. > >Within the comments, one guy says physical networks are obsolete, >but >without stuff to support it. > >Personally, I am still convinced it is necessary and want to keep >it >like this : >Internet--|FW|--[ESX/Nexus for DMZ]---|FW|---[ESX/Nexus for >Secured LAN] > >I just can't trust the code and the idea of a single exploit >compromising a whole datacenter is just frightening. > >I remember a black hat presentation that showed many ways to >compromise >the host. >On the other hand, I couldn't find any good specifications or >architecture documents from the editors describing their software >design. >It would be great to know what protections are in place to make >exploits >harder (memory management design, NX, randomization, MAC)... > >In short, what is your stake on it? Is physical networking >obsolete and >what can prove it is? > >Regards, >- phocean > > >_______________________________________________ >Full-Disclosure - We believe in it. >Charter: http://lists.grok.org.uk/full-disclosure-charter.html >Hosted and sponsored by Secunia - http://secunia.com/ -----BEGIN PGP SIGNATURE----- Charset: UTF8 Version: Hush 3.0 Note: This signature can be verified at https://www.hushtools.com/verify wpwEAQECAAYFAk1QTSgACgkQi04xwClgpZjyzQP+JOOGuFo3P0zgwzxUvIJfk7an+xwS AL2h7gf2PDgpsd7XjzozjtEXa5dXhyFJMcPdIZIU1skPnggPq0SywzvenGGGOtT2kxAi bj70s3XfdWYSEI8QiQGSrenZmvccBBDFL15APaBNIxn7OUEULyRTuPdAEsEIRvsgkoj/ KXQJ6NY= =dphJ -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists