Firewall Wizards mailing list archives
Re: Semi-OT: blade servers, backplanes, and DMZs
From: David Lang <david.lang () digitalinsight com>
Date: Sun, 8 Feb 2004 23:29:54 -0800 (PST)
You need to look very closely at the particular blade system. I have seen some that share a lot of infrastructure and cannot be completely isolated into different security domains; at the other extreme I have seen systems where the blades are really as independent as separate boxes would be and the enclosure is just a way of saving on rack/case expenses. Most are somewhere in between.

When you look at the management interface, look to see if this is just a general purpose network interface with software to provide the management, or if it is really a centralized console system (I've seen some where the management port is really just a second interface on the system, I've seen others where it just connected into an IP based console switch, and others where it connected to specialized hardware that replaced the console). A 'one-way' interface like an IP based KVM switch should be pretty safe; custom hardware may be safe, depending on how much you can really do to the running OS with it. Watch out for anything that claims you can apply patches over the management connection.

As for network connections, I've seen some blades that have proprietary communications within them that translate to ethernet on the common port on the back of the enclosure; I've seen others where each blade has its own ports and the enclosure just includes a switch. If it's the second type, look to see what your options are for having a blade NOT connect to a switch and to have multiple switches in one enclosure.

David Lang

On Fri, 6 Feb 2004, Phil Burg wrote:
> Date: Fri, 6 Feb 2004 15:51:25 +1100
> From: Phil Burg <Phil.Burg () colesmyer com au>
> To: "'firewall-wizards () honor icsalabs com'" <firewall-wizards () honor icsalabs com>
> Subject: [fw-wiz] Semi-OT: blade servers, backplanes, and DMZs
>
> Folks, a somewhat off-topic question that I'd appreciate some insight into:
>
> A client has proposed implementing blade servers in a common enclosure on two different DMZs (obviously with two different security policies in place). My immediate response is no - the claim that nothing can possibly leak across a blade enclosure backplane sounds a lot like the old claims about VLANs being effective security devices - but the client sees an opportunity to save floor space in a data centre, and is pushing hard.
>
> If anybody has any practical experience with the engineering aspects of blade enclosures that they'd care to share, I'd be very grateful.
>
> thanks
> Phil
>
> --
> Phil Burg
> Senior Security Adviser
> IT S&A Security and Governance
> Coles Myer Ltd
> (03) 9483 7165 / 0409 028 411
-- "Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it." - Brian W. Kernighan
Current thread:
- Semi-OT: blade servers, backplanes, and DMZs Phil Burg (Feb 06)
- Re: Semi-OT: blade servers, backplanes, and DMZs Christopher Hicks (Feb 07)
- Re: Semi-OT: blade servers, backplanes, and DMZs George Capehart (Feb 08)
- Re: Semi-OT: blade servers, backplanes, and DMZs David Lang (Feb 09)