nanog mailing list archives

Re: Accepting a Virtualized Functions (VNFs) into Corporate IT


From: Brett Frankenberger <rbf+nanog () panix com>
Date: Mon, 28 Nov 2016 12:56:40 -0600

On Mon, Nov 28, 2016 at 01:44:25PM -0500, Rich Kulawiec wrote:
> On Mon, Nov 28, 2016 at 09:53:41AM -0800, Kasper Adel wrote:
> > Vendor X wants you to run their VNF (Router, Firewall or Whatever) and they
> > refuse to give you root access, or any means necessary to do 'maintenance'
> > kind of work, whether it's applying security updates, or any other similar
> > type of task that is needed for you to integrate the Linux VM into your IT
> > ecosystem.
>
> Thus simultaneously (a) making vendor X a far more attractive target for
> attacks and (b) ensuring that when -- not if, when -- vendor X has its
> infrastructure compromised that the attackers will shortly thereafter
> own part of your network, for a value of "your" equal to "all customers
> of vendor X".
>
> (By the way, this isn't really much of a leap on my part, since it's
> already happened.)

Sure.  But that's mostly the risk of running a black-box appliance.  It
doesn't really matter if it's a VM or a piece of hardware.  Businesses
that are comfortable with physical appliances (running on Intel
hardware under the covers) for Router/Firewall/Whatever accept little
additional risk if they then run that same code on a VM.

(Sure, there's the possibility of the virtual appliance being
compromised, and then being used to exploit a hypervisor bug that
allows breaking out of the VM.  So the risk isn't *zero*.  But the
overwhelming majority of the risk comes from the decision to run the
appliance, not the HW vs. VM decision.)

     -- Brett
