Firewall Wizards mailing list archives

Re: Semi-OT: blade servers, backplanes, and DMZs


From: David Lang <david.lang () digitalinsight com>
Date: Sun, 8 Feb 2004 23:29:54 -0800 (PST)

You need to look very closely at the particular blade system. I have seen
some that share a lot of infrastructure and cannot be completely isolated
into different security domains; at the other extreme I have seen systems
where the blades are really as independent as separate boxes would be and
the enclosure is just a way of saving on rack/case expenses.

Most are somewhere in between.

When you look at the management interface, look to see if this is just a
general purpose network interface with software to provide the management,
or if it is really a centralized console system (I've seen some where the
management port is really just a second interface on the system, I've
seen others where it just connected into an IP-based console switch, and
others where it connected to specialized hardware that replaced the
console). A 'one-way' interface like an IP-based KVM switch should be
pretty safe; custom hardware may be safe, depending on how much you can
really do to the running OS with it. Watch out for anything that claims
you can apply patches over the management connection.

As for network connections, I've seen some blades that have proprietary
communications within them that translate to ethernet on the common port
on the back of the enclosure; I've seen others where each blade has its
own ports and the enclosure just includes a switch. If it's the second
type, look to see what your options are for having a blade NOT connect to a
switch and to have multiple switches in one enclosure.

David Lang

 On Fri, 6 Feb 2004, Phil Burg wrote:

Date: Fri, 6 Feb 2004 15:51:25 +1100
From: Phil Burg <Phil.Burg () colesmyer com au>
To: "'firewall-wizards () honor icsalabs com'"
    <firewall-wizards () honor icsalabs com>
Subject: [fw-wiz] Semi-OT:  blade servers, backplanes, and DMZs

Folks

a somewhat off-topic question that I'd appreciate some insight into:

A client has proposed implementing blade servers in a common enclosure on
two different DMZs (obviously with two different security policies in place).

My immediate response is no - the claim that nothing can possibly leak
across a blade enclosure backplane sounds a lot like the old claims about
VLANs being effective security devices - but the client sees an opportunity
to save floor space in a data centre, and is pushing hard.

If anybody has any practical experience with the engineering aspects of
blade enclosures that they'd care to share, I'd be very grateful.

thanks
Phil
--
Phil Burg
Senior Security Adviser
IT S&A Security and Governance
Coles Myer Ltd
(03) 9483 7165 / 0409 028 411




-- 
"Debugging is twice as hard as writing the code in the first place.
Therefore, if you write the code as cleverly as possible, you are,
by definition, not smart enough to debug it." - Brian W. Kernighan
