nanog mailing list archives

Re: Accepting a Virtualized Functions (VNFs) into Corporate IT


From: Leo Bicknell <bicknell () ufp org>
Date: Tue, 29 Nov 2016 07:02:42 -0800

In a message written on Mon, Nov 28, 2016 at 01:10:29PM -0500, Jared Mauch wrote:
> my experiences say that most people would accept this.  things like IT are a cost
> and any way to externalize that cost makes sense.  If you look at something like
> a SMB service, where you have mandatory NID or provider managed CPE/handoff,
> having a solution pre-built seems like a no-brainer.

Historically, I agree.

However I sense the winds are changing on this issue.  Various
auditors and certification schemes have changed over the past 2-3
years to be much more skeptical of these sorts of devices.  They
want to see "endpoint security" (AV and/or Fingerprinting) on all
devices.  To the extent these "appliance" VMs are standard OSes
(often CentOS) they are more insistent it should be possible.  Where
it is not possible, they want to see severe network quarantine, for
instance per-host firewalls to lock down the devices.

I'm not sure why the OP was asking, but if they are developing a
new product of this type I might suggest they consider their response
to a customer who says they need endpoint security on it before
building it.

-- 
Leo Bicknell - bicknell () ufp org
PGP keys at http://www.ufp.org/~bicknell/
