Re: vswitches: physical networks obsolete?

["Elazar Broad" <elazar () hushmail com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We grappled with the same problem when setting up a virtual host in
order to mimic our production environment for training purposes.
Ultimately, we ended up purchasing a separate box for our DMZ host,
it is hard to trust separation in software(granted we are relying
on the firewall to do the very same thing, however, if you can't
trust your firewall to do what it was designed to do, then you have
bigger problem's than vSwitches) vs. a 10ft pole(physical
segregation). A vSwitch is essentially a like a single physical
switch, so...

Would you put your internal and DMZ networks on a single physical
switch, segregated via VLAN, relying on your FW to handle routing
and access control? Now (as you stated) add the fact that virtual
host owned = complete ownage whereas say owning a switch still
won't (necessarily) own the network(i.e IPSEC etc.), would you
still do it?

my .02

elazar

On Sun, 06 Feb 2011 09:47:39 -0500 phocean <0x90 () phocean net> wrote:
> Hi all,
>
> I would like to get some feedback about the vswitches and how to
> deal
> with physical network separation.
> I have an idea about this but I would like to know the consensus
> of the
> security community to feel more confortable with it.
>
> There is a great article summing up the possible architectures:
> http://bradhedlund.com/2010/02/10/vswitch-illusion-dmz-
> virtualization/
>
> However, Brad carefully doesn't take position on whether physical
> separation of the DMZ is still a necessity.
> Somehow, as a Cisco employee, he may not be able to...
>
> He just mentions how vswitches are equivalent to VLAN on a
> physical
> switches and that the multiple vswitches on ESX are just an GUI
> illusion
> of physical separation. It is exactly the same code running in
> memory
> whether there is one or an infinite number of vswitches.
>
> Within the comments, one guy says physical networks are obsolete,
> but
> without stuff to support it.
>
> Personally, I am still convinced it is necessary and want to keep
> it
> like this :
> Internet--|FW|--[ESX/Nexus for DMZ]---|FW|---[ESX/Nexus for
> Secured LAN]
>
> I just can't trust the code and the idea of a single exploit
> compromising a whole datacenter is just frightening.
>
> I remember a black hat presentation that showed many ways to
> compromise
> the host.
> On the other hand, I couldn't find any good specifications or
> architecture documents from the editors describing their software
> design.
> It would be great to know what protections are in place to make
> exploits
> harder (memory management design, NX, randomization, MAC)...
>
> In short, what is your stake on it? Is physical networking
> obsolete and
> what can prove it is?
>
> Regards,
> - phocean
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Version: Hush 3.0
Note: This signature can be verified at https://www.hushtools.com/verify

wpwEAQECAAYFAk1QTSgACgkQi04xwClgpZjyzQP+JOOGuFo3P0zgwzxUvIJfk7an+xwS
AL2h7gf2PDgpsd7XjzozjtEXa5dXhyFJMcPdIZIU1skPnggPq0SywzvenGGGOtT2kxAi
bj70s3XfdWYSEI8QiQGSrenZmvccBBDFL15APaBNIxn7OUEULyRTuPdAEsEIRvsgkoj/
KXQJ6NY=
=dphJ
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/