VLAN security on virtual ethernet - Aix


Thread: VLAN security on virtual ethernet

  1. VLAN security on virtual ethernet

    I need to deploy a number of outward facing micropartitions on a p570
    that my organization wants to be isolated from one another on the
    network, so in the event that a single lpar is compromised, it's only
    possible to even communicate with a small subset of servers out there.
    My concern is, if all of the LPARs are micropartitions and are using
    the same VIO pair (many of the lpars will actually be on the same
    subnet and vlan), is it possible for them to be isolated from one
    another since interlpar traffic doesn't exit the frame, but rather
    travels down the backplane, hits the virtual ethernet switch and then
    gets routed appropriately? Our firewall rules happen at the physical
    switch level, and as far as I know those rules won't propagate down to
    the virtual switch.
    If the lpars are exposed to one another, it increases our risk factor.
    The VIO networking that we use tends to be mostly out of the box SEA
    failover stuff. However, I'm open to changing that configuration if it
    will fix this problem.

    Thanks in advance for your advice on this.

  2. Re: VLAN security on virtual ethernet

    On 4 Dec, 00:19, "michael.shulman" wrote:
    > I need to deploy a number of outward facing micropartitions on a p570
    > that my organization wants to be isolated from one another on the
    > network, so in the event that a single lpar is compromised, it's only
    > possible to even communicate with a small subset of servers out there.
    > [...]

    Hi,

    Have you seen this whitepaper? It may be of some use.

    http://www-03.ibm.com/systems/p/hard...r_security.pdf

    Scott


  3. Re: VLAN security on virtual ethernet

    On Dec 4, 8:10 am, scott wrote:
    > On 4 Dec, 00:19, "michael.shulman" wrote:
    > > I need to deploy a number of outward facing micropartitions on a p570
    > > that my organization wants to be isolated from one another on the
    > > network, so in the event that a single lpar is compromised, it's only
    > > possible to even communicate with a small subset of servers out there.
    > > [...]
    >
    > Hi,
    >
    > Have you seen this whitepaper. It may be of some use.
    >
    > http://www-03.ibm.com/systems/p/hard...r_security.pdf
    >
    > Scott


    Nice doc for the p690, but as far as the OP is concerned, it is a non
    sequitur.

    If you absolutely don't need to communicate between these LPARs, you
    may consider implementing ipsec (supported) or ipf (not supported)
    rules to block that potential inter-partition traffic. I have had
    issues with ipf causing kernel panics, so ipsec would be the way to
    go. You would have the flexibility to narrow down the traffic you
    desire and block all other traffic.

    I tested some interpartition traffic both between VIO client LPARs and
    between a client LPAR and the VIO server and the "virtual switch"
    segregates the traffic nicely. Even though the VIO server contains
    the physical adapters for the clients' use, I don't see any ping
    traffic between client lpars on the VIO server. I don't think you
    could pick up any traffic unless it is source/destination traffic (the
    usual broadcast and arp requests exempted, of course). Tcpdump does
    not allow promiscuous sniffing on any other adapter except the one
    that was configured with mktcpip. You may be OK here.

    In short, I don't think you have anything to worry about if your
    concern is about LPARs vs standalone servers. If you want to
    segregate traffic at all costs, then ipsec is the way to go.
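
Added example, not code from the thread: the "ipsec rules" approach from the reply above, applied to the original post's goal of letting a compromised LPAR reach only a small allowlist of peers on the shared subnet/VLAN. The script emits an AIX IP Security (IPv4) filter policy for one LPAR as genfilt/mkfilt commands instead of executing them, so it can be reviewed and tested off the frame and then piped to sh on the LPAR. It assumes AIX 5.3-era genfilt/mkfilt/lsfilt syntax and an LPAR with the IP Security device loaded (mkdev -c ipsec -t 4); the addresses, the peer list and the names build_policy and valid_ipv4 are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread: emit an AIX IP Security (IPv4)
# filter policy for one LPAR that shares a subnet/VLAN with other LPARs.
#   permit  <self> <-> each allowed peer      (rules are evaluated in order)
#   deny    <self> -> rest of local subnet    (outbound, logged)
#   deny    rest of local subnet -> <self>    (inbound, logged)
#   mkfilt -v 4 -u                            (load the table into the kernel)
# Everything off-subnet is left to the default rule (permit unless changed
# with 'mkfilt -v 4 -z D'). All addresses below are hypothetical.

# valid_ipv4 ADDR: true when ADDR is four dotted-decimal octets, each 0-255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_policy SELF SUBNET MASK "PEER ..." prints the genfilt/mkfilt commands.
# Pipe the output to sh on the LPAR as root with the ipsec device loaded.
build_policy() {
    self=$1; subnet=$2; mask=$3; peers=$4
    host=255.255.255.255
    for a in "$self" "$subnet" "$mask" $peers; do
        valid_ipv4 "$a" || { echo "build_policy: bad address '$a'" >&2; return 1; }
    done
    # 1. Permits first: IP Security stops at the first matching rule, so the
    #    allowed peers must precede the subnet-wide deny. '-w B' covers both
    #    directions, '-c all' every IP protocol, '-i all' every interface.
    for p in $peers; do
        echo "genfilt -v 4 -a P -s $self -m $host -d $p -M $host -c all -w B -i all -D \"permit peer $p\""
    done
    # 2. Deny the rest of the shared subnet, i.e. the inter-LPAR traffic that
    #    never leaves the frame. Routed traffic is unaffected because its IP
    #    destination lies outside SUBNET/MASK; if the LPAR must talk to the
    #    router itself (e.g. ping the gateway), list the gateway as a peer.
    echo "genfilt -v 4 -a D -s $self -m $host -d $subnet -M $mask -c all -w O -l Y -i all -D \"deny local subnet outbound\""
    echo "genfilt -v 4 -a D -s $subnet -m $mask -d $self -M $host -c all -w I -l Y -i all -D \"deny local subnet inbound\""
    # 3. Activate. 'lsfilt -v 4' afterwards shows the table in evaluation order.
    echo "mkfilt -v 4 -u"
}

# Constructed example: one web LPAR allowed to reach two peers (say a database
# LPAR and the subnet's gateway) and nothing else on its own subnet.
build_policy 10.1.2.15 10.1.2.0 255.255.255.0 "10.1.2.20 10.1.2.1"
```

Two caveats a practitioner should keep in mind. IP Security filters match IP headers only, so ARP and other non-IP frames still cross the virtual switch, which is consistent with the "broadcast and ARP exempted" observation above. And the rules live inside the LPAR they protect: root on a compromised LPAR can run rmfilt or mkfilt -d and drop them, so they limit what a compromised LPAR can reach only until root is obtained, whereas VLAN separation done in the hypervisor and the physical switch does not depend on the guest.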

  4. Re: VLAN security on virtual ethernet

    On Wed, 5 Dec 2007 06:43:21 -0800 (PST), Scott
    wrote:

    >On Dec 4, 8:10 am, scott wrote:
    >> On 4 Dec, 00:19, "michael.shulman" wrote:
    >>
    >> > I need to deploy a number of outward facing micropartitions on a p570
    >> > that my organization wants to be isolated from one another on the
    >> > network, so in the event that a single lpar is compromised, it's only
    >> > possible to even communicate with a small subset of servers out there.


    If you want the micropartitions (or subsets of the micropartitions) to
    be isolated from *each other* then they should be on different subnets
    (and, technically, VLANs to be really sure) with no routes between
    them and the rest of the world that don't go through a firewall under
    your administrative control. Fundamentally, this is no different than
    what you would do for standalone machines.

    If your question is whether a VIO server can safely proxy the traffic
    (that is, provide virtual ethernet connectivity) from these
    micropartitions and maintain the separation you want, the answer
    (IMHO) is "yes". You should review the security evaluation done by the
    (German) Federal Office for Information Security (BSI):
    http://www.bsi.de/zertifiz/zert/reporte/0385b.pdf

    -- David
