?
Solved

HP Blade Center in DMZ

Posted on 2013-01-16
8
Medium Priority
?
798 Views
Last Modified: 2013-01-25
Experts,

I need opinions. We would like to stand up a Blade Center in our DMZ. We would like the management connections run to our main network so we can manage the frame itself. The VCs for the blades will follow the traditional set up of a DMZ. they will be run through the firewalls. The blades are stateless. All data is stored on a SAN.

So I'm in a discussion with my network people. They feel that since the chassis lives in the DMZ, all connections to the chassis should stop there and it should be physically cut off from the network.

My position is that the management connections don't "expose" a security risk. Therefore, we would be fine running those connections outside the firewall.

I also know that you can't see nor move the data that lives on SAN via the management ports.

Is there anyone that is using a blade chassis in there DMZ that can shed some light on this?

I have to believe that we are not the only people using a blade chassis this way.

Thanks!
0
Comment
Question by:punchie123
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
  • +2
8 Comments
 
LVL 57

Accepted Solution

by:
giltjr earned 668 total points
ID: 38786810
I have never used HP blades, but I have used IBM and Dell.

Assuming that HP's setup is like IBM and Dell, the management interface can't  be used to route traffic between the it and the OS's running on the blades.  So as long as the management and OS's IP addresses are on separate subnets you are safe.

The management IP addresses give you access to manage the blade center and in most cases "RDP" type access to the the blades and OS's running on the blades.  That's it.  

And I really doubt that your DMZ is physically cut off from the network, otherwise you would never be able to access it.  My guess is that it is firewalled off.  Putting your management interface on the internal network is safer than allowing say RDP or VNC through the firewall to you can have access to the servers to manage them.
0
 
LVL 22

Assisted Solution

by:robocat
robocat earned 668 total points
ID: 38786819
We have such a setup. Management of the Blade center is entirely in the LAN.

We do have a virtualisation layer (VMWare) on the blades, which adds an extra layer between the phyiscal hardware and the OS. Chances of anything "escaping" from the virtual machines and accessing the LAN through the blade center management seem extremely slim.
0
 
LVL 56

Expert Comment

by:andyalder
ID: 38786888
I can understand their concern, data could be transferred via the iLOs virtual media from a blade in the DMZ to the LAN without going through the firewall.
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 
LVL 17

Assisted Solution

by:TimotiSt
TimotiSt earned 664 total points
ID: 38792595
It seems a bit unlikely for a malware to jump onto virtual media and come inside the LAN, but sure, possible in theory.
Do you have a 2 firewall setup, like
[internal LAN]---[firewall]---[DMZ]---[firewall]---[internet]
or one firewall with 3 interfaces (internal, DMZ and external)?

You can put the management outside the internal firewall for an added layer of protection, just don't put it outside the outer firewall, that would be a bad idea imho.

Tamas
0
 
LVL 57

Expert Comment

by:giltjr
ID: 38793089
Unless your firewall(s) are doing content/file scanning malware can get in copying files from anywhere.  

What should prevent the malware is anti-virus protection on the target, which should protect you even when using virtual media.
0
 
LVL 22

Expert Comment

by:robocat
ID: 38793406
During normal operations, virtual media will not be mounted, so this risc is fairly limited.
Using a virtualisation layer further lowers chances of this happening.
0
 

Author Comment

by:punchie123
ID: 38819470
Guys,

Thanks for all of your answers.

@giltjr - The Dell and IBM chassis's are basically the same set up. The only ports that will be open through the firewall will be specific to the functionality of what's in the DMZ. We will have to go to our datacenter to manage anything in the DMZ.

@robocat - That's what I was trying to tell our security group. To me, it's akin to the management port on a firewall. Traffic passing thru the firewall can not somehow start passing data on the management connection. They're totally separate.

@TimotiSt - [internal LAN]---[firewall]---[DMZ]---[firewall]---[internet] is our set up.
0
 
LVL 56

Expert Comment

by:andyalder
ID: 38819773
Whatever you think about it your security group are right; until they have fully examined all implications of something being open it stays shut. You may say that you're not going to mount a virtual CD through iLO but they wouldn't be very good at their jobs if they took your word for it. You're probably thinking about a low security environment where all the threats are on the outside and forgetting that the biggest threat is the IT staff.

robocat got one thing right though in the mis-spelling or risk, there's lots of RISC chips in that chassis ;)
0

Featured Post

Moving data to the cloud? Find out if you’re ready

Before moving to the cloud, it is important to carefully define your db needs, plan for the migration & understand prod. environment. This wp explains how to define what you need from a cloud provider, plan for the migration & what putting a cloud solution into practice entails.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Monitor input from a computer is usually nothing special.  In this instance it prevented anyone from using the computer.  This was a preconfiguration that didn't work.
This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
In this video, Percona Director of Solution Engineering Jon Tobin discusses the function and features of Percona Server for MongoDB. How Percona can help Percona can help you determine if Percona Server for MongoDB is the right solution for …
In this video, Percona Solutions Engineer Barrett Chambers discusses some of the basic syntax differences between MySQL and MongoDB. To learn more check out our webinar on MongoDB administration for MySQL DBA: https://www.percona.com/resources/we…
Suggested Courses
Course of the Month9 days, 22 hours left to enroll

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question