punchie123
asked on
HP Blade Center in DMZ
Experts,
I need opinions. We would like to stand up a Blade Center in our DMZ. We would like the management connections run to our main network so we can manage the frame itself. The VCs for the blades will follow the traditional set up of a DMZ. they will be run through the firewalls. The blades are stateless. All data is stored on a SAN.
So I'm in a discussion with my network people. They feel that since the chassis lives in the DMZ, all connections to the chassis should stop there and it should be physically cut off from the network.
My position is that the management connections don't "expose" a security risk. Therefore, we would be fine running those connections outside the firewall.
I also know that you can't see nor move the data that lives on SAN via the management ports.
Is there anyone that is using a blade chassis in there DMZ that can shed some light on this?
I have to believe that we are not the only people using a blade chassis this way.
Thanks!
I need opinions. We would like to stand up a Blade Center in our DMZ. We would like the management connections run to our main network so we can manage the frame itself. The VCs for the blades will follow the traditional set up of a DMZ. they will be run through the firewalls. The blades are stateless. All data is stored on a SAN.
So I'm in a discussion with my network people. They feel that since the chassis lives in the DMZ, all connections to the chassis should stop there and it should be physically cut off from the network.
My position is that the management connections don't "expose" a security risk. Therefore, we would be fine running those connections outside the firewall.
I also know that you can't see nor move the data that lives on SAN via the management ports.
Is there anyone that is using a blade chassis in there DMZ that can shed some light on this?
I have to believe that we are not the only people using a blade chassis this way.
Thanks!
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
I can understand their concern, data could be transferred via the iLOs virtual media from a blade in the DMZ to the LAN without going through the firewall.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Unless your firewall(s) are doing content/file scanning malware can get in copying files from anywhere.
What should prevent the malware is anti-virus protection on the target, which should protect you even when using virtual media.
What should prevent the malware is anti-virus protection on the target, which should protect you even when using virtual media.
During normal operations, virtual media will not be mounted, so this risc is fairly limited.
Using a virtualisation layer further lowers chances of this happening.
Using a virtualisation layer further lowers chances of this happening.
ASKER
Guys,
Thanks for all of your answers.
@giltjr - The Dell and IBM chassis's are basically the same set up. The only ports that will be open through the firewall will be specific to the functionality of what's in the DMZ. We will have to go to our datacenter to manage anything in the DMZ.
@robocat - That's what I was trying to tell our security group. To me, it's akin to the management port on a firewall. Traffic passing thru the firewall can not somehow start passing data on the management connection. They're totally separate.
@TimotiSt - [internal LAN]---[firewall]---[DMZ]-
Thanks for all of your answers.
@giltjr - The Dell and IBM chassis's are basically the same set up. The only ports that will be open through the firewall will be specific to the functionality of what's in the DMZ. We will have to go to our datacenter to manage anything in the DMZ.
@robocat - That's what I was trying to tell our security group. To me, it's akin to the management port on a firewall. Traffic passing thru the firewall can not somehow start passing data on the management connection. They're totally separate.
@TimotiSt - [internal LAN]---[firewall]---[DMZ]-
Whatever you think about it your security group are right; until they have fully examined all implications of something being open it stays shut. You may say that you're not going to mount a virtual CD through iLO but they wouldn't be very good at their jobs if they took your word for it. You're probably thinking about a low security environment where all the threats are on the outside and forgetting that the biggest threat is the IT staff.
robocat got one thing right though in the mis-spelling or risk, there's lots of RISC chips in that chassis ;)
robocat got one thing right though in the mis-spelling or risk, there's lots of RISC chips in that chassis ;)