Lee H. Marzke on 6 Jul 2017 19:37:14 -0700



Re: [PLUG] Fios Quantum Gateway Router / Cabling type


See below

----- Original Message -----
> From: "Vossen JP" <jp@jpsdomain.org>
> To: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>
> Sent: Thursday, July 6, 2017 8:58:31 PM
> Subject: Re: [PLUG] Fios Quantum Gateway Router / Cabling type

> On 07/06/2017 06:05 PM, Lee H. Marzke wrote:
>> I forgot to say, that I now connect FIOS ONT Ethernet directly to a Cisco
>> switch, put that ingress
>> traffic on a custom VLAN, and send it to the pfSense VM in my server cluster.
>> So I have
>> no need for any unreliable consumer devices in the network path.
> 
> But you DO have to trust that malicious traffic can't jump out of the
> VLAN and/or virtualization on the way to or from your FW!  I'll grant
> that it's a small risk, but I'd never put guests in different security
> classifications on the same VM hypervisor, or trust a VLAN for that.

So the traffic can't really jump, can it?  But a malicious endpoint that intercepted the traffic could
disregard the VLAN.   So we are concerned about all the places that external FIOS packet can go, and
where malicious or compromised endpoints can get at it.


I believe VMware has government certifications that verify that.   The old days of requiring an air gap between
different security levels are long gone - and VMware NSX provides much more security than an air gap.   Basically
every virtual VM NIC has firewall filtering applied as traffic leaves/enters the virtual NIC,  and they
definitely allow different VM security levels mixed on each hypervisor by design.   The firewall rules on that
NIC automatically follow the VM as it live-migrates between hosts.

I think initially VMware had to bring its own security experts to quite a few PCI and other audits to dispel the old air-gap
security methods previously used.   In the end, the 'micro-segmentation' provided by NSX is much more secure.

Digressing a bit - 
NSX firewall rules are written in terms of groups of VMs by name or by tag,  and you never have to deal
with the actual IPs in the rule - all the lower-level IP rules are written automatically on the fly even as the VM moves around
in the cluster or has its IP changed.  This leads to tremendous simplification of the firewall rules you need to write.

Now I'll grant you my simple VLAN is not as secure as VXLAN and NSX firewalling each VM NIC,  but unless
my Cisco switch is NSA-infected or otherwise compromised,  those packets are not blasted out other switchports and only
travel to the ESXi host(s) and then to the VMs connected to the firewall's port on the dvSwitch ( just the FW ),
so it's not too easy for packets to jump out as they just are not sent to many places.  And
yes, VMware paid the bucks to verify / certify this.

I guess you're right that in general, other hypervisors may not be trusted to this level.

FYI - NSX uses the VXLAN standard for separation, which has 4M total networks instead of only 4096 VLANs,  but
is basically an advanced form of VLANs - and mixed security is allowed on the same VM host ( e.g. maybe not
government compartmentalized separation, but PCI and non-PCI can certainly live right next to each other on the same host ).

FYI - NSX is VMware's software-defined network overlay technology,  consisting of distributed routing and firewalling
in each hypervisor ( as part of a distributed virtual switch that spans all hosts ), and also edge services such as
DHCP, VPN and load balancer for north/south traffic in/out of the data center.


> 
> My ONT terminates in Ethernet, to a physical firewall (SmallWall) using
> physical wires.   Wi-fi is another physical segment from the FW, as is
> VoIP.ms.  I think I have a spare segment for use as a DMZ, if needed, separated,
> but it's been a long time since I needed to know that.
> 
> Later,
> JP
> --  -------------------------------------------------------------------
> JP Vossen, CISSP | http://www.jpsdomain.org/ | http://bashcookbook.com/
> ___________________________________________________________________________
> Philadelphia Linux Users Group         --        http://www.phillylinux.org
> Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
> General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug

-- 
"Between subtle shading and the absence of light lies the nuance of iqlusion..." - Kryptos 

Lee Marzke, lee@marzke.net http://marzke.net/lee/ 
IT Consultant, VMware, VCenter, SAN storage, infrastructure, SW CM 
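The tag-based firewall model Lee describes above (rules written against groups of VMs, the per-IP rules regenerated automatically as a VM moves between hosts or changes address, and the rules for a vNIC following the VM) as an added toy example in Python. This is not VMware's or NSX's code and makes no claim about how NSX is implemented internally; every endpoint name, tag, host name and address in it is constructed, and the ONT uplink is modelled as a single constructed source address for simplicity.

```python
"""Toy model of tag-based micro-segmentation policy compiled to per-IP rules.

Added illustration, not VMware/NSX code: the policy is written against
endpoint tags, the per-address rules are regenerated from the current
inventory, and the rules for an endpoint's vNIC move with it when the
endpoint changes host or address. Every name, tag, host and address
below is constructed for the example.
"""
from dataclasses import dataclass, replace
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Endpoint:
    name: str
    ip: str
    host: Optional[str]          # hypervisor the vNIC lives on; None for the ONT uplink
    tags: FrozenSet[str]


@dataclass(frozen=True)
class PolicyRule:
    """Written in terms of tags only; '*' matches any endpoint."""
    src_tag: str
    dst_tag: str
    dport: int                   # 0 means any destination port
    action: str                  # "allow" or "deny"


# (src_ip, dst_ip, dport, action): what a per-vNIC filter actually enforces
ConcreteRule = Tuple[str, str, int, str]


def _members(tag: str, inventory: List[Endpoint]) -> List[Endpoint]:
    return [e for e in inventory if tag == "*" or tag in e.tags]


def compile_policy(policy: List[PolicyRule], inventory: List[Endpoint]) -> List[ConcreteRule]:
    """Expand tag rules into concrete address rules, keeping policy order
    so that first match wins at evaluation time."""
    rules: List[ConcreteRule] = []
    for r in policy:
        for s in _members(r.src_tag, inventory):
            for d in _members(r.dst_tag, inventory):
                if s.name != d.name:
                    rules.append((s.ip, d.ip, r.dport, r.action))
    return rules


def evaluate(rules: List[ConcreteRule], src_ip: str, dst_ip: str, dport: int,
             default: str = "deny") -> str:
    """First matching concrete rule decides; unmatched traffic is dropped."""
    for s, d, p, action in rules:
        if s == src_ip and d == dst_ip and p in (0, dport):
            return action
    return default


def rules_for_host(rules: List[ConcreteRule], inventory: List[Endpoint], host: str) -> List[ConcreteRule]:
    """Rules a given hypervisor must hold: those touching an endpoint it hosts."""
    local = {e.ip for e in inventory if e.host == host}
    return [r for r in rules if r[0] in local or r[1] in local]


def update_endpoint(inventory: List[Endpoint], name: str, **changes) -> List[Endpoint]:
    """Return a new inventory with one endpoint changed (IP and/or host);
    the tag-based policy itself never needs editing."""
    return [replace(e, **changes) if e.name == name else e for e in inventory]


# Constructed inventory: ONT uplink, pfSense firewall VM, two PCI VMs, one dev VM.
INVENTORY = [
    Endpoint("ont-uplink", "203.0.113.1", None, frozenset({"wan"})),
    Endpoint("pfsense", "203.0.113.2", "esxi-1", frozenset({"fw"})),
    Endpoint("web", "10.0.10.5", "esxi-1", frozenset({"pci", "web"})),
    Endpoint("db", "10.0.10.6", "esxi-2", frozenset({"pci", "db"})),
    Endpoint("dev", "10.0.20.7", "esxi-2", frozenset({"non-pci"})),
]

# Constructed policy, in tag terms; no IP address appears here.
POLICY = [
    PolicyRule("wan", "fw", 0, "allow"),      # ONT traffic may reach only the firewall
    PolicyRule("wan", "*", 0, "deny"),
    PolicyRule("web", "db", 5432, "allow"),   # PCI web tier may talk to the PCI database
    PolicyRule("non-pci", "pci", 0, "deny"),  # dev box never reaches PCI, same host or not
]


def demo() -> dict:
    rules = compile_policy(POLICY, INVENTORY)
    # The firewall VM live-migrates and gets a new uplink address: recompile only.
    moved = update_endpoint(INVENTORY, "pfsense", ip="203.0.113.9", host="esxi-2")
    rules2 = compile_policy(POLICY, moved)
    fw_ip = "203.0.113.9"
    return {
        "wan_to_fw": evaluate(rules, "203.0.113.1", "203.0.113.2", 443),
        "wan_to_web": evaluate(rules, "203.0.113.1", "10.0.10.5", 443),
        "web_to_db": evaluate(rules, "10.0.10.5", "10.0.10.6", 5432),
        "dev_to_db": evaluate(rules, "10.0.20.7", "10.0.10.6", 5432),
        "wan_to_fw_after_move": evaluate(rules2, "203.0.113.1", fw_ip, 443),
        "wan_to_old_fw_ip": evaluate(rules2, "203.0.113.1", "203.0.113.2", 443),
        # the firewall's rules now live on esxi-2, and no longer on esxi-1
        "fw_rules_on_esxi1": sum(1 for r in rules_for_host(rules2, moved, "esxi-1") if fw_ip in r[:2]),
        "fw_rules_on_esxi2": sum(1 for r in rules_for_host(rules2, moved, "esxi-2") if fw_ip in r[:2]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the model is the separation of concerns Lee describes: the policy list never mentions an address, so moving the firewall VM to another host and renumbering it only changes the output of compile_policy, and rules_for_host shows the concrete rules for that VM appearing on the new hypervisor and disappearing from the old one. The same expansion also shows why the dev VM sharing esxi-2 with the database does not matter to the policy: the deny between non-pci and pci is enforced at the vNIC regardless of host placement.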