Rich Freeman on 17 May 2018 05:21:09 -0700
Re: [PLUG] Fwd: VMware Releases Security Update
On Thu, May 17, 2018 at 7:55 AM brent timothy saner <brent.saner@gmail.com> wrote:

> i'd say 9 out of 10 deployments
> don't really need it, though.

I guess it depends on what you mean by "need." Your servers will work fine without SELinux or netfilter rules or POSIX capabilities. Heck, they'll work fine if you run all your daemons as root too.

I think the appeal of software-defined networking is that you can potentially use it to achieve a higher level of control. I suspect this becomes more practical if you're doing more orchestration/software-defined-infrastructure/etc, so that the network rules are just a consequence of the same rules used to spin up the servers and load balancing and all that.

In the ideal setup servers would only be able to talk to the other servers they require services from/etc, and this would be enforced through software firewalls on the servers, and by all the switches/firewalls/etc on the network, providing defense in depth. With a central configuration you could compile device-specific rules and push them out anytime something changes, versus managing every switch individually.

However, your infrastructure will still "work" if your LAN is wide open and all the controls are on the gateway. It just means that if something gets into your LAN you don't have defense in depth.

-- 
Rich

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
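An added example (not from the thread) of the "central configuration compiles device-specific rules" idea Rich describes: one service-dependency map is compiled into both a default-drop nftables policy per host and a permit list for the network layer, so host and switch enforcement come from the same source. Host names, addresses, services and ports are constructed sample data.

```python
"""Compile per-host firewall rules and a network-wide ACL from one central
service map, so host and switch enforcement derive from the same source."""
from collections import defaultdict

# Constructed sample inventory (hypothetical hosts and addresses).
HOSTS = {"lb1": "10.0.0.10", "web1": "10.0.1.10", "web2": "10.0.1.11",
         "app1": "10.0.2.10", "db1": "10.0.3.10"}

# Constructed service map: service -> (provider hosts, TCP port, consumer hosts).
SERVICES = {
    "http":     (["web1", "web2"], 80,   ["lb1"]),
    "app-api":  (["app1"],         8080, ["web1", "web2"]),
    "postgres": (["db1"],          5432, ["app1"]),
}

def compile_host_rules(hosts, services):
    """Return {host: sorted list of (direction, peer_ip, port)}.
    Only listed flows are allowed; everything else is dropped by the host policy."""
    rules = defaultdict(list)
    for providers, port, consumers in services.values():
        for p in providers:
            for c in consumers:
                rules[p].append(("in", hosts[c], port))    # provider accepts from consumer
                rules[c].append(("out", hosts[p], port))   # consumer may open to provider
    return {h: sorted(rules[h]) for h in hosts}

def compile_network_acl(hosts, services):
    """Return sorted (src_ip, dst_ip, port) permits for the switch/firewall layer,
    the second enforcement point that gives defense in depth."""
    acl = set()
    for providers, port, consumers in services.values():
        for p in providers:
            for c in consumers:
                acl.add((hosts[c], hosts[p], port))
    return sorted(acl)

def render_nft(host, host_rules):
    """Render one host's rules as an nftables script with default-drop chains."""
    lines = ["table inet pol {",
             "  chain input { type filter hook input priority 0; policy drop;",
             "    ct state established,related accept", "    iif lo accept"]
    lines += [f"    ip saddr {ip} tcp dport {port} accept"
              for d, ip, port in host_rules[host] if d == "in"]
    lines += ["  }", "  chain output { type filter hook output priority 0; policy drop;",
              "    ct state established,related accept", "    oif lo accept"]
    lines += [f"    ip daddr {ip} tcp dport {port} accept"
              for d, ip, port in host_rules[host] if d == "out"]
    lines += ["  }", "}"]
    return "\n".join(lines)

if __name__ == "__main__":
    rules = compile_host_rules(HOSTS, SERVICES)
    for h in HOSTS:
        print(f"# --- {h} ---\n{render_nft(h, rules)}\n")
```

Re-running the compiler after any change to the service map regenerates every host's policy and the network ACL together, which is the "push out device-specific rules anytime something changes" workflow.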