brent timothy saner on 17 May 2018 05:27:34 -0700



Re: [PLUG] Fwd: VMware Releases Security Update


On 05/17/2018 08:20 AM, Rich Freeman wrote:
> On Thu, May 17, 2018 at 7:55 AM brent timothy saner <brent.saner@gmail.com>
> wrote:
> 
>> I'd say 9 out of 10 deployments
>> don't really need it, though.
> 
> 
> I guess it depends on what you mean by "need."  Your servers will work fine
> without SELinux or netfilter rules or POSIX capabilities.  Heck, they'll
> work fine if you run all your daemons as root too.
> 
> I think the appeal of software-defined networking is that you can
> potentially use it to achieve a higher-level of control.  I suspect this
> becomes more practical if you're doing more
> orchestration/software-defined-infrastructure/etc, so that the network
> rules are just a consequence of the same rules used to spin up the servers
> and load balancing and all that.  In the ideal setup servers would only be
> able to talk to the other servers they require services from/etc, and this
> would be enforced through software firewalls on the servers, and by all the
> switches/firewalls/etc on the network, providing defense in depth.  With a
> central configuration you could compile device-specific rules and push them
> out anytime something changes, versus managing every switch individually.
> 
> However, your infrastructure will still "work" if your LAN is wide open and
> all the controls are on the gateway.  It just means that if something gets
> into your LAN you don't have defense in depth.
> 

This is pure oversimplification and reduction. You can absolutely
implement host-specific rules and gateway/network-wide rules both
*without* running any sort of software-defined networking as the term is
used.

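The point both posters are circling (one central map of who talks to whom, compiled into per-host firewall rules and into the gateway's rules, with no SDN controller involved) can be shown with plain POSIX sh and nftables syntax. The script below is an added example and is not code from either poster or from the PLUG list; the hostnames, addresses, services and the 10.0.0.0/24 "management" network are all made up for illustration, and the functions `addr_of`, `compile_rules` and `compile_gateway_rules` are this example's own names.

```shell
#!/bin/sh
# Added example: compile host-specific and gateway-wide nftables allow-lists
# from ONE central dependency map, using nothing but sh, awk and nft syntax.
# All hosts, addresses and services below are constructed for illustration.

# Constructed inventory: "<server> <address> <service>:<port>" ("-" = offers nothing)
SERVERS='
web1 10.0.1.10 -
app1 10.0.2.10 app:8080
db1  10.0.3.10 pgsql:5432
'

# Constructed dependencies: "<client> <service it needs>"
DEPS='
web1 app
app1 pgsql
'

# addr_of <name>: look up a server's address in SERVERS
addr_of() {
    printf '%s\n' "$SERVERS" | awk -v n="$1" '$1 == n { print $2; exit }'
}

# compile_rules <host>: per-host input chain. Default drop; accept return
# traffic, loopback, SSH from the (assumed) management net, and each offered
# service port only from the clients declared to need it.
compile_rules() {
    host=$1
    printf 'table inet filter {\n'
    printf '  chain input {\n'
    printf '    type filter hook input priority 0; policy drop;\n'
    printf '    ct state established,related accept\n'
    printf '    iif lo accept\n'
    printf '    ip saddr 10.0.0.0/24 tcp dport 22 accept\n'
    printf '%s\n' "$SERVERS" | awk -v h="$host" '$1 == h && $3 != "-" { print $3 }' |
    while IFS=: read -r svc port; do
        printf '%s\n' "$DEPS" | awk -v s="$svc" '$2 == s { print $1 }' |
        while read -r client; do
            printf '    ip saddr %s tcp dport %s accept\n' \
                "$(addr_of "$client")" "$port"
        done
    done
    printf '  }\n'
    printf '}\n'
}

# compile_gateway_rules: forward chain for the central gateway, built from the
# SAME map, so the network device enforces the allow-list the hosts enforce
# (defense in depth from one source of truth, no controller required).
compile_gateway_rules() {
    printf 'table inet gateway {\n'
    printf '  chain forward {\n'
    printf '    type filter hook forward priority 0; policy drop;\n'
    printf '    ct state established,related accept\n'
    printf '%s\n' "$DEPS" | awk 'NF == 2 { print $1, $2 }' |
    while read -r client svc; do
        printf '%s\n' "$SERVERS" |
        awk -v s="$svc" 'split($3, a, ":") && a[1] == s { print $1, a[2] }' |
        while read -r server port; do
            printf '    ip saddr %s ip daddr %s tcp dport %s accept\n' \
                "$(addr_of "$client")" "$(addr_of "$server")" "$port"
        done
    done
    printf '  }\n'
    printf '}\n'
}

# Usage: compile_rules db1 > db1.nft ; compile_gateway_rules > gateway.nft
# then load with "nft -f <file>" on the respective box.
```

Running `compile_rules db1` yields a chain that only admits 10.0.2.10 (app1) to 5432, while `compile_rules web1` yields no service rule at all because nothing depends on web1; the gateway chain carries the same two pairs as forward rules. Regenerate and push both outputs whenever the map changes and the host and network layers stay in agreement without any SDN machinery.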

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug