Lee H. Marzke on 17 May 2018 06:25:30 -0700
Re: [PLUG] Fwd: VMware Releases Security Update
See below.

----- Original Message -----
> From: "Rich Freeman" <r-plug@thefreemanclan.net>
> To: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>
> Sent: Thursday, May 17, 2018 8:20:51 AM
> Subject: Re: [PLUG] Fwd: VMware Releases Security Update
>
> On Thu, May 17, 2018 at 7:55 AM brent timothy saner <brent.saner@gmail.com> wrote:
>
>> i'd say 9 out of 10 deployments don't really need it, though.
>
> I guess it depends on what you mean by "need." Your servers will work fine
> without SELinux or netfilter rules or POSIX capabilities. Heck, they'll
> work fine if you run all your daemons as root too.
>
> I think the appeal of software-defined networking is that you can
> potentially use it to achieve a higher level of control. I suspect this
> becomes more practical if you're doing more
> orchestration/software-defined-infrastructure/etc, so that the network
> rules are just a consequence of the same rules used to spin up the servers
> and load balancing and all that. In the ideal setup servers would only be
> able to talk to the other servers they require services from/etc, and this
> would be enforced through software firewalls on the servers, and by all the
> switches/firewalls/etc on the network, providing defense in depth. With a
> central configuration you could compile device-specific rules and push them
> out anytime something changes, versus managing every switch individually.

Exactly. SDN is more useful when:

- You desire micro-segmentation as a security strategy, which white-lists all intra-VM traffic and blocks the rest (defense in depth).
- You're using automation and want to create networks and security policies along with VMs, e.g. to create a new 3-tier application from a blueprint each day for new clients.
- You want quicker roll-out of network changes from a central panel, with the ability to easily roll back changes. Now an ugly network change becomes a button push.

Lee

> However, your infrastructure will still "work" if your LAN is wide open and
> all the controls are on the gateway. It just means that if something gets
> into your LAN you don't have defense in depth.
>
> --
> Rich
> ___________________________________________________________________________
> Philadelphia Linux Users Group -- http://www.phillylinux.org
> Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
> General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug

--
"Between subtle shading and the absence of light lies the nuance of iqlusion..." - Kryptos

Lee Marzke, lee@marzke.net
http://marzke.net/lee/
IT Consultant, VMware, VCenter, SAN storage, infrastructure, SW CM
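The "central configuration compiled into device-specific rules" idea from the exchange above, as an added example that is not part of the original thread: a constructed 3-tier blueprint and a tier-level allow-list are expanded into per-host nftables rulesets with a default-deny policy, and a check shows a flow only succeeds when both endpoints' rules permit it. The tier names, addresses and ports are invented for the demonstration.

```python
"""Compile one central micro-segmentation policy into per-host firewall rules.
Constructed example: a 3-tier blueprint (lb -> web -> app -> db) whose only
permitted flows are listed centrally; every host gets just its own rules and a
default-deny policy, so anything not in the blueprint is blocked at both ends."""

# Constructed blueprint: tier name -> addresses of the VMs in that tier.
TIERS = {
    "lb": ["10.0.0.10"],
    "web": ["10.0.1.10", "10.0.1.11"],
    "app": ["10.0.2.10", "10.0.2.11"],
    "db": ["10.0.3.10"],
}

# Central allow-list: (source tier, destination tier, TCP port). Nothing else is allowed.
POLICY = [("lb", "web", 443), ("web", "app", 8080), ("app", "db", 5432)]


def compile_rules(tiers, policy):
    """Expand the tier-level policy into {host: {"input": [(peer, port)], "output": [...]}}."""
    rules = {h: {"input": [], "output": []} for hosts in tiers.values() for h in hosts}
    for src_tier, dst_tier, port in policy:
        for src in tiers[src_tier]:
            for dst in tiers[dst_tier]:
                rules[dst]["input"].append((src, port))   # dst accepts from src
                rules[src]["output"].append((dst, port))  # src may initiate to dst
    return rules


def render_nft(host, rules):
    """Render one host's rules as an nftables ruleset with default-deny chains."""
    lines = ["table inet filter {"]
    for chain, addr in (("input", "saddr"), ("output", "daddr")):
        lines.append(f"  chain {chain} {{")
        lines.append(f"    type filter hook {chain} priority 0; policy drop;")
        lines.append("    ct state established,related accept")  # replies to allowed flows
        for peer, port in rules[host][chain]:
            lines.append(f"    ip {addr} {peer} tcp dport {port} ct state new accept")
        lines.append("  }")
    lines.append("}")
    return "\n".join(lines)


def flow_permitted(rules, src, dst, port):
    """A new connection src -> dst:port only succeeds if BOTH endpoints' rules allow it,
    which is the defense-in-depth property: one misconfigured host does not open a path."""
    return (dst, port) in rules[src]["output"] and (src, port) in rules[dst]["input"]


if __name__ == "__main__":
    compiled = compile_rules(TIERS, POLICY)
    print(render_nft("10.0.3.10", compiled))  # the db host accepts only the two app VMs
```

Management flows (DNS, SSH, monitoring) would be added to the same central list rather than hand-edited on each host, which is what keeps the per-device rules a pure consequence of the blueprint.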