#1
I need to deploy a number of outward facing micropartitions on a p570 that my organization wants to be isolated from one another on the network, so in the event that a single LPAR is compromised, it's only possible to even communicate with a small subset of servers out there. My concern is, if all of the LPARs are micropartitions and are using the same VIO pair (many of the LPARs will actually be on the same subnet and VLAN), is it possible for them to be isolated from one another since inter-LPAR traffic doesn't exit the frame, but rather travels down the backplane, hits the virtual Ethernet switch and then gets routed appropriately? Our firewall rules happen at the physical switch level, and as far as I know those rules won't propagate down to the virtual switch. If the LPARs are exposed to one another, it increases our risk factor. The VIO networking that we use tends to be mostly out-of-the-box SEA failover stuff. However, I'm open to changing that configuration if it will fix this problem. Thanks in advance for your advice on this.
#2
Hi, your firewall rules protect your internal servers from bogus traffic coming from outside. Then some filters at physical LAN switch level may be applied.

Inside your pSeries servers there's a sort of LAN switch that uses real memory addresses to simulate an ARP table to send data to each virtual Ethernet interface; that's why communications are so fast.

Now let's say you have a physical switch in your organization. You can protect communications by creating domains called VLANs; you can also configure it so communications between servers in different VLANs are not allowed, by applying some rules to packets travelling those VLANs (as well as your switch has some TCP/IP Layer 3 capabilities). You can do the same when configuring your Virtual LAN adapter at HMC level in the profile of the client LPAR. You can tell any given Virtual LAN adapter to accept packets tagged with a given VLAN ID. This way you can secure your communications at LAN level.

You can also create firewall rules at AIX level and apply best recommendations so your internal OS would be hardened in case of intrusion. Hope this helps.

__________________ cd3lgad0p
#4
If the compromised partition is the VIO, then all is wide open. It's safer to use physical Ethernets assigned by the HMC (which won't have Internet access, we hope); it will be slower and more expensive. The AIX firewall should be used in every LPAR to enforce rules about what can come in (this can be done with virtual or physical interfaces).
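Posts #2 and #4 both point at the AIX-level firewall as the control that still holds when LPARs share a virtual switch. The script below is an added example (not code from the thread or from IBM) that builds an AIX IPv4 filter policy for one LPAR: permit traffic to and from a short allow-list of peers, allow SSH from one management host, and deny everything else. All addresses are constructed, and the `genfilt`/`mkfilt` flags are as I know them from AIX; run it as shown to print the commands, or with `apply` on an AIX LPAR to execute them.

```sh
#!/bin/sh
# Constructed example: AIX IP Security filter rules that restrict one LPAR
# to a small set of peers. Addresses below are hypothetical placeholders.
ALLOWED_PEERS="10.1.20.11 10.1.20.12"   # hypothetical application peers
MGMT_HOST="10.1.30.5"                    # hypothetical admin host (ssh only)

# Prints the genfilt command sequence; pass "apply" as $1 to run it on AIX.
build_filter_rules() {
  run=${1:-print}
  emit() { if [ "$run" = apply ]; then "$@"; else echo "$@"; fi; }

  emit mkdev -l ipsec -t 4          # load the IPv4 IP Security device
  emit rmfilt -v 4 -n all           # drop any previous user-defined rules

  # Rules are evaluated in order, so permits come before the final deny.
  # Inbound: source must be a listed peer. Outbound: destination must be.
  for peer in $ALLOWED_PEERS; do
    emit genfilt -v 4 -a P -s "$peer" -m 255.255.255.255 \
      -d 0.0.0.0 -M 0.0.0.0 -c all -w I -l N -i all -D "in from $peer"
    emit genfilt -v 4 -a P -s 0.0.0.0 -m 0.0.0.0 \
      -d "$peer" -M 255.255.255.255 -c all -w O -l N -i all -D "out to $peer"
  done

  # Management access: only TCP/22 from the admin host, logged.
  emit genfilt -v 4 -a P -s "$MGMT_HOST" -m 255.255.255.255 \
    -d 0.0.0.0 -M 0.0.0.0 -c tcp -O eq -P 22 -w I -l Y -i all -D "mgmt ssh"

  # Default deny for everything not matched above, in both directions, logged.
  emit genfilt -v 4 -a D -s 0.0.0.0 -m 0.0.0.0 \
    -d 0.0.0.0 -M 0.0.0.0 -c all -w B -l Y -i all -D "default deny"

  emit mkfilt -v 4 -u -g start      # activate the rule set and start logging
}

# Helper used to sanity-check the generated policy without an AIX box:
# counts the genfilt rules and confirms the last one is the deny.
count_genfilt_rules() { build_filter_rules | grep -c '^genfilt'; }
last_rule_is_deny()   { build_filter_rules | grep '^genfilt' | tail -1 | grep -q ' -a D '; }

build_filter_rules "$1"
```

Outbound replies to the permitted inbound SSH session still need an outbound rule or the `tcp/ack` protocol keyword on a matching `-w O` rule; add one for the management host before relying on this in production.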
#5
Consider cd3lgad0p's answer the correct one and ignore the other two. Your network administrator should be able to secure your servers with the information cd3lgad0p provided.

__________________ $ PATH=pretending! /usr/ucb/which sense no sense in pretending!
#8
Yes, assigning physical NICs to every LPAR would be the easiest and probably most secure choice, but it isn't really an option due to the fact that our planning group is targeting somewhere from 40-50 LPARs on each 570, so there's the issue of how many slots we would need, between at least 2 NICs for each network on each LPAR, getting all of the fibre adapters set up within the VIO, etc. There is a command called viosecure which I am still researching which addresses this problem. Installing ipsec (or some variant thereof) on each LPAR would probably be a good idea... however I'm not sure that I have the time or expertise to put it out there in some maintainable fashion. Thanks all for your responses.
#9
For me the best way to secure a LAN is still using physical interfaces... I understand that your planning makes it difficult, but sometimes virtualizing everything is not the best choice... It's my opinion but I think if you talk with security experts they will tell you the same... if you multiply entry points you multiply risks... That's a reason why I don't think using a CSM machine with a trusted root account on each node is always a good choice... But it's my humble opinion... ;-)

Last edited by kbr; January 31st, 2008 at 11:04.
#10
But, as kbr referred, there is the spoofing problem (at MAC or TCP/IP level), so maybe the only _good_ answer is really IPSEC (secure encrypted tunnels between the LPARs). But you'll have some communications overhead and have to spend additional RAM and CPU resources. And managing the PKI infrastructure with tunnels between 40 or 50 LPARs won't be a piece of cake.