Accepting Virtualized Network Functions (VNFs) into Corporate IT
Hi,
Vendor X wants you to run their VNF (Router, Firewall or Whatever) and they refuse to give you root access, or any means necessary to do 'maintenance' kind of work, whether it's applying security updates, or any other similar type of task that is needed for you to integrate the Linux VM into your IT ecosystem.
Would this be an acceptable offering in today's IT from different types of enterprises (minus the Googles, Facebooks, etc.)?
Thanks
On 28/Nov/16 19:53, Kasper Adel wrote:
> Hi,
> Vendor X wants you to run their VNF (Router, Firewall or Whatever) and they refuse to give you root access, or any means necessary to do 'maintenance' kind of work, whether it's applying security updates, or any other similar type of task that is needed for you to integrate the Linux VM into your IT ecosystem.
> Would this be an acceptable offering in today's IT from different types of enterprises (minus the Googles, Facebooks, etc.)?
Vote with your feet. Mark.
On 28/Nov/16 19:53, Kasper Adel wrote:
> Hi,
> Vendor X wants you to run their VNF (Router, Firewall or Whatever) and they refuse to give you root access, or any means necessary to do 'maintenance' kind of work, whether it's applying security updates, or any other similar type of task that is needed for you to integrate the Linux VM into your IT ecosystem.
> Would this be an acceptable offering in today's IT from different types of enterprises (minus the Googles, Facebooks, etc.)?
As long as the vendor will be held liable for ANY (and I mean it) problem that could happen on my infrastructure.
This is a really interesting thread; my telco clients are mad keen on various solutions of this general form. As a rule they would love to consolidate their various SME and enterprise CPEs down to a single x86 box that gets configured with VNFs from a central VIM or container pool. But they'd also love to sell you all your networking out of that box - and one of the big questions I have is just how many companies would accept "LAN as a Service". It may be even more difficult for SMEs as the cost of going back on the deal is higher the less in-house capability you have. On Tue, Nov 29, 2016 at 8:36 AM, Denis Fondras <xxnog@ledeuns.net> wrote:
> On 28/Nov/16 19:53, Kasper Adel wrote:
> > Hi,
> > Vendor X wants you to run their VNF (Router, Firewall or Whatever) and they refuse to give you root access, or any means necessary to do 'maintenance' kind of work, whether it's applying security updates, or any other similar type of task that is needed for you to integrate the Linux VM into your IT ecosystem.
> > Would this be an acceptable offering in today's IT from different types of enterprises (minus the Googles, Facebooks, etc.)?
> As long as the vendor will be held liable for ANY (and I mean it) problem that could happen on my infrastructure.
On 29/Nov/16 12:55, Alexander Harrowell wrote:
> This is a really interesting thread; my telco clients are mad keen on various solutions of this general form. As a rule they would love to consolidate their various SME and enterprise CPEs down to a single x86 box that gets configured with VNFs from a central VIM or container pool. But they'd also love to sell you all your networking out of that box - and one of the big questions I have is just how many companies would accept "LAN as a Service". It may be even more difficult for SMEs as the cost of going back on the deal is higher the less in-house capability you have.
I'd say it's reasonably common. We have a number of 3rd party companies running the LANs of our enterprise customers, here in Africa. Mark.
On Nov 28, 2016, at 12:53 PM, Kasper Adel <karim.adel@gmail.com> wrote:
> Hi,
> Vendor X wants you to run their VNF (Router, Firewall or Whatever) and they refuse to give you root access, or any means necessary to do 'maintenance' kind of work, whether it's applying security updates, or any other similar type of task that is needed for you to integrate the Linux VM into your IT ecosystem.
> Would this be an acceptable offering in today's IT from different types of enterprises (minus the Googles, Facebooks, etc.)?
My experiences say that most people would accept this. Things like IT are a cost and any way to externalize that cost makes sense. If you look at something like a SMB service, where you have mandatory NID or provider managed CPE/handoff, having a solution pre-built seems like a no-brainer. Of course, if you're on nanog@ chances are you could build your own pfSense based solution or iptables setup. The question is does it scale, or how do you scale or automate it? There are only so many Mark/Jared/Kaspers out there. I look at what happened with Hotel networking, with consolidation by a few players like wayport, er AT&T and you have a mostly stable workable product that has all the warts you'd expect from a consistent product delivery. What I've observed from our customers, they appreciate consistent service delivery globally, and the same would likely apply to those wanting to purchase a managed firewall service. - jared
On 28/Nov/16 20:10, Jared Mauch wrote:
> My experiences say that most people would accept this. Things like IT are a cost and any way to externalize that cost makes sense. If you look at something like a SMB service, where you have mandatory NID or provider managed CPE/handoff, having a solution pre-built seems like a no-brainer.
Agreed - if the customer neither has nor wants to maintain the skill-set necessary to operate the solution, then outsourcing it to a vendor (or their partner) means they will want to make sure the customer does not have the chance to mess it up. So yes, if I were in the vendor's/partner's position, I'd lock down root as well. But if you're a power user and have the team for this, I'd walk. Mark.
In a message written on Mon, Nov 28, 2016 at 01:10:29PM -0500, Jared Mauch wrote:
> My experiences say that most people would accept this. Things like IT are a cost and any way to externalize that cost makes sense. If you look at something like a SMB service, where you have mandatory NID or provider managed CPE/handoff, having a solution pre-built seems like a no-brainer.
Historically, I agree. However I sense the winds are changing on this issue. Various auditors and certification schemes have changed over the past 2-3 years to be much more skeptical of these sorts of devices. They want to see "endpoint security" (AV and/or Fingerprinting) on all devices. To the extent these "appliance" VMs are standard OSes (often CentOS) they are more insistent it should be possible. Where it is not possible, they want to see severe network quarantine, for instance per host firewalls to lock down the devices. I'm not sure why the OP was asking, but if they are developing a new product of this type I might suggest they consider their response to a customer who says they need endpoint security on it before building it. -- Leo Bicknell - bicknell@ufp.org PGP keys at http://www.ufp.org/~bicknell/
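A concrete form of the network quarantine described above, added here as an example and not taken from the thread: an nftables ruleset on the hypervisor host that confines a black-box VNF VM which cannot run endpoint security. The VNF address, jump host, resolver, vendor update endpoint and service ports are all assumed values chosen for illustration.

```nft
# Added example (not from the thread): quarantine a VNF VM from the host side
# because nothing can be installed inside it.
# Assumed values: VNF 10.20.0.50, jump host 10.10.0.5, internal resolver
# 10.10.0.53, vendor update endpoint 203.0.113.10 (documentation range).
table inet vnf_quarantine {
    set vnf_hosts {
        type ipv4_addr
        elements = { 10.20.0.50 }
    }

    chain forward {
        type filter hook forward priority filter; policy accept;

        # Only flows to or from the quarantined VNF are handled here;
        # everything else is left to the host's normal policy.
        ip saddr @vnf_hosts jump vnf_egress
        ip daddr @vnf_hosts jump vnf_ingress
    }

    chain vnf_ingress {
        ct state established,related accept
        # Management plane reachable only from the jump host
        ip saddr 10.10.0.5 tcp dport { 22, 443 } accept
        # The service the VNF provides to the rest of the network
        # (assumed here: an IPsec endpoint)
        udp dport { 500, 4500 } accept
        # Everything else is logged so the drops can be reviewed
        log prefix "vnf-quarantine-in drop: " counter drop
    }

    chain vnf_egress {
        ct state established,related accept
        # Outbound limited to the vendor's update endpoint and DNS;
        # a compromised appliance cannot reach the rest of the LAN
        ip daddr 203.0.113.10 tcp dport 443 accept
        ip daddr 10.10.0.53 udp dport 53 accept
        log prefix "vnf-quarantine-out drop: " counter drop
    }
}
```

Load it with `nft -f` and watch the counters with `nft list table inet vnf_quarantine`; the logged drops are the evidence an auditor asks for when the appliance itself cannot be instrumented. The forward hook only sees the VM's traffic when the host routes it (a routed libvirt network, for instance); on a plain Linux bridge the same rules belong in a bridge-family table, or br_netfilter has to be enabled.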
On Mon, Nov 28, 2016 at 09:53:41AM -0800, Kasper Adel wrote:
> Would this be an acceptable offering in today's IT from different types of enterprises (minus the Googles, Facebooks, etc.)?
The comments from others on this thread have some good points to make, but in my experience, even at places that outsource to SaaS, a black box on the internal network isn't going to fly. Cheers, -j
On Mon, Nov 28, 2016 at 09:53:41AM -0800, Kasper Adel wrote:
> Vendor X wants you to run their VNF (Router, Firewall or Whatever) and they refuse to give you root access, or any means necessary to do 'maintenance' kind of work, whether it's applying security updates, or any other similar type of task that is needed for you to integrate the Linux VM into your IT ecosystem.
Thus simultaneously (a) making vendor X a far more attractive target for attacks and (b) ensuring that when -- not if, when -- vendor X has its infrastructure compromised that the attackers will shortly thereafter own part of your network, for a value of "your" equal to "all customers of vendor X". (By the way, this isn't really much of a leap on my part, since it's already happened.) ---rsk
On Mon, Nov 28, 2016 at 01:44:25PM -0500, Rich Kulawiec wrote:
> On Mon, Nov 28, 2016 at 09:53:41AM -0800, Kasper Adel wrote:
> > Vendor X wants you to run their VNF (Router, Firewall or Whatever) and they refuse to give you root access, or any means necessary to do 'maintenance' kind of work, whether it's applying security updates, or any other similar type of task that is needed for you to integrate the Linux VM into your IT ecosystem.
> Thus simultaneously (a) making vendor X a far more attractive target for attacks and (b) ensuring that when -- not if, when -- vendor X has its infrastructure compromised that the attackers will shortly thereafter own part of your network, for a value of "your" equal to "all customers of vendor X".
> (By the way, this isn't really much of a leap on my part, since it's already happened.)
Sure. But that's mostly the risk of running a black-box appliance. It doesn't really matter if it's a VM or a piece of hardware. Businesses that are comfortable with physical appliances (running on Intel hardware under the covers) for Router/Firewall/Whatever accept little additional risk if they then run that same code on a VM. (Sure, there's the possibility of the virtual appliance being compromised, and then being used to exploit a hypervisor bug that allows breaking out of the VM. So the risk isn't *zero*. But the overwhelming majority of the risk comes from the decision to run the appliance, not the HW vs. VM decision.) -- Brett
participants (9)
- Alexander Harrowell
- Brett Frankenberger
- Denis Fondras
- James Downs
- Jared Mauch
- Kasper Adel
- Leo Bicknell
- Mark Tinka
- Rich Kulawiec