Accepting Virtualized Functions (VNFs) into Corporate IT

Hi,

Vendor X wants you to run their VNF (Router, Firewall or Whatever) and they
refuse to give you root access, or any means necessary to do 'maintenance'
kind of work, whether it's applying security updates, or any other similar
type of task that is needed for you to integrate the Linux VM into your IT
eco-system.

Would this be an acceptable offering in today's IT from different types of
Enterprises (minus the Googles, Facebooks, etc.)?

Thanks

Vote with your feet.

Mark.

My experiences say that most people would accept this. Things like IT are a cost
and any way to externalize that cost makes sense. If you look at something like
a SMB service, where you have mandatory NID or provider managed CPE/handoff,
having a solution pre-built seems like a no-brainer.

Of course, if you’re on nanog@ chances are you could build your own pfSense based
solution or iptables setup. The question is does it scale, or how do you scale
or automate it? There are only so many Mark/Jared/Kasper’s out there.

I look at what happened with Hotel networking, with consolidation by a few players
like wayport, er AT&T and you have a mostly stable workable product that has
all the warts you’d expect from a consistent product delivery.

What I’ve observed from our customers, they appreciate consistent service delivery
globally, and the same would likely apply to those wanting to purchase a managed
firewall service.

- jared

Agreed - if the customer neither has nor wants to maintain the skill-set
necessary to operate the solution, then outsourcing it to a vendor (or
their partner) means they will want to make sure the customer does not
have the chance to mess it up.

So yes, if I were in the vendor's/partner's position, I'd lock down root
as well.

But if you're a power user and have the team for this, I'd walk.

Mark.

The comments from others on this thread have some good points to make,
but in my experience, even at places that outsource to SaaS, a black
box on the internal network isn't going to fly.

Cheers,
-j

Thus simultaneously (a) making vendor X a far more attractive target for
attacks and (b) ensuring that when -- not if, when -- vendor X has its
infrastructure compromised, the attackers will shortly thereafter
own part of your network, for a value of "your" equal to "all customers
of vendor X".

(By the way, this isn't really much of a leap on my part, since it's
already happened.)

---rsk

Sure. But that's mostly the risk of running a black-box appliance. It
doesn't really matter if it's a VM or a piece of hardware. Businesses
that are comfortable with physical appliances (running on Intel
hardware under the covers) for Router/Firewall/Whatever accept little
additional risk if they then run that same code on a VM.

(Sure, there's the possibility of the virtual appliance being
compromised, and then being used to exploit a hypervisor bug that
allows breaking out of the VM. So the risk isn't *zero*. But the
overwhelming majority of the risk comes from the decision to run the
appliance, not the HW vs. VM decision.)

     -- Brett

As long as the vendor will be held liable for ANY (and I mean it) problem that
could happen on my infrastructure.

This is a really interesting thread; my telco clients are mad keen on
various solutions of this general form. As a rule they would love to
consolidate their various SME and enterprise CPEs down to a single x86 box
that gets configured with VNFs from a central VIM or container pool. But
they'd also love to sell you all your networking out of that box - and one
of the big questions I have is just how many companies would accept "LAN as
a Service". It may be even more difficult for SMEs as the cost of going
back on the deal is higher the less in-house capability you have.

I'd say it's reasonably common.

We have a number of 3rd party companies running the LANs of our
enterprise customers, here in Africa.

Mark.

In a message written on Mon, Nov 28, 2016 at 01:10:29PM -0500, Jared Mauch wrote:

> My experiences say that most people would accept this. Things like IT are a cost
> and any way to externalize that cost makes sense. If you look at something like
> a SMB service, where you have mandatory NID or provider managed CPE/handoff,
> having a solution pre-built seems like a no-brainer.

Historically, I agree.

However, I sense the winds are changing on this issue. Various
auditors and certification schemes have changed over the past 2-3
years to be much more skeptical of these sorts of devices. They
want to see "endpoint security" (AV and/or Fingerprinting) on all
devices. To the extent these "appliance" VMs are standard OSes
(often CentOS) they are more insistent it should be possible. Where
it is not possible, they want to see severe network quarantine, for
instance per-host firewalls to lock down the devices.

I'm not sure why the OP was asking, but if they are developing a
new product of this type I might suggest they consider their response
to a customer who says they need endpoint security on it before
building it.