Solaris-10 zones on multi-homed server with IPMP: what about security?

From: rob.de.langhe@belgacom.be
Date: Wed May 17 2006 - 04:44:06 EDT


Hi,

I have this remark from our security admins, concerned about the
following setup:

A Solaris-10 server will run 2 zones, each should be in a separate VLAN
in DMZ segments.

For the sake of redundancy over the NICs, we have 4 NICs in this server:
- 2 NICs connected on switch-ports of VLAN-1, and configured from the
global zone in IPMP (each NIC its own IP, plus a virtual IP over these 2
NICs that is used by the global zone to address that IP range)
- 2 other NICs connected on switch-ports of VLAN-2, and configured from
the global zone in IPMP (each NIC its own IP, plus a virtual IP over
these 2 NICs that is used by the global zone to address that IP range)

Now to have the zones talk in their particular VLAN only, the global
zone would set an extra virtual address on IPMP-group '1' (the NICs
connected in VLAN-1) and assign that to zone "z1".
Similarly, the global zone would set an extra virtual address on
IPMP-group '2' (the NICs connected in VLAN-2) and assign that to the
second zone "z2".

----VLAN1------o---------o---
               |         |
----VLAN2------+---------+--------o--------o-----
               |         |        |        |
global zone:   |         |        |        |
              NIC1      NIC2     NIC3     NIC4
              1.x.x.1   1.x.x.2  2.x.x.1  2.x.x.2
                 |-----|          |-------|
                 1.x.x.3           2.x.x.3

for zone-1: 1.x.x.4
for zone-2: 2.x.x.4

This way each zone does not see any communications destined for the
other zone, and vice versa.

The problem lies with the global zone, which becomes in fact multi-homed
in the 2 VLANs: even without acting as a router (should be default
nowadays on Solaris, I feel), it potentially lies under attack from each
VLAN. It should be isolated from any such VLAN, and only have a network
link to manage the zones.
I know, we still have the console to work on the global zone, but
network link is needed as well to steer e.g. backups, monitoring,
software copies, etc.

Has anyone come across such a situation?
Which setup has been chosen?
Can it be realized with/without IPMP?

Any hints are greatly appreciated!

Rob
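The setup above written out as an added example (not from Rob's post, and not Sun's own configuration): the global zone's IPMP and zone files plus IP Filter rules that keep the global zone's own addresses closed to the two DMZ VLANs while leaving the zones' addresses alone. Interface names ce0-ce3 and bge0, the 10.1.1.0/24 and 10.2.2.0/24 ranges, the 10.9.9.5 management address and the zonepaths are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Generates the Solaris 10
# global-zone files for the setup above: two IPMP groups, one zone address
# per group, and IP Filter rules that close the global zone's own addresses
# to the DMZ VLANs while leaving the zones' addresses untouched.
# Assumptions: ce0/ce1 in ipmp1 (VLAN1, 10.1.1.0/24), ce2/ce3 in ipmp2
# (VLAN2, 10.2.2.0/24), bge0 as the management link with address 10.9.9.5.
# Usage: write_config DIR  (DIR=/ on the real host, then zonecfg -z z1 -f ...)

# ipmp_member FILE GROUP TESTADDR [DATAADDR]: /etc/hostname.<if> contents.
# Test addresses are deprecated/-failover so only in.mpathd sources from
# them; the optional data address is the one that floats between members.
ipmp_member() {
    line="$3 netmask + broadcast + group $2 deprecated -failover up"
    [ -n "$4" ] && line="$line addif $4 netmask + broadcast + up"
    echo "$line" > "$1"
}

# gz_rules ADDR [PROTO]: a global-zone address may talk out (ICMP only for
# test addresses, so IPMP probes still work); nothing unsolicited gets in.
# Replies come back through the state table, so 'block in' does not break it.
gz_rules() {
    proto="${2:+proto $2 }"
    printf 'pass out quick %sfrom %s to any keep state\n' "$proto" "$1"
    printf 'block in quick from any to %s\n' "$1"
}

write_config() {
    root="$1"; mkdir -p "$root/etc/ipf"
    ipmp_member "$root/etc/hostname.ce0" ipmp1 10.1.1.1 10.1.1.3
    ipmp_member "$root/etc/hostname.ce1" ipmp1 10.1.1.2
    ipmp_member "$root/etc/hostname.ce2" ipmp2 10.2.2.1 10.2.2.3
    ipmp_member "$root/etc/hostname.ce3" ipmp2 10.2.2.2
    # Each zone's address is placed on one member of its IPMP group; with
    # the shared-IP stack in.mpathd moves it to the other member on failure.
    for z in "z1 10.1.1.4/24 ce0" "z2 10.2.2.4/24 ce2"; do
        set -- $z
        printf 'create\nset zonepath=/zones/%s\nadd net\nset address=%s\nset physical=%s\nend\n' \
            "$1" "$2" "$3" > "$root/etc/$1.zonecfg"
    done
    {
        # management link: SSH in, anything out; DMZ addresses: see gz_rules
        echo 'pass in quick on bge0 proto tcp from any to 10.9.9.5 port = 22 flags S keep state'
        echo 'pass out quick on bge0 from 10.9.9.5 to any keep state'
        for a in 10.1.1.1 10.1.1.2 10.2.2.1 10.2.2.2; do gz_rules "$a" icmp; done
        for a in 10.1.1.3 10.2.2.3; do gz_rules "$a"; done
        echo 'block in quick on bge0 all'
    } > "$root/etc/ipf/ipf.conf"
}
```

IP Filter in the Solaris 10 global zone sees the shared-IP zones' packets as well, which is why the rules name only the global zone's own addresses and never the zones' .4 addresses. Blocking inbound ICMP to the test addresses outright would stop in.mpathd's probes, hence the stateful pass-out rules instead.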

_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers



This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:39:54 EDT