[Dshield] Blades, VLANs and DMZs

jimmie mac jmac at securityninjamonkeys.com
Tue Oct 19 16:54:48 GMT 2004

The blade servers that I have worked with are 802.1q capable,
allowing you to trunk multiple VLANs into the internal
switches, then break those VLANs out onto the individual servers.

The blade chassis has an in-band configuration IP that manages
the blade chassis and the switches inside of the chassis.  The
servers (blades) inside the chassis cannot communicate with the
chassis in any way other than going to the in-band IP address,
which is subject to normal IP restrictions.

In a more straightforward answer:  The servers in a chassis
have no out of band means to talk to the chassis controller. 
The IP address the individual blade servers sit on will be
subject to the same Layer 3 traffic restrictions that any
other IP on that subnet would be subject to.

That being said, if you trunk into the chassis, that trunk
must terminate at a layer 2 switch that in turn must be
attached to a router.  It is imperative that you make sure
that you engineer your network so that a) Your blade servers
have all the VLAN access that they require and b) that you can
still apply ACL and Firewall protection to those VLANs.



Does anyone have any policies regarding blade or switch
in DMZ environments?  Let's say a simple network with public
(unfiltered internet/outside firewall), DMZ, and internal.
I've seen some organizations with policies that require that
separate switches be used for each segment, while other
companies use one big switch and VLANs.  The thinking behind
the separate physical switch is to guard against VLAN
configuration errors, or cable mistakes, side-stepping the
firewall.  Of course VLANs within a segment (user segments)
are not an issue.

My concern is actually a little different, but somewhat
related.  One client is now starting to use a lot of blade
servers.  The blades all share a GB backplane in the blade
cabinet, but they connect up to the network using a built-in
switch, which can be VLANed.  Some of the servers in this
blade cabinet are on the internal network.  They now want to
add a blade that is in the DMZ network and create a VLAN
within the blade switch.

I guess I don't know enough about how the blades work yet,
but I have some (possibly unjustified) concerns that mixing a
DMZ server and internal servers in a single blade rack could
open up exposures.  If a DMZ server is compromised, would
there be ways to jump to the network, without going through
the firewall?

Sorry if this isn't a clear question.  Just thoughts that have
been swirling around in my head.
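The reply's two requirements (the blades get exactly the VLAN access they need, and the firewall/ACLs still sit between the zones) and the question's worry about VLAN configuration errors can be turned into a mechanical check of the chassis-switch config. The script below is an added example, not from the post or any vendor; it parses a deliberately simplified IOS-like syntax (only `interface`, `switchport mode`, `switchport access vlan`, `switchport trunk allowed vlan`, and `ip address` lines are understood), and the zone names, VLAN IDs, port names and the sample config are all constructed for illustration. It flags a blade port that is trunking more than one zone, a chassis uplink trunk that carries VLANs no blade needs, and routed (SVI) interfaces on the chassis switch in more than one zone, since routing on the chassis would let traffic cross zones without ever reaching the firewall.

```python
"""Policy check for a blade-chassis switch config (constructed example).

Assumed, not from the original post: a simplified IOS-style config
syntax; the zone map and VLAN IDs below are invented for illustration.
"""
import re

# Constructed zone map: which VLAN IDs belong to which security segment.
ZONES = {"outside": {10}, "dmz": {20}, "internal": {30, 31}}

# Constructed chassis-switch config: blade ports Gi0/1-3, uplink Gi0/24.
SAMPLE_CONFIG = """
interface GigabitEthernet0/1
 description blade-1 (internal)
 switchport mode access
 switchport access vlan 30
interface GigabitEthernet0/2
 description blade-2 (dmz)
 switchport mode access
 switchport access vlan 20
interface GigabitEthernet0/3
 description blade-3 (misconfigured as a trunk)
 switchport mode trunk
 switchport trunk allowed vlan 20,30
interface GigabitEthernet0/24
 description uplink to core
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30-31
interface Vlan20
 ip address 192.0.2.1 255.255.255.0
interface Vlan30
 ip address 198.51.100.1 255.255.255.0
"""
BLADE_PORTS = ["GigabitEthernet0/1", "GigabitEthernet0/2", "GigabitEthernet0/3"]
UPLINK = "GigabitEthernet0/24"


def expand_vlans(spec):
    """Expand an allowed-VLAN list such as '10,20,30-31' into a set of ints."""
    out = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-")
            out.update(range(int(lo), int(hi) + 1))
        elif part:
            out.add(int(part))
    return out


def parse_config(text):
    """Return {interface_name: {setting: value}} from the simplified config."""
    ifaces, cur = {}, None
    for raw in text.splitlines():
        m = re.match(r"interface (\S+)", raw)
        if m:
            cur = ifaces.setdefault(m.group(1), {})
            continue
        if cur is None:
            continue
        line = raw.strip()
        if line.startswith("switchport mode "):
            cur["mode"] = line.split()[-1]
        elif line.startswith("switchport access vlan "):
            cur["access_vlan"] = int(line.split()[-1])
        elif line.startswith("switchport trunk allowed vlan "):
            cur["allowed"] = expand_vlans(line.split("vlan", 1)[1])
        elif line.startswith("ip address "):
            cur["ip"] = line.split()[2]
    return ifaces


def zone_of(vlan):
    """Map a VLAN ID to its zone name, or None if it is not in the zone map."""
    for name, ids in ZONES.items():
        if vlan in ids:
            return name
    return None


def check(config_text, blade_ports, uplink):
    """Return a list of policy findings; an empty list means the policy holds."""
    ifaces = parse_config(config_text)
    findings, needed = [], set()
    for port in blade_ports:
        cfg = ifaces.get(port, {})
        if cfg.get("mode") == "trunk":
            # A blade should sit in one VLAN; a trunk spanning zones is a config error.
            zones = sorted(z for z in {zone_of(v) for v in cfg.get("allowed", set())} if z)
            findings.append(f"{port}: blade port is a trunk carrying zones {zones}")
            needed |= cfg.get("allowed", set())
        elif "access_vlan" in cfg:
            v = cfg["access_vlan"]
            if zone_of(v) is None:
                findings.append(f"{port}: access VLAN {v} is not mapped to any zone")
            needed.add(v)
        else:
            findings.append(f"{port}: no access VLAN configured")
    # Requirement (a): the uplink trunk should carry only the VLANs the blades need.
    extra = ifaces.get(uplink, {}).get("allowed", set()) - needed
    if extra:
        findings.append(f"{uplink}: trunk carries VLANs {sorted(extra)} no blade needs (prune them)")
    # Requirement (b): routed interfaces in two zones on the chassis would route around the firewall.
    svi_zones = {zone_of(int(n[4:])) for n, c in ifaces.items() if n.startswith("Vlan") and "ip" in c}
    svi_zones.discard(None)
    if len(svi_zones) > 1:
        findings.append(f"chassis switch routes between zones {sorted(svi_zones)}; that traffic would bypass the firewall")
    return findings


if __name__ == "__main__":
    for finding in check(SAMPLE_CONFIG, BLADE_PORTS, UPLINK):
        print(finding)
```

Run against the constructed config it reports three findings: the blade port trunking both DMZ and internal, the uplink carrying VLANs 10 and 31 that no blade uses, and SVIs in two zones on the chassis switch. A real audit would pull the running config from the chassis switch and extend the parser to the vendor's syntax, but the three checks are the ones that decide whether a DMZ blade and an internal blade in the same cabinet are still separated only by the firewall.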
