Blade Server Security

Unanswered Question
Jun 1st, 2010

What security issues exist in a blade server environment that don't exist with standalone servers?

I have a client who is deathly afraid of going with blade servers because he provides services in a shared infrastructure and he is afraid of some sort of data bleedover or compromise of sorts...

Thanks

Ganesh Hariharan Tue, 06/01/2010 - 22:49


Hi,

Just check out the below link on a comparison of blade servers with rack-mounted servers,

http://www.webopedia.com/quick_ref/blade_servers.asp

Hope to help !!

Ganesh.H

lamav Wed, 06/02/2010 - 07:02

Ganesh:

That link doesn't help at all. It's geared for lay people who are clueless, and it doesn't address security at all anyway.

I am looking for informed, deep dive technical information and perspective regarding blade security.

Reza Sharifi Wed, 06/02/2010 - 14:27

Hi Victor,

In a blade server environment you usually run some sort of VMware with ESX or ESXi and as far as I know (very limited knowledge in this area) the hypervisors are "bare-metal", meaning they get installed directly on top of the physical servers and then you partition it into multiple virtual machines. You also assign memory, disk, CPU per virtual machine and these virtual machines do not interact with one another. I think, from what I hear from our server guys, ESXi gives you the most security. The virtual deployment in the server environment is pretty similar to VRF/logical routers in the routing and switching world.

HTH

Reza

lamav Wed, 06/02/2010 - 19:35

Hi, Reza:

I agree with you that VMWare has a lot of security built in, like vswitch isolation, etc...

But the client's concern is with the physical servers themselves...no VMware

Reza Sharifi Wed, 06/02/2010 - 19:48

Victor,

When you say no VMware, you mean for example I have an IBM H-Series chassis with 14 blades in it. You would just install 14 operating systems on these 14 blades, one per blade? If this is the case then this is even more secure, because each blade has its own connection to the backplane of the chassis. This particular chassis has 14 1Gig connections (one per blade) to the backplane and 4 10Gigs for uplinks.

HTH

Reza

Jon Marshall Thu, 06/03/2010 - 03:27

Victor

It really comes down to the same issues as having multiple VLANs on the same switch, i.e. how secure is that compared to having multiple switches, one per VLAN. Note I'm talking about shared infrastructure here and not an Enterprise setup where obviously having one VLAN per switch(es) is not practical.

With shared infrastructure you can apply the same sort of arguments as to whether it is better to have dedicated switches for VLANs in a secure environment, i.e. having dedicated switches will always be more secure. The "worry" with blade servers is that because they have their own switches, how secure is it to have multiple VLANs for different customers and how secure would it be if you wanted to firewall each or some customers' VLANs.

When we first looked at blade servers this was a concern for us too because we needed to firewall some of the servers and not others and the security dept. quite rightly questioned how that would work when the servers were all contained within the same chassis. And this is exactly the same sort of question as to how secure is a 6500 switch with multiple DMZs firewalled by an FWSM for example.

So as I say it comes down to how comfortable you are using VLANs on the same switch to segregate traffic as opposed to having dedicated switches for each VLAN. Personally, within a DC environment I am fairly happy with that setup, and as long as you apply the standard L2 security measures such as don't use VLAN 1, use a non-routed native VLAN or tag the native VLAN if the switch supports it, etc., then it should be fine.

I'm pretty sure you've probably read this paper but just in case -

6500 vlan security white paper

Jon
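The three L2 measures Jon lists (keep VLAN 1 unused, keep the native VLAN non-routed, tag the native VLAN where the platform supports it) are easy to check mechanically on a blade chassis switch or an aggregation switch. The script below is an added example, not code from the original thread or from Cisco: it parses two constructed IOS-style config snippets (one with the weak defaults, one hardened) and reports which of those measures each trunk or access port violates. The interface names, VLAN numbers and addresses are made up; the `vlan dot1q tag native` global command is the one Jon refers to with "tag the native VLAN if the switch supports it".

```python
"""Audit an IOS-style switch config for the L2 segregation measures
discussed in the thread. Both configs below are constructed samples."""
import re

# Weak: trunk left with native VLAN 1 untagged, VLAN 1 routed, access port in VLAN 1.
WEAK_CONFIG = """\
!
interface Vlan1
 ip address 10.0.0.2 255.255.255.0
!
interface GigabitEthernet1/0/1
 description uplink to chassis switch
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 description customer A blade
 switchport mode access
!
"""

# Hardened: dedicated non-routed native VLAN, native tagged, VLAN 1 unused.
HARDENED_CONFIG = """\
!
vlan dot1q tag native
!
interface Vlan999
 no ip address
 shutdown
!
interface GigabitEthernet1/0/1
 description uplink to chassis switch
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 110,120
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 description customer A blade
 switchport access vlan 110
 switchport mode access
!
"""


def parse_interfaces(config):
    """Split an IOS-style config into global lines and per-interface sub-lines."""
    global_lines, interfaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces


def svi_is_routed(interfaces, vlan_id):
    """True if interface Vlan<id> carries an IP address and is not shut down."""
    lines = interfaces.get(f"Vlan{vlan_id}", [])
    has_ip = any(l.startswith("ip address ") for l in lines)
    return has_ip and "shutdown" not in lines


def vlan_from(lines, pattern, default=1):
    """Return the VLAN number set by the matching command, or the IOS default (1)."""
    for l in lines:
        m = re.match(pattern, l)
        if m:
            return int(m.group(1))
    return default


def audit(config):
    """Return a list of findings; an empty list means all three measures are met."""
    global_lines, interfaces = parse_interfaces(config)
    findings = []
    tag_native = "vlan dot1q tag native" in global_lines
    for name, lines in interfaces.items():
        if name.lower().startswith("vlan"):
            continue  # SVIs are checked via svi_is_routed()
        if "switchport mode trunk" in lines:
            native = vlan_from(lines, r"switchport trunk native vlan (\d+)$")
            if native == 1:
                findings.append(f"{name}: trunk native VLAN is VLAN 1")
            if svi_is_routed(interfaces, native):
                findings.append(f"{name}: native VLAN {native} has a routed SVI")
            if not tag_native:
                findings.append(f"{name}: native VLAN {native} is sent untagged "
                                "(no 'vlan dot1q tag native')")
        elif "switchport mode access" in lines:
            if vlan_from(lines, r"switchport access vlan (\d+)$") == 1:
                findings.append(f"{name}: access port is in VLAN 1")
    if svi_is_routed(interfaces, 1):
        findings.append("Vlan1: management SVI is up with an IP address")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or ["no findings"])
```

Running it prints four findings for the weak trunk/access pair plus the routed VLAN 1 SVI, and nothing for the hardened config. The checks are deliberately limited to the measures named in the post; on a real shared chassis you would feed it `show running-config` output from each embedded switch module and review any trunk that still defaults to native VLAN 1.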

lamav Thu, 06/03/2010 - 04:51

Jon, thanks for that insightful post.

From my understanding, the client's concern revolves around the switches being physically located in the same chassis, i.e. physical separation. As Reza stated, the servers are physically isolated from each other via PCB traces and separate physical connectors for each blade on the midplane.

Perhaps running multiple virtual instances of firewall contexts or VRFs on the same physical box is another discussion. In that case, I'm not sure how a blade chassis will differ from separate rack servers with regard to traffic isolation.

Thanks

Victor
