Hello Craig,

I’ve never done that, but wouldn’t VLANs (on the network side) be a good solution for your problem?

Toasters work perfectly well with VLANs. If the physical interface is an 802.1q (VLAN trunk) port, the physical filer doesn't have an IP address directly on this physical interface.

Instead, there are virtual interfaces which do have IP addresses, and your v-filer0 would also have an 802.1q port as the "uplink" port, but it would have different VLANs configured than the physical filer.

Would that be a way to go for you?

Bye,

Alex
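A concrete form of the VLAN layout Alex describes, as an added example that is not part of this thread: a Data ONTAP 7-mode (MultiStore) session in which the trunk port carries two VLANs, vfiler0 holds an address only on the internal VLAN, and the external v-filer is placed in its own IPspace so it also gets a separate routing table (that last step, and the `*.access` options at the end, go beyond what Alex wrote). Interface name, VLAN IDs, aggregate, volume and addresses are constructed placeholders, and the exact `options *.access` syntax is assumed from the 7-mode `options` man page; confirm it on the running version.

```console
filer> vlan create e0a 100 200
# e0a itself keeps no address; traffic only flows on the tagged members e0a-100 and e0a-200

filer> ifconfig e0a-100 192.168.100.10 netmask 255.255.255.0 up
# internal VLAN: this is the only address that belongs to vfiler0

filer> ipspace create extspace
filer> ipspace assign extspace e0a-200
# external VLAN interface moved into its own IPspace (own routing table);
# an interface must carry no address at the moment it is assigned

filer> vol create vfext_root aggr0 20g
filer> vfiler create vfext -s extspace -i 203.0.113.10 /vol/vfext_root
filer> ifconfig e0a-200 203.0.113.10 netmask 255.255.255.0 up
# 203.0.113.10 is owned by vfext, so ssh/http to that address land in vfext, never in vfiler0

filer> vfiler status -a
# check: vfiler0 must list only 192.168.100.10; vfext must list only 203.0.113.10

filer> options ssh.access if=e0a-100
filer> options httpd.admin.access if=e0a-100
filer> options rsh.access none
filer> options telnet.access none
# belt and braces: vfiler0's management listeners answer only on the internal VLAN interface
```

The `vfiler status -a` check is the one to repeat after any interface change: the isolation holds only as long as no vfiler0-owned address ever appears on e0a-200.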

From: toasters-bounces@teaparty.net [mailto:toasters-bounces@teaparty.net] On Behalf Of Craig A. Falls
Sent: Thursday, 19 January 2012 21:07
To: toasters@teaparty.net
Subject: v-filers and external network isolation

Good People, I am a long time reader, novice poster, and I have a question for you.

I have an environment where I want to put a single physical filer across two distinct networks (one internal and one external). Using v-filers I want to provide services for both networks. Generally I would use two physical filers for this, so attacks on the physical filer in the external network would only compromise storage in the external network.

In using a single physical filer, and using v-filers, I am hoping to achieve the same results; the issue, however, is that I can still get to v-filer0, and thus the filer as a whole, from the IP address on the interface that is hosting the v-filers provisioned to the external network. Thus it provides an attack vector to something that before (with two physical filers) was completely inaccessible.

I see two possible solutions that I am not sure are implementable:

(1) Somehow creating the interface connected to the external network without an IP address, so the v-filers would have IP addresses on that interface and be accessible, but v-filer0 would not be accessible, as there is no IP to access it, or

(2) Somehow deny ssh to v-filer0 from the external network interface, but it would still have to work for the v-filers on that interface.

Not sure if these are possible, or an extensive list of the ways to achieve what I am attempting. Also, in re-reading this, SSH isn't the only attack vector; http and any other management interface would have to be denied from the external interfaces as well. Any advice or thoughts would be much appreciated.

thanks

c