I agree… if there is no data on vfiler0, use e0M for management only and no other interfaces on vfiler0 (unless you need gigabit or higher for SnapMirror or NDMP over the network from vfiler0); then keep separate ipspaces (separate routing tables are the end result) for the vfilers.  Vfiler0 is locked into the default-ipspace.  With separate ipspaces, each vfiler can look like a separate physical controller.  Access to vfiler0 is the only exception, but that is management access.  Vfiler0 does not have user access to data in vfilers, but of course there are security concerns about someone configuring things from vfiler0, which could cause havoc if attacked.

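The layout the reply above describes (e0M as the only vfiler0 interface in default-ipspace, each externally-facing vfiler in its own ipspace with its own routing table, and vfiler0 management services pinned to e0M, which is what Craig's option (2) below asks for) as a Data ONTAP 7-mode command sequence. This is an added example written for this page, not commands posted by anyone in the thread; the interface name e0c, the ipspace and vfiler names, the 203.0.113.0/24 addresses and the volume path are assumptions chosen for illustration.

```ontap
# Run on the physical controller (vfiler0). Assumptions: e0c is the port
# cabled to the external network and carries no IP address yet; e0M is
# the dedicated management port on the internal network.

# 1. Put the external port in its own ipspace. Interfaces can only be
#    assigned while unconfigured; the ipspace gets its own routing table.
ipspace create ext-ipspace
ipspace assign ext-ipspace e0c
ipspace list                      # expect: ext-ipspace (e0c) alongside default-ipspace

# 2. Create the external vfiler inside that ipspace. vfiler0 cannot own
#    addresses in ext-ipspace, so nothing on e0c ever answers as vfiler0.
vfiler create vf-ext -s ext-ipspace -i 203.0.113.10 /vol/vf_ext_root
ifconfig e0c 203.0.113.10 netmask 255.255.255.0 up
vfiler run vf-ext route add default 203.0.113.1 1   # default route in ext-ipspace only
vfiler run vf-ext netstat -rn                       # vfiler sees only its own table

# 3. Keep vfiler0 reachable only via e0M, and only for management.
options interface.blocked.mgmt_data_traffic on       # e0M carries no data protocols
options ssh.access if=e0M
options httpd.admin.access if=e0M
options snmp.access if=e0M
options rsh.enable off
options telnet.enable off

# 4. Verify: the external vfiler answers on e0c, vfiler0 only on e0M.
vfiler status -a
ifconfig -a
```

With this in place, a host on the external network can reach vf-ext's CIFS/NFS/iSCSI endpoints on 203.0.113.10 but has no address at all through which to reach vfiler0; the SSH/HTTP restrictions are the second layer in case an address is ever added to default-ipspace by mistake. Note the caveat in the reply above still applies: anyone with vfiler0 administrative access on the e0M side can reconfigure the vfilers, so that management network needs the same protection the second physical filer used to get.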
 

From: toasters-bounces@teaparty.net [mailto:toasters-bounces@teaparty.net] On Behalf Of Crawford, Mark (CBC)
Sent: Thursday, January 19, 2012 12:22 PM
To: 'Craig A. Falls'; toasters@teaparty.net
Subject: RE: v-filers and external network isolation

 

I would use 'ipspace create' to isolate the external-connected interface and use it within your vfiler.  The IP address(es) used on that interface would then be the address(es) used to externally connect your vfiler.

 

From: toasters-bounces@teaparty.net [mailto:toasters-bounces@teaparty.net] On Behalf Of Craig A. Falls
Sent: Thursday, January 19, 2012 3:07 PM
To: toasters@teaparty.net
Subject: v-filers and external network isolation

 

Good People, I am a long time reader, novice poster, and I have a question for you.

 

I have an environment where I want to put a single physical filer across two distinct networks (one internal and one external).  Using v-filers I want to provide services for both networks.  Generally I would use two physical filers for this, so attacks on the physical filer in the external network would only compromise storage in the external network.

 

In using a single physical filer, and using v-filers, I am hoping to achieve the same results; the issue, however, is that I can still get to v-filer0, and thus the filer as a whole, from the IP address on the interface that is hosting the v-filers provisioned to the external network.  This provides an attack vector to something that before (with two physical filers) was completely inaccessible.

 

I see two possible solutions that I am not sure are implementable:

 

(1) Somehow creating the interface connected to the external network without an IP address; thus the v-filers would have IP addresses on that interface and be accessible, but v-filer0 would not be accessible, as there is no IP to access it, or

 

(2) Somehow deny ssh to v-filer0 from the external network interface, but it would still have to work for the v-filers on that interface.

 

I am not sure if these are possible, or whether this is an extensive list of the ways to achieve what I am attempting.  Also, in re-reading this, SSH isn't the only attack vector; HTTP and any other management interface would have to be denied from the external interfaces as well.  Any advice or thoughts would be much appreciated.

 

thanks

c

 
