[192832] in North American Network Operators' Group
Re: Accepting a Virtualized Functions (VNFs) into Corporate IT
daemon@ATHENA.MIT.EDU (Rich Kulawiec)
Mon Nov 28 13:49:52 2016
X-Original-To: nanog@nanog.org
Date: Mon, 28 Nov 2016 13:44:25 -0500
From: Rich Kulawiec <rsk@gsp.org>
To: nanog@nanog.org
In-Reply-To: <CALb2afMbnhUY1C8=_ZtzB4dfF7VGz9Q=M9zWdJ+mu3RDWM1YkA@mail.gmail.com>
Errors-To: nanog-bounces@nanog.org

On Mon, Nov 28, 2016 at 09:53:41AM -0800, Kasper Adel wrote:
> Vendor X wants you to run their VNF (Router, Firewall or Whatever) and they
> refuse to give you root access, or any means necessary to do 'maintenance'
> kind of work, whether it's applying security updates, or any other similar
> type of task that is needed for you to integrate the Linux VM into your IT
> eco-system.

Thus simultaneously (a) making vendor X a far more attractive target for
attacks and (b) ensuring that when -- not if, when -- vendor X has its
infrastructure compromised that the attackers will shortly thereafter
own part of your network, for a value of "your" equal to "all customers
of vendor X".

(By the way, this isn't really much of a leap on my part, since it's
already happened.)

---rsk