N1 Provisioning Server 3.1, Blades Edition, Installation Guide

Ethernet Security

Within the Ethernet portion of the switched fabric, logical server farms are implemented using port-based virtual local area networks (VLANs). From a security perspective, port-based VLAN membership is a stronger implementation than VLAN membership defined by Media Access Control (MAC) or IP addresses, because membership is determined by the physical switch port a device is connected to rather than by a logical address that the device itself presents. This network virtualization layer eliminates VLAN hopping and IP spoofing as a means of crossing farm boundaries, and it removes any possibility of controlling VLAN membership from outside the Control Center.

To prevent IP spoofing attempts, an incoming IP packet on a VLAN must have the same VLAN tag and MAC address as the logical interface on which it is arriving. The Control Center sets VLAN tags for the appropriate ports and networks.
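The ingress rule just described can be modelled as a small check over 802.1Q-tagged frames. The following is an added example, not code from the N1 Provisioning Server product: it parses the Ethernet/802.1Q header of a frame, extracts the VLAN ID from the tag control field, and accepts the frame only if both the VLAN ID and the source MAC match what the Control Center bound to the arriving port. The port names, MAC addresses and VLAN IDs in the binding table are constructed, hypothetical values.

```python
"""
Added example: ingress check for tagged Ethernet frames, modelled on the rule
that a frame arriving on a VLAN port must carry the VLAN tag and the source
MAC bound to that logical interface. Not N1 Provisioning Server code; the
binding table and frames are constructed here for illustration.
"""
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag
HEADER_LEN = 18      # dst MAC(6) + src MAC(6) + TPID(2) + TCI(2) + EtherType(2)


@dataclass(frozen=True)
class Binding:
    """What the Control Center configured for one switch port (hypothetical)."""
    vlan_id: int
    mac: bytes  # 6-byte MAC of the blade behind that port


# Constructed port-to-binding table with hypothetical values.
PORT_BINDINGS = {
    "blade-01": Binding(vlan_id=101, mac=bytes.fromhex("001122334455")),
    "blade-02": Binding(vlan_id=202, mac=bytes.fromhex("00aabbccddee")),
}


def parse_tagged_frame(frame: bytes):
    """Return (dst_mac, src_mac, vlan_id, ethertype); raise ValueError if malformed."""
    if len(frame) < HEADER_LEN:
        raise ValueError("frame too short for an 802.1Q header")
    dst, src, tpid, tci, ethertype = struct.unpack("!6s6sHHH", frame[:HEADER_LEN])
    if tpid != TPID_8021Q:
        raise ValueError("frame is untagged")
    vlan_id = tci & 0x0FFF  # VLAN ID is the low 12 bits of the TCI
    return dst, src, vlan_id, ethertype


def check_ingress(port: str, frame: bytes) -> str:
    """Return 'accept', or a 'drop: ...' reason explaining why the frame is rejected."""
    binding = PORT_BINDINGS.get(port)
    if binding is None:
        return "drop: port not assigned to any farm"
    try:
        _dst, src, vlan_id, _etype = parse_tagged_frame(frame)
    except ValueError as exc:
        return f"drop: {exc}"
    if vlan_id != binding.vlan_id:
        return f"drop: VLAN {vlan_id} does not match port VLAN {binding.vlan_id}"
    if src != binding.mac:
        return f"drop: source MAC {src.hex(':')} not bound to {port}"
    return "accept"


def build_frame(dst: bytes, src: bytes, vlan_id: int, ethertype: int = 0x0800) -> bytes:
    """Build a minimal tagged frame (PCP=0, DEI=0) with a zero-filled payload."""
    tci = vlan_id & 0x0FFF
    return struct.pack("!6s6sHHH", dst, src, TPID_8021Q, tci, ethertype) + b"\x00" * 46


if __name__ == "__main__":
    bcast = b"\xff" * 6
    good = build_frame(bcast, bytes.fromhex("001122334455"), 101)
    wrong_vlan = build_frame(bcast, bytes.fromhex("001122334455"), 202)
    wrong_mac = build_frame(bcast, bytes.fromhex("00aabbccddee"), 101)
    for label, frame in [("good", good), ("wrong VLAN", wrong_vlan), ("wrong MAC", wrong_mac)]:
        print(f"{label}: {check_ingress('blade-01', frame)}")
```

The check is deliberately ordered so that the port binding is consulted first: a frame on a port the Control Center never assigned is dropped before any of its contents are trusted, and a mismatch in either the tag or the source MAC is reported separately, which is the information an operator wants when auditing dropped frames.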

To ensure that the Control Center is protected from unauthorized access from within the I-Fabric, the control plane server on which the Control Center software runs resides within its own dedicated port-based VLAN. This architecture physically eliminates the possibility of unauthorized access to the Control Center from within the I-Fabric. Logical server farm users cannot manipulate their own or any other logical server farm's VLAN configuration.

Server blades within an I-Fabric are dedicated to only one unique logical server farm at any time. While servers may be added or subtracted from a particular logical server farm over its life cycle, no single physical server blade will ever be used by more than one logical server farm simultaneously. Thus, servers are protected from intrusion by the VLAN and the Control Center security measures previously described.

Farms are implemented in an I-Fabric using VLANs, which are based on physical switch ports and configured through the Control Center. Farm isolation is enforced by the port-based VLAN itself rather than by an administrative password; in addition, the VLAN configuration on each applicable switch is password protected.

Access to services on the Control Center from the farms is restricted by IP filtering. IP routing through a control plane server is not possible. Access to the Farm Manager and the Segment Manager from a farm is not possible.


Note – Only the Control Center is authorized to make modifications to virtual wiring and virtual farm security perimeters.