Dear Andy, thank you very much for your quick answer.
I am pleased to read that we do not think completely contra here and also think similarly regarding security - albeit with a different result.
The more I think about it, the more aspects I think of why an (internal) firewall and a differentiation of the data laying would be sensible (even essential) and how this is about “internal or external firewall”. I’m just not sure if this is the right threat for it. I let it get to it and share my thought
To make it clear briefly: I use virtualization - for many reasons and also for the reasons you have set out. Only the VM hosts, the Raspberries (as well as other small devices) and the Mac clients are still “bare metal”.
Why I think the differentiation of data storage is important:
My VM Host provides various data carriers for the virtual disks. The essentials are always connected internally. System data and service data (such as emails) usually lie on SSDs. Through writing activities stressed areas (swap, log) i like to put on uncritical data carriers - either fast HDDs or older SSDs. I would also like to put file data larger size (very expensive with SSD and unnecessarily with online connections) on large HDDs instead of SSDS. Virtual disks for databases would also also be placed on particularly suitable data carriers (or storage systems). And now it was only scenarios that were not with backup sizes or the opportunity to do backups partially (on VM Host level)
All of this works wonderfully with proxmoxve. I understand the scenario in which certain drives cannot be found and can therefore not be beguned and the server cannot start - but wouldn’t that be solvable by a software query at the start (already system start or only start to work)?
But they mentioned the developer’s approach to the “target group”.
There will probably be the following basic scenarios:
-
“Bare Metal” - still used in small scenarios and also as part of “Colocation” or “Server Housing”. Therefore, this target group should still be important.
-
“Virtualization” - should cover the rest of the scenarios. Either hosted yourself (loical or in the data center) or directly at the cloud provider (I have little experience with the latter).
As far as I understand that, the target group of NS8 users or supervisors are the not necessarily profound knowledge of matter and (also) therefore things should be kept simple. Agreed.
But something that affects almost everyone that somehow has to do with databases (and what else does a server do?) Is compliance with legal basics, right? In the EU, this is specifically the GDPR (called GDPR in Germany). And now we look at the above -mentioned scenarios from the point of view of the GDPR:
- Access protection (device level): Either organized locally or you have to trust the cloud provider (there is a contract).
- Access protection (service level): Codes and passwords for the machines or services (containers) can be assigned locally and in the cloud.
- But what about the data carrier level? According to the GDPR, these should also be encrypted, not only the backups (and at best also scenarios of military violence).
A encryption “bare metal” has the problem that someone has to enter a password on the sheet at every start or restart (or insert a decryption stick or similar). Or you have connected a KVM hardware, then you can also remote.
In principle, encryption that the cloud provider provides is not (if you are honest). Here, too, you have “only” a contract, the rest is hope.
If you operate your own virtualization host (such as Proxmox VE) locally or in the data center, the data carrier level can be solved via LUKS encryption - i.e. directly on the host level. This has the advantage that no encryption does not have to be set up at the guest level and the computing resources for encryption and decryption do not have to be calculated separately for each guest or only the data carrier host is responsible. The decryption also only has to be opened when the VM host starts. The disadvantage is that the security (in the open state) now only has to be guaranteed by the VM host. However, this should be operated as possible anyway. A physical attacker on site (whom I cannot see directly) would be a problem, but carrying it away does not work (unless the attacker also carries the USV away).
Ok, until here we somehow correspond to the GDPR - provided that a user from the typical target group can implement this up to now. NS8 does not already provide its own mechanisms that could help the target group here. If NS8 were already conceptually available system data and service data on different data carriers (gladly in the same path), LUKS could be used here. Please do not save the keys for the backups in the system path!)
And what about structural or conceptual security? (also one aspect of the GDPR)
And here I come back to the question “internal or external firewall”.
The data connection for the (possibly) different nodes is made of NS (encrypted. Very exemplary!
But what about the data connection between NS8 and upstream firewall? This connection is either a physical (network cable) or a virtual.
The service dates running over it are usually (hopefully) encrypted, but what about the packet data itself? Basically, anyone who gains physically or virtually access to this connection can change the package data, i.e. (to) define where they are sent or where they come from (allegedly). And then there is no more important firewall. Upps …
Access to a network cable (locally or in the data center) is usually “only” a question of physical protection - or a question of what the provider contractually assures (and whether you trust this).
The same applies to access to a virtual connection between between server VM and firewall VM. If you only rent the required VMS with the cloud provider, you have to trust the provider that it effectively restricts access to the virtual connection. From experience with VM host systems, we know that “outbreaks” from VMS are not completely impossible and the more “strangers” are on one and the same hostin dance, the greater the risk.
The scenarios “bare metal” or “VM instance in the cloud” probably correspond to the typical target group. With the problems described (or risks). Only operators of their own VM hosts (locally or in the data center) can choose and secure their structures accordingly (at least it is your own responsibility). But that is probably not the target group of NS8.
If (as before) firewall and service were on the same device or within a VM, an attacker would have to attack the system bus or have already very deep access to the VM host to manipulate this connection. The typical NS7 or NS8 target group would protect this better - locally, in the data center and the cloud provider.
It is roughly clear to me what the idea behind the structural decision Firewall and Server (or orchestrator) may have been separated (and that it is hardly reversible).
However, it is not clear to me why the firewall is not intended as part of a container in NS8? Wouldn’t that have been an option? Maybe she will still be? (Openwrt runs as a container?)
So much for my 2222 cents
Greetings Yummiweb
PS.
Andy, if you know where I can ask specific questions about problems with NS8 without annoying, please let me know.