Comments on Tom Alrich's Blog: What about Virtualization?

Tom Alrich (2017-09-01T06:01:54.428-05:00):

Thanks, Jason. This is a good discussion to have with the virtualization committee of the SDT, assuming they decide to develop a white paper or something like that. But it illustrates the fact that there will be huge debates if the SDT tries to actually make the required changes in CIP. My estimate of 10 years is probably too low....

Anonymous (2017-08-31T14:28:52.381-05:00):

I think fundamentally this goes back to the issue of devices being capable of having multiple designations or functions. Is an EAP also a BCA? Or, can a BCA be an EAP?

Putting on my security hat, an EAP should never be a BCA and should solely be used for physically segmenting the ESP from other networks.

Otherwise, if an EAP can be a BCA, why can't I have a VM environment that does everything and just be designated an EAP/BCA, with some EACM guests, BCA guests, intermediate system guests, etc?

Again, putting on my security hat, the problem is that a compromise in the switching, hypervisor or storage layers can result in the entire VM infrastructure being vulnerable.

Conversely, I'd put forward that a VM environment with a virtual guest that operates as a BCA should be designated a BCA as well and all components (blades, hypervisors, switching, storage, etc.) also be PCA and all guests be at minimum a PCA.

A physical firewall should be required to isolate all components of the VM environment, including storage. If someone can take control of SAN storage (even from a totally different system), or cause a guest VM to act badly and compromise a hypervisor, it can adversely affect the entire VM environment.

Just look at all the security patches' release notes available from the VM manufacturers. No matter how well patched, there will be new flaws.

JasonR