[c-nsp] Current SP Cloud Security models

[Nick Hilliard]

On 13/03/2012 12:59, Joe Freeman wrote:
> I'm working on a design for a public cloud offering and the security guys
> are screaming that I need to implement network access control (from what
> they describe, it's 802.1x) in the underlying network as they claim the
> VRF/MPLS/VPLS/vlan model doesn't scale well in a cloud.

There are many scaling issues associated with virtualised environments,
that's for sure.

> That all news to me. I've been doing SP networks for a long time, but have
> never heard of a requirement for the SP to maintain 802.1x across the
> network, with a master AD/Radius instance controlling access to the network
> by customers and hosted servers.

Tell your security people that as soon as there are cloud systems which
provide L2 environments which support .1x to the client, that you'll
certainly look at them.  But that in the interim, you have a business to run.

As an almost unrelated aside (as this argument seems to be completely
political rather than technical in nature), I'm completely failing to
understand how .1x is relevant to your virtual network security.  Most
environments these days support at least some level of mac address spoofing
control, which is all you really need.  .1x is useful for large campuses
and enterprise environments, but it really isn't relevant at all to virtual
hosting so far as I can see.

Nick