parsona
1 Post

Pinned topic Logical Partition in a DMZ or public network

2014-08-29T18:33:28Z

Hello

I have a request to move a logical partition to a DMZ or public network (IBM HTTP server on AIX). While I know this is possible, the client has concerns about security. Can anyone give me advice on the implications of this, or should I just suggest that they buy another server for this purpose?

Thanks for your support

  • VusaMoyo
    2 Posts

    Re: Logical Partition in a DMZ or public network

    ‏2014-09-02T10:40:02Z  

    I'm assuming the move is to protect sensitive data on the LPAR using its new IP via a firewall. 

    If that's the case, the most important thing is to protect the means of getting to the LPAR from the backend, namely the VIOS and HMC. (Change passwords - SSH only and HTTPS.)

    Also consider adding a new DMZ VIOS and moving the VIOC to it if the hardware allows, and enable a firewall rule to allow the HMC to do RMC activities to the VIOC.

    Vusa

  • Wouter Liefting
    36 Posts

    Re: Logical Partition in a DMZ or public network

    ‏2014-09-11T11:51:32Z  

    Read up on VLANs. Make sure it's only the LPAR which is on the DMZ or public VLAN, not the VIO server. The VIO server is perfectly capable of forwarding VLAN traffic while not having an IP address on that VLAN. Alternatively, give the LPAR its own Ethernet adapter.

    As far as the RMC connection between the HMC and LPAR is concerned, it helps if you can get this established over the firewall. The RMC connection is a requirement for DLPAR, LPAR Mobility and quite a few other things. But if you can't get the RMC connection to work across the firewall, the partition will still run. You just miss out on a bunch of neat PowerVM features.

    Remember that the RMC connection is initiated from the LPAR to the HMC, so you need to allow this *inbound* connection on the firewall.