After reading this article, I had a few dissenting thoughts, maybe someone will provide their perspective?

The article suggests not running critical workloads virtually based on a failure scenario of the hosting environment (such as ransomware on hypervisor).

That does allow using the ‘all your eggs in one basket’ phrase, so I agree that running at least one instance of a service physically could be justified, but threat actors will be trying to time execution of attacks against both if possible. Adding complexity works both ways here.

I don’t really agree with the comments about not patching however. The premise that the physical workload or instance would be patched or updated more than the virtual one seems unrelated. A hesitance to patch systems is more about up time vs downtime vs breaking vs risk in my opinion.

Is your organization running critical workloads virtual like anything else, combination physical and virtual, or combination of all previous plus cloud solutions (off prem)?

  • @[email protected]
    link
    fedilink
    English
    19
    edit-2
    2 months ago

    If the hypervisor or any of its components are exposed to the Internet

    Lemme stop you right there, wtf are you doing exposing that to the internet…

    (This is directed at the article writer, not OP)

    • RedFoxOP
      link
      fedilink
      English
      32 months ago

      Lol, even in 2024 with free VPN/overlay solutions…they just won’t stop public Internet exposure of control plane things…

      • @[email protected]
        link
        fedilink
        English
        22 months ago

        Sure, but the author makes it sounds like thats its their standard way of doing things, which is insane.

        And if you do have a misconfiguration, the rational thing is to fix that, not dump the entire platform.

    • @terminhell
      link
      English
      22 months ago

      True horrors

      Like, that’s what vpns and jump boxes are for at the very least.

      • @[email protected]
        link
        fedilink
        English
        22 months ago

        Wanna bet they expose SSH on port 22 to the internet on their “critical” servers? 🤣

        • @terminhell
          link
          English
          22 months ago

          Ive been tempted to setup a Honeypot like this lol

          • @[email protected]
            link
            fedilink
            English
            12 months ago

            You’ll definitely get lots of login attempts. I used to have a port 22 ssh, hundreds of attempts per day.

            Would be interesting to see what post login behavior was.