Accepting a Virtualized Functions (VNFs) into Corporate IT

Leo Bicknell bicknell at
Tue Nov 29 15:02:42 UTC 2016

In a message written on Mon, Nov 28, 2016 at 01:10:29PM -0500, Jared Mauch wrote:
> my experiences say that most people would accept this.  things like IT are a cost
> and any way to externalize that cost makes sense.  If you look at something like
> a SMB service, where you have mandatory NID or provider managed CPE/handoff,
> having a solution pre-built seems like a no-brainer.

Historically, I agree.

However I sense the winds are changing on this issue.  Various
auditors and certification schemes have changed over the past 2-3
years to be much more skeptical of these sorts of devices.  They
want to see "endpoint security" (AV and/or Fingerprinting) on all
devices.  To the extent these "appliance" VMs are standard OSes
(often CentOS) they are more insistent it should be possible.  Where
it is not possible, they want to see severe network quarantine, for
instance per host firewalls to lock down the devices.

I'm not sure why the OP was asking, but if they are developing a
new product of this type I might suggest they consider their response
to a customer who says they need endpoint security on it before
building it.

Leo Bicknell - bicknell at
PGP keys at