Security Basics mailing list archives
RE: VM Host with guests on the Internal and DMZ networks
From: "Steven Jones" <Steven.Jones () vuw ac nz>
Date: Thu, 14 Jun 2007 08:37:41 +1200
We are doing just this and are VLANing...to blades...

In terms of hardware, we used to not allow machines to reside in both DMZ and internal thus crossing our internal firewall....but with vmware we do.....

Our ESX hosts sit on a management LAN with no exposure to DMZ or production network....so in effect the attack would have to crack the management LAN, vmware host, set up a new network interface and set up a new or crack an existing server that sits on both.... If someone is that far inside our network already they don't need to do that...

regards

Steven Jones
Senior Linux/Unix/San System Administrator
APG -Technology Integration Team
Victoria University of Wellington
Phone: +64 4 463 6272
Mobile: +64 27 563 6272

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of krymson () gmail com
Sent: Thursday, 14 June 2007 7:12 a.m.
To: security-basics () securityfocus com
Subject: Re: VM Host with guests on the Internal and DMZ networks

I think you have really two things to worry about:

1) Attacks against the host. If your host is attacked and taken over, all those guests could fall. Keep it hardened to your chosen vendor's specs!!

2) Attacks local to the guest allow the guest to attack the host. This should require the guest VM to already be rooted/owned enough to be popped. You can Google up things like blue pill, hypervisor, rutkowska (researcher), and breaking out of virtual machines/guests. Honestly, while this can blossom into a very important issue, so far the attacks are pretty exotic and you're not likely to see them.

We currently have about 60 virtual machines. Some VMs are on the DMZ and others are internal, often on the same host.

Your security risk is not too much larger because those two classes of attacks listed above are still pretty exotic and not widespread. That may not prove to be secure as the years go by, but your risk right now should not be huge. Only you can answer that, though, as you know how sensitive or regulated your company's network needs to be. In anything but a shop with budget and the need to be very surely secure otherwise people may die, I think straddling a host over the DMZ/internal is a viable situation right now. Of course, tomorrow Joanna may release something that can worm its way through VMs into the hosts and we'd all be screwed...

<- snip ->

We want to have a VMWare host (VMWare Server) that has guest systems on the DMZ and Internal LAN. To accomplish this the host would have two interfaces, one on each network. Is this a really bad idea from a security perspective? What are some ways to mitigate the risks?
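The layout Steven describes (one guest network per zone, the host's own management interface on a separate VLAN that no guest can reach) holds only as long as nobody enslaves the wrong uplink to the wrong virtual switch. The script below is an added example written for this archive page, not code from any poster in the thread or from VMware: it takes the same idea on a Linux/KVM-style host with 802.1Q subinterfaces and Linux bridges (a stand-in for the ESX vSwitches the thread talks about), parses a constructed `ip -d -o link show` snapshot, and reports any bridge that carries more than one zone or that puts the management VLAN next to a guest port. The VLAN ids, the zone map, the interface names and the two sample snapshots are all assumptions made up for the example.

```python
import re
from collections import defaultdict

# Constructed mapping of 802.1Q VLAN ids to the zones discussed in the thread.
# The ids are invented for this example; substitute your own addressing plan.
ZONE_OF_VLAN = {10: "dmz", 20: "internal", 99: "management"}

# Constructed, trimmed snapshot in the one-line-per-interface layout of
# `ip -d -o link show` (not captured from a real host). Each guest bridge has
# exactly one VLAN uplink and the management VLAN is not bridged at all.
CLEAN_IP_LINK = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP\\    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff promiscuity 1
3: eth0.10@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-dmz state UP\\    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff vlan protocol 802.1Q id 10 <REORDER_HDR> bridge_slave state forwarding
4: eth0.20@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-int state UP\\    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff vlan protocol 802.1Q id 20 <REORDER_HDR> bridge_slave state forwarding
5: eth0.99@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP\\    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff vlan protocol 802.1Q id 99 <REORDER_HDR>
6: br-dmz: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP\\    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff bridge forward_delay 1500 hello_time 200
7: br-int: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP\\    link/ether 00:11:22:33:44:66 brd ff:ff:ff:ff:ff:ff bridge forward_delay 1500 hello_time 200
8: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-dmz state UNKNOWN\\    link/ether fe:54:00:aa:bb:01 brd ff:ff:ff:ff:ff:ff tun type tap pi off vnet_hdr on bridge_slave state forwarding
9: vnet1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-int state UNKNOWN\\    link/ether fe:54:00:aa:bb:02 brd ff:ff:ff:ff:ff:ff tun type tap pi off vnet_hdr on bridge_slave state forwarding
"""

# The same host after two mistakes: the internal VLAN uplink was enslaved to
# br-dmz, and the management VLAN was enslaved to br-int next to a guest port.
MISWIRED_IP_LINK = (
    CLEAN_IP_LINK
    .replace("mtu 1500 master br-int state UP\\", "mtu 1500 master br-dmz state UP\\", 1)
    .replace("5: eth0.99@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP",
             "5: eth0.99@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-int state UP")
)


def parse_ip_link(text):
    """Reduce `ip -d -o link show` output to the facts the audit needs per interface."""
    ifaces = {}
    for line in text.splitlines():
        head = re.match(r"\d+:\s+([^:@\s]+)(?:@\S+)?:", line)
        if not head:
            continue
        master = re.search(r"\bmaster (\S+)", line)
        vlan = re.search(r"vlan protocol 802\.1Q id (\d+)", line)
        ifaces[head.group(1)] = {
            "master": master.group(1) if master else None,   # bridge it is enslaved to
            "vlan": int(vlan.group(1)) if vlan else None,     # 802.1Q id of an uplink
            "is_tap": "tun type tap" in line,                 # a guest's port
            # `\bbridge\b` matches the bridge device itself but not "bridge_slave"
            "is_bridge": re.search(r"\bbridge\b", line) is not None,
        }
    return ifaces


def audit(ifaces, zone_of_vlan):
    """Return human-readable findings; an empty list means the zones stay apart."""
    zones_per_bridge = defaultdict(set)
    taps_per_bridge = defaultdict(list)
    for name, info in ifaces.items():
        if info["master"] is None:
            continue
        if info["vlan"] is not None:
            zone = zone_of_vlan.get(info["vlan"], f"unknown-vlan-{info['vlan']}")
            zones_per_bridge[info["master"]].add(zone)
        if info["is_tap"]:
            taps_per_bridge[info["master"]].append(name)

    findings = []
    for br, zones in zones_per_bridge.items():
        if len(zones) > 1:
            findings.append(f"{br}: bridges zones {sorted(zones)}; guests on it bypass the firewall")
        if "management" in zones and taps_per_bridge.get(br):
            findings.append(f"{br}: management VLAN shares a bridge with guest ports {taps_per_bridge[br]}")
    for br, taps in taps_per_bridge.items():
        if br not in zones_per_bridge:
            findings.append(f"{br}: guest ports {taps} sit on a bridge with no VLAN uplink; confirm this is intended")
    return findings


if __name__ == "__main__":
    for label, snapshot in (("clean", CLEAN_IP_LINK), ("miswired", MISWIRED_IP_LINK)):
        print(f"== {label} host ==")
        for finding in audit(parse_ip_link(snapshot), ZONE_OF_VLAN) or ["no findings"]:
            print(" ", finding)
```

On a real host you would feed `subprocess.run(["ip", "-d", "-o", "link", "show"], capture_output=True, text=True).stdout` into `parse_ip_link` from a cron job or a configuration-management check; the value of the check is that it catches the drift Steven's design relies on never happening, rather than trusting the original build.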
Current thread:
- VM Host with guests on the Internal and DMZ networks Megan Kielman (Jun 12)
- Re: VM Host with guests on the Internal and DMZ networks Mark Sutton (Jun 12)
- RE: VM Host with guests on the Internal and DMZ networks Petter Bruland (Jun 13)
- RE: VM Host with guests on the Internal and DMZ networks Rob McShinsky (Jun 12)
- MS Virtual Server- SW Development Scenario WALI (Jun 13)
- Re: VM Host with guests on the Internal and DMZ networks Jason Ross (Jun 12)
- <Possible follow-ups>
- Re: VM Host with guests on the Internal and DMZ networks krymson (Jun 13)
- RE: VM Host with guests on the Internal and DMZ networks Steven Jones (Jun 13)
- Re: VM Host with guests on the Internal and DMZ networks Mark Sutton (Jun 12)