Re: VMware ESX

["Tyler Reguly" <ht () computerdefense org>]

Greetings,

My Advice could be to *NOT* do this...

This depends, somewhat, on the version of ESX you are running... ESXi
is 32MB and presents a much smaller attack surface that ESX. I would
never advise implementing ESX itself on both the internal network and
the DMZ, but I can't say for sure about implementing ESXi...

However keep this Microsoft Advisory in mind --
http://www.microsoft.com/technet/security/Bulletin/MS07-049.mspx

It is VirtualPC and VirtualServer but think about that.. Admin access
to any single guest, gives you access to all other guests and the
host... Who knows if that exists for VMWare and just hasn't been
stumbled across yet.

Tyler.



On Mon, Apr 21, 2008 at 6:54 PM, TVB NOC <tvbnoc () temeculavalleybank com> wrote:
> Actually,
>
> I used to work at a company that did it... Because the VMware instances
> are not aware of each other inside the host, its not a bad solution..
> However, if I were going to implement it, I would not do VLANs and
> Trunking (tagging) between the virtual switch and the physical switch. I
> would add an additional quad card or other physical network card and
> physically separate the VM host, plugging each isolated VMhost network
> connection them directly into the physical switch...
>
> Hope this helps... sorry for the grammatical errors too...
>
>
>
>
>
> On Mon, Apr 21, 2008 at 5:23 AM, Paul Heywood
> <Paul.Heywood () unitypartnership com> wrote:
> > Hi forum,
> >
> >  we've got a VMware ESX group of servers running on the inside of our
> network. Our server team want to extend this to include some DMZ
> servers. How vulnerable would this leave the internal network ? Am I
> correct in thinking that if the VMware cluster was hacked, this would
> give them access to the internal network
> >
> **********************************************************************
> >  The information in this e-mail is confidential and may be legally
> privileged.
> >  It is intended solely for the addressee. Access to this email by
> anyone else
> >  is unauthorised. If you have received it in error, please notify us
> immediately
> >  by replying to this e-mail and then delete it from your system.
> >
> >  This note confirms that this email message has been swept for the
> presence of
> >  computer viruses, however we advise that in keeping with good IT
> practice the
> >  recipient should ensure that the e-mail together with any attachments
> are virus
> >  free by running a virus scan themselves.  We cannot accept any
> responsibility for
> >  any damage or loss caused by software viruses.
> >
> >  The Unity Partnership Ltd, registered in England at West Hall, Parvis
> Road, West Byfleet, Surrey UK KT14 6EZ.
> >  Registered No : 5916336.  VAT No : 903761336.
> **********************************************************************
> >
>
>
>
> --
> "Dear God, save us from the people who believe in you." -- post-9/11
> graffiti