Security Basics mailing list archives
RE: VMware ESX
From: "TVB NOC" <tvbnoc () temeculavalleybank com>
Date: Tue, 22 Apr 2008 09:27:15 -0700
All in all it will depend on your security architecture, and the implementation strategy you go with... Like I said, you don't want to share the physical NICs between environments that are both DMZ and internal networks. This is why I stated you should not do VLANs between the virtual switch and the physical switch. Instead have dedicated NICs assigned to each server. In addition, the VM host using ESX, as long as it is not configured to be routable, will not know how to get between the various networks...

Here is a blurb I found on a separate forum... http://www.networksecurityarchive.org/html/Firewalls/2005-09/msg00096.html

Lastly, if you have read the above link, I don't agree with having a single physical link with multiple servers even if it is dedicated to DMZ only. I believe each server should have a dedicated NIC connecting to the DMZ switch.

thanks...

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Tyler Reguly
Sent: Monday, April 21, 2008 8:50 PM
To: security-basics () securityfocus com
Subject: Re: VMware ESX

Greetings,

My advice could be to *NOT* do this... This depends, somewhat, on the version of ESX you are running... ESXi is 32MB and presents a much smaller attack surface than ESX. I would never advise implementing ESX itself on both the internal network and the DMZ, but I can't say for sure about implementing ESXi...

However keep this Microsoft Advisory in mind -- http://www.microsoft.com/technet/security/Bulletin/MS07-049.mspx

It is VirtualPC and VirtualServer but think about that.. Admin access to any single guest gives you access to all other guests and the host... Who knows if that exists for VMware and just hasn't been stumbled across yet.

Tyler.

On Mon, Apr 21, 2008 at 6:54 PM, TVB NOC <tvbnoc () temeculavalleybank com> wrote:

Actually, I used to work at a company that did it... Because the VMware instances are not aware of each other inside the host, it's not a bad solution.. However, if I were going to implement it, I would not do VLANs and trunking (tagging) between the virtual switch and the physical switch. I would add an additional quad card or other physical network card and physically separate the VM host, plugging each isolated VM host network connection directly into the physical switch...

Hope this helps... sorry for the grammatical errors too...

On Mon, Apr 21, 2008 at 5:23 AM, Paul Heywood <Paul.Heywood () unitypartnership com> wrote:

Hi forum, we've got a VMware ESX group of servers running on the inside of our network. Our server team want to extend this to include some DMZ servers. How vulnerable would this leave the internal network? Am I correct in thinking that if the VMware cluster was hacked, this would give them access to the internal network?

--
"Dear God, save us from the people who believe in you." -- post-9/11 graffiti
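The advice in this thread boils down to three checks on an ESX host's virtual-switch layout: no vSwitch should carry port groups from both the DMZ and the internal network, zone separation should not rest on VLAN tagging over a trunk to the physical switch, and no physical NIC (vmnic) should carry more than one zone. The script below is an added example written for this archive page, not code from any poster or from VMware; it audits a hand-built model of a host's vSwitches against those three rules. The `PortGroup`/`VSwitch` dataclasses, the `zone` labels ("internal"/"dmz") and the two sample layouts are constructed for illustration and are not tied to real `esxcfg-vswitch` output.

```python
"""Audit a modelled ESX vSwitch layout for DMZ/internal sharing.

Constructed example. The zone label on each port group is an assumption
(an operator would tag port groups by which network they front); VLAN 0
means an untagged port group, as in ESX port-group settings.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PortGroup:
    name: str
    zone: str        # constructed label: "internal" or "dmz"
    vlan: int = 0    # 0 = untagged; anything else relies on a tagged trunk


@dataclass(frozen=True)
class VSwitch:
    name: str
    uplinks: tuple   # physical NICs (vmnicN) bound to this vSwitch
    portgroups: tuple


def audit_vswitches(vswitches):
    """Return a list of findings; an empty list means the layout follows the advice."""
    findings = []
    nic_zones = {}   # physical NIC -> set of zones whose traffic crosses it
    for vs in vswitches:
        zones = {pg.zone for pg in vs.portgroups}
        # Rule 1: guests from two zones on one vSwitch share one L2 fabric.
        if len(zones) > 1:
            findings.append(
                f"{vs.name}: port groups from {sorted(zones)} share one vSwitch")
        # Rule 2: a tagged port group means the zone boundary is a VLAN on a trunk,
        # not a dedicated cable to the physical switch.
        for pg in vs.portgroups:
            if pg.vlan != 0:
                findings.append(
                    f"{vs.name}/{pg.name}: VLAN {pg.vlan} tagging used instead of a dedicated link")
        for nic in vs.uplinks:
            nic_zones.setdefault(nic, set()).update(zones)
    # Rule 3: one physical NIC carrying several zones is the shared link the
    # thread warns against; give each zone its own vmnic.
    for nic, zones in sorted(nic_zones.items()):
        if len(zones) > 1:
            findings.append(
                f"{nic}: carries traffic for {sorted(zones)}; assign one NIC per zone")
    return findings


# Constructed layout 1: one vSwitch, one uplink, zones separated only by VLAN tags.
TRUNKED_LAYOUT = (
    VSwitch("vSwitch0", ("vmnic0",), (
        PortGroup("Internal VMs", "internal", vlan=10),
        PortGroup("DMZ VMs", "dmz", vlan=20),
    )),
)

# Constructed layout 2: a vSwitch and a dedicated untagged NIC per zone.
DEDICATED_LAYOUT = (
    VSwitch("vSwitch0", ("vmnic0",), (PortGroup("Internal VMs", "internal"),)),
    VSwitch("vSwitch1", ("vmnic1",), (PortGroup("DMZ VMs", "dmz"),)),
)


def layout_is_separated(vswitches):
    """True when the audit raises no findings."""
    return not audit_vswitches(vswitches)


if __name__ == "__main__":
    for label, layout in (("trunked", TRUNKED_LAYOUT), ("dedicated", DEDICATED_LAYOUT)):
        print(f"== {label} layout ==")
        for finding in audit_vswitches(layout) or ["no findings"]:
            print("  " + finding)
```

The trunked layout produces four findings (mixed zones on vSwitch0, two tagged port groups, and vmnic0 carrying both zones); the dedicated layout produces none. The rules are deliberately strict in the direction the thread argues: a VLAN-trunked design can be made to work, but the audit treats every tagged port group as a point where separation depends on switch configuration rather than on physical cabling.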
Current thread:
- VMware ESX Paul Heywood (Apr 21)
- Re: VMware ESX Predrag (Apr 21)
- Re: VMware ESX Captain Quirk (Apr 21)
- RE: VMware ESX TVB NOC (Apr 21)
- Message not available
- Re: VMware ESX Tyler Reguly (Apr 22)
- RE: VMware ESX TVB NOC (Apr 22)
- RE: VMware ESX TVB NOC (Apr 21)
- <Possible follow-ups>
- Re: VMware ESX Robert Taylor (Apr 21)
- RE: VMware ESX Yahsodhan Deshpande (Apr 21)
- Re: VMware ESX Eric Kollmann (Apr 22)