Security Basics mailing list archives

Virtualization - Mixing DMZ and internal guests on one host: would you?


From: Dan Lynch <DLynch () placer ca gov>
Date: Tue, 14 Sep 2010 15:02:55 -0700

Greetings list,

I'm providing security input for a proposed redesign and upgrade of our existing VMware implementation. We have 80-some-odd 
internal-use-only production servers like Windows AD domain controllers, file servers, and MS Exchange servers on 
one existing ESX 3.x cluster. A separate ESX 3.x cluster hosts exclusively DMZ-based public web servers. A single 
VirtualCenter server manages both clusters.

As existing hardware leases expire, a new cluster is proposed to be built on new hardware that would merge all our VMs 
on one vSphere cluster. Dedicated pSwitch and pNIC hardware, and separate vSwitch instances are proposed to separate 
high risk from high value systems. This still leaves open the possibility of accidental (or intentional) 
misconfigurations crossing security boundaries, and the lower risk of guest-to-host or guest-to-guest exploit. 

Haletky warns against just this design in his "VMware vSphere and Virtual Infrastructure Security" book, but the cost 
of an additional cluster may override. What is the community take on this? Would you do it? Do you do it? If so, what 
controls have you put in place to help mitigate the risk?

Thanks for any input.




Dan Lynch, CISSP
Information Technology Analyst
County of Placer
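An added example, not part of the original post, of the kind of configuration audit that would catch the "accidental (or intentional) misconfigurations crossing security boundaries" the post worries about on a merged cluster. It checks a constructed, simplified vSphere-style inventory (pNIC, vSwitch and port group zone labels are assumptions; in practice the inventory would be exported from vCenter) for three invariants: every vSwitch uplinks only to pNICs of its own zone, every port group sits on a vSwitch of its own zone, and no guest is dual-homed across zones.

```python
"""Audit a DMZ/internal segregation policy over a vSphere-style inventory."""

# Constructed sample inventory (not real data): one host of the merged cluster.
# Every pNIC, vSwitch and port group carries a zone label, "dmz" or "internal".
INVENTORY = {
    "pnics": {"vmnic0": "internal", "vmnic1": "internal",
              "vmnic2": "dmz", "vmnic3": "dmz", "vmnic4": "internal"},
    "vswitches": {
        "vSwitch0": {"zone": "internal", "uplinks": ["vmnic0", "vmnic1"]},
        "vSwitch1": {"zone": "dmz", "uplinks": ["vmnic2"]},
        "vSwitch2": {"zone": "dmz", "uplinks": ["vmnic3", "vmnic4"]},  # mixed uplinks
    },
    "portgroups": {
        "LAN-Servers": {"vswitch": "vSwitch0", "zone": "internal"},
        "DMZ-Web": {"vswitch": "vSwitch1", "zone": "dmz"},
        "DMZ-Mgmt": {"vswitch": "vSwitch0", "zone": "dmz"},  # DMZ PG on internal vSwitch
    },
    "vms": {
        "dc01": ["LAN-Servers"],
        "web01": ["DMZ-Web"],
        "web02": ["DMZ-Web", "LAN-Servers"],  # guest bridging both zones
    },
}


def audit(inv):
    """Return a list of human-readable findings; an empty list means compliant."""
    findings = []
    # 1. A vSwitch must uplink only to pNICs (and hence pSwitches) of its own zone.
    for name, sw in inv["vswitches"].items():
        zones = {inv["pnics"][u] for u in sw["uplinks"]}
        if zones != {sw["zone"]}:
            findings.append(f"vswitch {name} ({sw['zone']}) has uplinks in zones {sorted(zones)}")
    # 2. A port group must live on a vSwitch of the same zone.
    for name, pg in inv["portgroups"].items():
        sw_zone = inv["vswitches"][pg["vswitch"]]["zone"]
        if sw_zone != pg["zone"]:
            findings.append(f"portgroup {name} ({pg['zone']}) sits on {pg['vswitch']} ({sw_zone})")
    # 3. No guest may have vNICs in more than one zone.
    for name, nics in inv["vms"].items():
        zones = {inv["portgroups"][pg]["zone"] for pg in nics}
        if len(zones) > 1:
            findings.append(f"vm {name} spans zones {sorted(zones)}")
    return findings


if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print("VIOLATION:", finding)
```

Run against a regularly exported inventory, a non-empty result is the signal to alert on; the same three checks apply unchanged whether the zones are separated by cluster or only by vSwitch.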