Security Basics mailing list archives

Re: Virtualization - Mixing DMZ and internal guests on one host: would you?


From: <wtskinner () roadrunner com>
Date: Wed, 15 Sep 2010 19:30:32 +0000


What type of business or environment are you supporting? Is this an international environment where there could be 
major export issue violations if there are leaks, or is your concern for separation strictly a security concern? 
Depending on the consequences of data making it from one environment to another, I'd prefer to see separate clusters. 


-Ted Skinner 


---- Dan Lynch <DLynch () placer ca gov> wrote: 
Greetings list,

I'm providing security input for a proposed redesign and upgrade of our existing VMware implementation. We have 
80-some-odd internal-use-only production servers like Windows AD domain controllers, file servers, and MS Exchange 
servers on one existing ESX 3.x cluster. A separate ESX 3.x cluster hosts exclusively DMZ-based public web servers. A 
single virtual center server manages both clusters.

As existing hardware leases expire, a new cluster is proposed to be built on new hardware that would merge all our 
VMs on one vSphere cluster. Dedicated pSwitch and pNIC hardware, and separate vSwitch instances are proposed to 
separate high risk from high value systems. This still leaves open the possibility of accidental (or intentional) 
misconfigurations crossing security boundaries, and the lower risk of guest-to-host or guest-to-guest exploit. 

Haletky warns against just this design in his "VMware vSphere and Virtual Infrastructure Security" book, but the cost 
of an additional cluster may override. What is the community take on this? Would you do it? Do you do it? If so, what 
controls have you put in place to help mitigate the risk?

Thanks for any input.




Dan Lynch, CISSP
Information Technology Analyst
County of Placer




