Security Basics mailing list archives

Re: Virtualization - Mixing DMZ and internal guests on one host: would you?


From: krymson () gmail com
Date: Fri, 17 Sep 2010 07:52:26 -0600

You're wading into a discussion that is ongoing, and almost a non-discussion. This is because few people understand 
the situation, and almost everything about virtual security and attacks is largely theoretical at this point.

If you have an auditor that approves your designs for whatever regulations or reasons, you'll want their opinion, first 
and foremost. Many auditors may be happy with virtual segmentation and/or physical segmentation with 
ACLs/firewalls/network design, and just ignore the possibility of popping a host through a guest for now.

Personally, we still prefer to keep separate hosts for DMZ systems. Is there a *really* good reason for it? Well, our 
auditors agree, it feels better "just in case" something comes up, and may help mitigate any issues...

Kinda like thinking years ago that one network is good, but we realize now that segmentation is really important. Same 
with having all your eggs in one server. Most circles strive for one-server-one-role.

The problem with virtualization is segmentation can be virtual as well...which means we need more whiskey.

In the end, the ball is still very much up in the air on what camp is correct...but I think everyone would agree that 
this complexity is becoming head-spinning. And that really only ultimately benefits attackers. (Or those who get job 
security out of it!)


<- snip ->
Greetings list,

I'm providing security input for a proposed redesign and upgrade of our existing VMware implementation. We have 80-some-odd 
internal-use-only production servers like Windows AD domain controllers, file servers, and MS Exchange servers on 
one existing ESX 3.x cluster. A separate ESX 3.x cluster hosts exclusively DMZ-based public web servers. A single 
virtual center server manages both clusters.

As existing hardware leases expire, a new cluster is proposed to be built on new hardware that would merge all our VMs 
on one vSphere cluster. Dedicated pSwitch and pNIC hardware, and separate vSwitch instances are proposed to separate 
high risk from high value systems. This still leaves open the possibility of accidental (or intentional) 
misconfigurations crossing security boundaries, and the lower risk of guest-to-host or guest-to-guest exploit.

Haletky warns against just this design in his "VMware vSphere and Virtual Infrastructure Security" book, but the cost 
of an additional cluster may override. What is the community take on this? Would you do it? Do you do it? If so, what 
controls have you put in place to help mitigate the risk?

Thanks for any input.

Dan Lynch, CISSP
Information Technology Analyst
County of Placer
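The design Dan describes relies on separate vSwitch instances and dedicated pNICs to keep DMZ and internal guests apart, and the risk he names is a misconfiguration that quietly crosses that boundary. Below is an added example, not code from either poster, of the kind of configuration audit a practitioner would want to run against such a merged cluster. The inventory (vSwitch names, uplinks, portgroups, VLAN IDs and VM zone labels) is constructed for illustration; in practice the same data would be exported from vCenter and fed in. It flags a pNIC shared by two vSwitches, a VLAN ID that appears in both zones, a vNIC landing on a vSwitch of the wrong zone, and a guest dual-homed across zones.

```python
"""Audit a vSphere-style virtual network inventory for DMZ/internal boundary crossings.

Constructed example: the inventory below is made up to resemble a merged cluster
with a dedicated DMZ vSwitch/pNIC pair and a dedicated internal vSwitch/pNIC pair.
Everything not explicitly zoned is treated as "unzoned" and therefore suspicious.
"""
from collections import defaultdict

# Zone label per vSwitch (assumption: maintained by the security team, out of band).
ZONE_OF_VSWITCH = {"vSwitchInternal": "internal", "vSwitchDMZ": "dmz"}

# Constructed inventory: vSwitch -> physical uplinks (pNICs).
VSWITCH_UPLINKS = {
    "vSwitchInternal": {"vmnic0", "vmnic1"},
    "vSwitchDMZ": {"vmnic2", "vmnic3"},
    "vSwitchMgmt": {"vmnic4"},  # never labelled, so any zoned guest touching it is flagged
}

# Constructed inventory: portgroup -> (vSwitch, VLAN id).
PORTGROUPS = {
    "pg-internal-servers": ("vSwitchInternal", 10),
    "pg-dmz-web": ("vSwitchDMZ", 200),
    "pg-dmz-oops": ("vSwitchInternal", 200),  # DMZ VLAN defined on the internal vSwitch by mistake
    "pg-mgmt": ("vSwitchMgmt", 5),
}

# Constructed inventory: VM -> (zone, portgroups of its vNICs).
VMS = {
    "dc01": ("internal", ["pg-internal-servers"]),
    "exch01": ("internal", ["pg-internal-servers"]),
    "web01": ("dmz", ["pg-dmz-web"]),
    "web02": ("dmz", ["pg-dmz-oops"]),                          # lands on the internal vSwitch
    "proxy01": ("dmz", ["pg-dmz-web", "pg-internal-servers"]),  # dual-homed across the boundary
    "jump01": ("internal", ["pg-internal-servers", "pg-mgmt"]),  # touches an unzoned vSwitch
}


def audit(vswitch_uplinks, portgroups, vms, zone_of_vswitch):
    """Return a list of human-readable findings; an empty list means no crossing found."""
    findings = []

    # 1. A physical NIC must belong to exactly one vSwitch (dedicated pNICs per zone).
    owner = {}
    for vsw, nics in vswitch_uplinks.items():
        for nic in nics:
            if nic in owner and owner[nic] != vsw:
                findings.append(f"uplink {nic} shared by {owner[nic]} and {vsw}")
            owner[nic] = vsw

    # 2. A VLAN id must not be carried by vSwitches of different zones.
    zones_by_vlan = defaultdict(set)
    for pg, (vsw, vlan) in portgroups.items():
        zones_by_vlan[vlan].add(zone_of_vswitch.get(vsw, "unzoned"))
    for vlan, zones in sorted(zones_by_vlan.items()):
        if len(zones) > 1:
            findings.append(f"VLAN {vlan} present in zones {sorted(zones)}")

    # 3. Every vNIC of a guest must sit on a vSwitch of the guest's own zone,
    #    and no single guest may bridge two zones.
    for vm, (zone, pgs) in vms.items():
        seen = set()
        for pg in pgs:
            vsw, _vlan = portgroups[pg]
            pg_zone = zone_of_vswitch.get(vsw, "unzoned")
            seen.add(pg_zone)
            if pg_zone != zone:
                findings.append(f"{vm} ({zone}) has vNIC on {pg} -> {vsw} ({pg_zone})")
        if len(seen) > 1:
            findings.append(f"{vm} is dual-homed across zones {sorted(seen)}")

    return findings


if __name__ == "__main__":
    for line in audit(VSWITCH_UPLINKS, PORTGROUPS, VMS, ZONE_OF_VSWITCH):
        print("FINDING:", line)
```

Run against the constructed inventory it reports six findings: the VLAN 200 overlap, web02 landing on the internal vSwitch, proxy01 and jump01 each with a misplaced vNIC plus a dual-homing finding. A check like this does nothing about guest-to-host escape, which is the part of the risk the audit cannot see; it only catches the accidental crossing that a shared cluster makes easy.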

