Educause Security Discussion mailing list archives
Re: Securing VM servers
From: "HALL, NATHANIEL D." <halln () OTC EDU>
Date: Thu, 29 May 2008 09:31:55 -0500
We do not allow multi-homed systems except for firewalls. I have been lucky enough to keep it that way. I understand the advantages of consolidating the number of systems, but I believe the disadvantages are more costly if something bad happens. I recommend doing multiple small clusters that are each on a single network.

You might do a little searching for the research that Ed Skoudis and Tom Liston did on escaping virtual machines. Below is an article that summarizes some of it.

http://blogs.computerworld.com/node/5936

--
Nathaniel Hall, GSEC GCFW GCIA GCIH GCFA
Network Security System Administrator
OTC Computer Networking
(417) 447-7535

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Michael Jewett
Sent: Thursday, May 29, 2008 9:16 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Securing VM servers

Hi,

We're having a debate right now over securing our VMware clusters. We currently have a couple of DMZs (Public/Private). The DMZ policies state no multi-homed servers for obvious reasons, so we are not allowing servers to be members of both. Now we are aggressively looking into VM clusters.

1) Part of me is saying one VM cluster per DMZ to have a good separation of our Public and Private servers.

2) And part of me is saying one cluster with each host being multi-homed and using virtual switches in VMware to sort out which guest is a member of which DMZ. This allows a bigger cluster for higher availability and we'd see greater savings.

Using the theory that we need N+1 for availability, that would mean 1) would require a minimum of 2 servers per DMZ or 4 servers and 2) would require only 3 servers... If all things remain equal. I'm oversimplifying the number of servers, but just giving it as an example.

What are other people doing about this? One large multi-homed cluster or multiple smaller single-homed clusters? How secure is virtual switching in VMware?

Any thoughts or suggestions would be greatly appreciated.

Thanks in advance!

Michael

--
Michael Jewett
University of New Brunswick, Fredericton, NB
mgj () unb ca
(506) 447-3022
(506) 453-3590 (FAX)
ITS@UNB - Services, Solutions, Strategies
ITS is a scent-reduced workplace - www.unbf.ca/its/policies