Educause Security Discussion mailing list archives

Re: Securing VM servers

From: "HALL, NATHANIEL D." <halln () OTC EDU>
Date: Thu, 29 May 2008 09:31:55 -0500

We do not allow multi-homed systems except for firewalls.  I have been
luck enough to keep it that way.  I understand the advantages of
consolidating the number of systems, but I believe the disadvantages are
more costly if something bad happens.  I recommend doing multiple small
clusters that are each on a single network.

You might do a little searching for the research that Ed Skoudis and Tom
Liston did on escaping virtual machines.  Below is an article that
summarizes some of it.

http://blogs.computerworld.com/node/5936

--
Nathaniel Hall, GSEC GCFW GCIA GCIH GCFA
Network Security System Administrator
OTC Computer Networking
(417) 447-7535

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Michael Jewett
Sent: Thursday, May 29, 2008 9:16 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Securing VM servers

Hi,

We're having a debate right now over securing our VMware clusters.  We 
currently have a couple of DMZs (Public/Private).  The DMZ policies 
state no multi-homed servers for obvious reasons, so we are not allowing

servers to be members of both.  Now we are aggressively looking into VM 
clusters.

1) Part of me is saying one VM cluster per DMZ to have a good separation

of our Public and Private servers.

2) And the part of me is saying one cluster with each host being 
multi-homed and using virtual switches in VMWare to sort out which guest

is a member of which DMZ.  This allows a bigger cluster for higher 
availability and we'd see greater savings.

Using the theory that we need N+1 for availability, that would mean 1) 
would require a minimum of 2 servers per DMZ or 4 servers and 2) would 
require only 3 servers... If all things remain equal.

I'm over simplifying the number of servers, but just giving it as an 
example.

What are other people doing about this?  One large Multi-homed cluster 
or multiple smaller single-homed cluster?  How secure is virtual 
switching in VMware?

Any thought or suggestions would be greatly appreciated.

Thanks in advance!

Michael

-- 
    Michael Jewett
    University of New Brunswick, Fredericton, NB
    mgj () unb ca       (506) 447-3022       (506) 453-3590 (FAX)

    ITS@UNB - Services, Solutions, Strategies
    ITS is a scent-reduced workplace - www.unbf.ca/its/policies

Current thread:

Securing VM servers Michael Jewett (May 29)
- <Possible follow-ups>
- Re: Securing VM servers HALL, NATHANIEL D. (May 29)
- Re: Securing VM servers Jenkins, Matthew (May 29)
- Re: Securing VM servers Jeff Wolfe (May 29)
- Re: Securing VM servers Mike Lococo (May 29)
- Re: Securing VM servers Paul Keser (May 29)
- Re: Securing VM servers Alex (May 29)
- Re: Securing VM servers John Ladwig (May 29)
- Re: Securing VM servers John Hoffoss (Jun 06)