Penetration Testing mailing list archives
RE: ESX Vmware Physically connected to different segments
From: "Shenk, Jerry A" <jshenk () decommunications com>
Date: Fri, 25 Jan 2008 15:26:44 -0500
I believe a couple of the Intelliguardinas did a "demonstration" of this at SANS in Washington last July. I put "demonstration" in quotes 'cuz they didn't ACTUALLY give the full details of how it worked but it sure seemed like they hopped from one VM to the host. Now to put things in perspective a bit, it sounds like they were working on a large government research contract to determine the vulnerabilities and they were putting a LOT of time and effort into it. So, you may not have adversaries like Ed Skoudis, Tom Liston and their compatriots but, it seems like this is an issue where you have a valid reason to have some concern...but, it certainly isn't a common problem today...but, depending on the value of your data, throwing a separate server in there might be a better idea. -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Albert R. Campa Sent: Thursday, January 24, 2008 4:41 PM To: pen-test () securityfocus com Subject: ESX Vmware Physically connected to different segments We have some admins setting up some VMs on an ESX server and they have the idea of setting up 1host server with multiple VMs and on some of these VMs they want physical NICs connected to our main LAN and other VMs they want physical wires connected to a DMZ lan. Normally this would be almost bridging the two networks and bad practice overall. An explanation from an SA is that virtual switches are used on the ESX host and this seperates the physical connection to our main LAN and this DMZ lan. This does not sound like good practice but is there documentation to back that up or in your experience have you been able to exploit this type of configuration? Saludos Albert ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------ **DISCLAIMER This e-mail message and any files transmitted with it are intended for the use of the individual or entity to which they are addressed and may contain information that is privileged, proprietary and confidential. If you are not the intended recipient, you may not use, copy or disclose to anyone the message or any information contained in the message. If you have received this communication in error, please notify the sender and delete this e-mail message. The contents do not represent the opinion of D&E except to the extent that it relates to their official business. ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
Current thread:
- Re: ESX Vmware Physically connected to different segments, (continued)
- Re: ESX Vmware Physically connected to different segments David M. Zendzian (Jan 29)
- Re: ESX Vmware Physically connected to different segments Dave Howe (Jan 30)
- Re: ESX Vmware Physically connected to different segments Kurt Buff (Jan 28)
- Re: ESX Vmware Physically connected to different segments David M. Zendzian (Jan 29)
- RE: ESX Vmware Physically connected to different segments Loupe, Jeffrey J (Jan 29)
- Re: ESX Vmware Physically connected to different segments Kurt Buff (Jan 29)
- RE: ESX Vmware Physically connected to different segments Loupe, Jeffrey J (Jan 29)
- Re: ESX Vmware Physically connected to different segments Enno Rey (Jan 29)
- RE: ESX Vmware Physically connected to different segments Jeff Norem (Jan 28)