Re: ESX Vmware Physically connected to different segments

[Dave Howe <David.Howe () ansgroup co uk>]

Albert R. Campa wrote:
> We have some admins setting up some VMs on an ESX server and they
> have the idea of setting up 1host server with multiple VMs and on
> some of these VMs they want physical NICs connected to our main LAN
> and other VMs they want physical wires connected to a DMZ lan.
>
> Normally this would be almost bridging the two networks and bad 
> practice overall. An explanation from an SA is that virtual switches 
> are used on the ESX host and this seperates the physical connection
> to our main LAN and this DMZ lan.
>
> This does not sound like good practice but is there documentation to 
> back that up or in your experience have you been able to exploit this
>  type of configuration?

  I would consider this no better or worse than sharing a single
physical switch with vlans in different domains - if the core os could
be compromised, it would bridge across the security domains, but the
same would be true of a firewall device between the two (which is after
all convention) - apart from the fact that I doubt ESX is designed as a
security device.

  I would be more concerned that the techniques for detecting that the
os is inside an emulated (VMWare) environment, and the extensions used
by the VMware tools, could be exploited to run code on the native cpu.
No direct reason to expect this is true, but similarly, no direct reason 
to believe it is impossible either.

David Howe
Senior SysCare  Engineer

david.howe () ansgroup co uk
Office number: 0161 227 1010
Fax: 0161 227 1020

ANS group plc
Synergy House
Manchester Science Park
Manchester
M15 6SY
www.ansgroup.co.uk

The information contained in this communication from david.howe () ansgroup co uk is confidential and may be legally privileged. 
It is intended solely for use by pen-test () securityfocus com and others authorised to receive it. 
If you are not pen-test () securityfocus com you are hereby notified that any disclosure, copying, distribution or taking action 
in reliance of the contents of this information is strictly prohibited and may be unlawful.

ANS group plc 2007 - Privacy Policy - Registered Office is Synergy House, Manchester Science Park, Manchester, M15 6SY. Reg 
No. 3176761. (Registered in England & Wales)


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------