Security Basics mailing list archives
RE: Re: Re: VM Host with guests on the Internal and DMZ networks
From: "Rob McShinsky" <Rob () McShinsky com>
Date: Fri, 20 Jul 2007 12:12:44 -0400
So are you saying that you should put your HOST in the DMZ? That would seem more secure potentially but much less stable since DMZs usually have the potential to be more open to outside risks. If you meant keep the Host NIC on the inside and only DMZ VLAN port for all remaining NICs, this does not stop your "untrustworthy" sysadmins from enabling guest traffic over that Host NIC.

As far as trusting your sysadmin, yes, there is the potential for a sysadmin to bridge networks, but they would have to shut the guest server down, add a NIC and then add an IP address that would work on the inside network while forgetting to disconnect the DMZ NIC connection. If all that happened, then I would question the sysadmin's level of competency. If done correctly, from a security perspective, the setup with segmented NICs for DMZ and Internal networks on the same virtual host is secure.

We could go on quite a while detailing all the ways that a sysadmin or network admin could compromise security of the network, which is outside of whether the particular technology is secure. If not trusting a particular group to do their jobs correctly is the concern, that is a management/hiring problem, not a security problem.

Rob

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of ssk_outlaw () yahoo com
Sent: Thursday, July 19, 2007 10:55 PM
To: security-basics () securityfocus com
Subject: Re: Re: Re: VM Host with guests on the Internal and DMZ networks

On a different tangent, the biggest threat of such a setup is the threat from inside: the sysadmins. The sysadmins, at the flick of a switch (setting), are able to turn up/down ports on either network and bridge the network segments, thus bypassing commonly established security practices. Do you trust your sysadmins that much? This is typically not possible with a physical layer separating them, where typically a network/security team oversees the port allocation for new servers.

It's best if all DMZ servers are stacked on a separate VM Host and all the protected network servers are stacked on a different VM Host.

Hope this helps,
- S
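The concern raised in this exchange is that a guest on a host with NICs in both the DMZ and the internal network could end up dual-homed, or attached to the host's management segment, and silently bridge trust zones. The following is an added audit example, not code from the thread or from any particular hypervisor vendor: it walks a constructed inventory of (host, guest, vNIC, port group) records, maps port groups to trust zones, and reports guests whose vNICs span more than one zone or touch the management network. The inventory, the port-group names and the zone mapping are assumptions for illustration; in practice the records would be pulled from the hypervisor's API or a configuration export.

```python
# Added audit example (not from the mailing-list thread): detects VM guests
# that bridge the DMZ and internal segments, or that sit on the host
# management network, so the "sysadmin added a second NIC" case is caught
# by a scheduled check rather than by luck.

from collections import defaultdict

# Constructed inventory: (host, guest, vnic, port_group). Hypothetical
# names; a real run would read these from the hypervisor's API.
INVENTORY = [
    ("vmhost01", "web01", "vnic0", "pg-dmz"),
    ("vmhost01", "web02", "vnic0", "pg-dmz"),
    ("vmhost01", "app01", "vnic0", "pg-internal"),
    ("vmhost01", "app01", "vnic1", "pg-dmz"),       # dual-homed: bridges zones
    ("vmhost01", "db01",  "vnic0", "pg-internal"),
    ("vmhost01", "db01",  "vnic1", "pg-mgmt"),      # guest on host management net
    ("vmhost01", "tmp01", "vnic0", "pg-scratch"),   # port group nobody classified
]

# Assumed mapping of port groups to trust zones; anything not listed is
# reported as unclassified so it cannot hide a bridge.
ZONE_OF_PORT_GROUP = {
    "pg-dmz": "dmz",
    "pg-internal": "internal",
    "pg-mgmt": "management",
}

GUEST_ZONES = {"dmz", "internal"}


def zones_per_guest(inventory):
    """Map (host, guest) -> set of zones its vNICs are attached to."""
    zones = defaultdict(set)
    for host, guest, _vnic, pg in inventory:
        zones[(host, guest)].add(ZONE_OF_PORT_GROUP.get(pg, "unclassified"))
    return zones


def find_bridging_guests(inventory):
    """Guests attached to more than one guest-facing zone (dmz and internal)."""
    findings = []
    for (host, guest), zones in sorted(zones_per_guest(inventory).items()):
        spanned = zones & GUEST_ZONES
        if len(spanned) > 1:
            findings.append((host, guest, tuple(sorted(spanned))))
    return findings


def find_guests_on_management(inventory):
    """Guests with any vNIC on the host management port group."""
    return sorted(
        (host, guest)
        for (host, guest), zones in zones_per_guest(inventory).items()
        if "management" in zones
    )


def find_unclassified_port_groups(inventory):
    """Port groups not in the zone map: must be classified before trusting the audit."""
    return sorted({pg for _h, _g, _v, pg in inventory if pg not in ZONE_OF_PORT_GROUP})


if __name__ == "__main__":
    for host, guest, zones in find_bridging_guests(INVENTORY):
        print(f"BRIDGE   {host}/{guest} spans {' + '.join(zones)}")
    for host, guest in find_guests_on_management(INVENTORY):
        print(f"MGMT     {host}/{guest} has a vNIC on the management network")
    for pg in find_unclassified_port_groups(INVENTORY):
        print(f"UNKNOWN  port group {pg} is not mapped to a zone")
```

Running the script on the embedded inventory reports app01 as bridging dmz and internal, db01 as reaching the management network, and pg-scratch as an unclassified port group. The unclassified check matters as much as the bridge check: a port group that is never classified is exactly where an unnoticed second NIC would land.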
Current thread:
- Re: Re: VM Host with guests on the Internal and DMZ networks securinet2004 (Jul 17)
- <Possible follow-ups>
- Re: Re: Re: VM Host with guests on the Internal and DMZ networks ssk_outlaw (Jul 20)
- RE: Re: Re: VM Host with guests on the Internal and DMZ networks Rob McShinsky (Jul 20)