Security Basics mailing list archives

RE: VM Host with guests on the Internal and DMZ networks


From: "Rob McShinsky" <Rob () McShinsky com>
Date: Tue, 12 Jun 2007 13:20:02 -0400

Not sure about VMWare, but in Microsoft Virtual Server 2005 we do this on a
few of our Virtual Hosts.

All you really need is a dedicated NIC on the Host system that is connected
to the DMZ (VLAN).  Make sure that TCP/IP, File and Print Sharing and Client
for Microsoft Networks are unchecked.  The only thing that should be left
checked for this adapter should be Virtual Machine Network Services or
whatever VMWare calls their network service. This will ensure that the NIC
is isolated only to the VM layer and not to the Host OS. This holds true for
other NICs too that may be connected to other subnets. Our rule is, anything
used for guest traffic should only have the Virtual Machine Network Services
selected.  Barring any discovered vulnerability in the VM Network Service,
this should segregate your guest traffic from direct access to the Host OS.
Then on another NIC do the opposite. Uncheck the Virtual Machine Network
Services.  This NIC will be used to connect to your Host for management and
host operation.

That's how we do it and I believe this follows the Microsoft recommended
procedure.

Rob McShinsky
http://VirtuallyAware.spaces.live.com
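One way to audit the binding rule Rob describes (guest-traffic NICs bound only to the VM network service, the management NIC bound to everything except it) on a current Windows host, as an added example that is not part of the post or of Virtual Server 2005: it relies on Get-NetAdapterBinding, which exists from Windows Server 2012 onward, and the adapter names and the $VmServiceId component ID are assumptions you must set for your own hypervisor.

```powershell
# Added example: check NIC bindings against the guest/management split above.
# Guest-facing NICs should have only the VM network service bound;
# the management NIC should have everything but that service.
# ASSUMPTIONS: Windows Server 2012+ (Get-NetAdapterBinding); adapter names are
# constructed; the VM service component ID differs by product, so $VmServiceId
# is a placeholder (vms_pp is the Hyper-V virtual switch binding).
param(
    [string[]]$GuestAdapters = @('DMZ-VM', 'LAN-VM'),   # constructed names
    [string]$ManagementAdapter = 'Mgmt',               # constructed name
    [string]$VmServiceId = 'vms_pp'                    # ASSUMPTION: set for your product
)

function Test-AdapterBindings {
    param([string]$Name, [bool]$GuestFacing)
    # Every binding (TCP/IP = ms_tcpip, File and Printer Sharing = ms_server,
    # Client for Microsoft Networks = ms_msclient, ...) with its Enabled state.
    $bindings = Get-NetAdapterBinding -Name $Name -ErrorAction Stop
    $findings = @()
    foreach ($b in $bindings) {
        $isVmService = $b.ComponentID -eq $VmServiceId
        if ($GuestFacing) {
            # Guest-traffic NIC: only the VM service may remain checked.
            if ($b.Enabled -and -not $isVmService) {
                $findings += "$Name : '$($b.DisplayName)' is bound but must be unchecked"
            } elseif (-not $b.Enabled -and $isVmService) {
                $findings += "$Name : VM network service is not bound"
            }
        } elseif ($b.Enabled -and $isVmService) {
            # Management NIC: the VM service must not be bound at all.
            $findings += "$Name : VM network service must be unchecked on the management NIC"
        }
    }
    return $findings
}

$results = @()
foreach ($a in $GuestAdapters) {
    $results += Test-AdapterBindings -Name $a -GuestFacing $true
}
$results += Test-AdapterBindings -Name $ManagementAdapter -GuestFacing $false

if ($results.Count -eq 0) {
    Write-Output 'OK: NIC bindings match the guest/management split.'
} else {
    $results | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run it as an administrator after any host NIC or driver change; a non-zero exit means a host-side protocol has crept back onto a guest-facing adapter or the VM service is bound to the management NIC.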

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Megan Kielman
Sent: Monday, June 11, 2007 12:42 PM
To: security-basics () securityfocus com
Subject: VM Host with guests on the Internal and DMZ networks

Security Folks,

We want to have a VMWare host (VMWare Server) that has guest systems on the
DMZ and Internal LAN. To accomplish this the host would have two interfaces,
one on each network. Is this a really bad idea from a security perspective?
What are some ways to mitigate the risks?

Thanks!
Megan
