Security Basics mailing list archives

Re: VM Host with guests on the Internal and DMZ networks


From: "Jason Ross" <algorythm () gmail com>
Date: Tue, 12 Jun 2007 12:51:16 -0400

On 6/11/07, Megan Kielman <megan.kielman () gmail com> wrote:
> Security Folks,
>
> We want to have a VMWare host (VMWare Server) that has guest systems
> on the DMZ and Internal LAN. To accomplish this the host would have
> two interfaces, one on each network. Is this a really bad idea from
> a security perspective?

Probably, but it really depends on a lot of things, some of which
include:

  * your policies regarding hosts being dual homed to different
    trust zones
  * the VMWare host OS/device

Perhaps the best way to answer that question would be to leave VMWare
out of it and ask yourself whether you would allow any other host to
have an interface in the DMZ and internal LAN.


> What are some ways to mitigate the risks?

It sounds like you're planning on installing VMWare on a host (as
opposed to a VMWare supplied device, etc.). If that's the case,
it would likely be a good idea to select an OS which offers robust and
flexible routing/firewall/logging configurations, so that you could properly
separate traffic on the host OS.

Alternatively, it may make sense to simply put some form of a dedicated
firewall appliance in front of the VMWare host and connect to that ...

Either way, it would probably be wise to ensure logging on the host was
properly configured and reviewed, but these are things which should
be determined by your own company (or personal) policies.

My 2 bits =)

--
jason
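As an added example (not part of the original thread), the following Python model shows what "properly separate traffic on the host OS" and "ensure logging is configured" can mean for a dual-homed host like the one Megan describes. It assumes a Linux host with eth0 on the DMZ and eth1 on the internal LAN (both interface names and the management port are constructed assumptions), with IP forwarding disabled. The model evaluates sample flows against an nftables-style ruleset, audits that no traffic can cross between zones through the host or reach the host from the DMZ without being logged and dropped, and renders the equivalent nftables syntax.

```python
from dataclasses import dataclass
from typing import Optional, List, Tuple

# Constructed assumptions: eth0 is bridged to the DMZ, eth1 to the internal LAN.
DMZ = "eth0"
INTERNAL = "eth1"


@dataclass(frozen=True)
class Flow:
    in_if: str
    out_if: Optional[str]   # None means the packet is addressed to the host itself
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    chain: str              # "input" (to the host) or "forward" (through the host)
    in_if: Optional[str]
    out_if: Optional[str]
    proto: Optional[str]
    dport: Optional[int]
    action: str             # "accept" or "drop"
    log: bool = False

    def matches(self, flow: Flow) -> bool:
        # A None field is a wildcard, as in an nft rule that omits that match.
        return all((
            self.in_if is None or self.in_if == flow.in_if,
            self.out_if is None or self.out_if == flow.out_if,
            self.proto is None or self.proto == flow.proto,
            self.dport is None or self.dport == flow.dport,
        ))


# Hypothetical ruleset for the dual-homed host: management only from the
# internal side, everything else logged and dropped, and no routing at all.
RULESET = [
    Rule("input", INTERNAL, None, "tcp", 22, "accept"),         # SSH from internal LAN only
    Rule("input", None, None, None, None, "drop", log=True),    # any other traffic to the host
    Rule("forward", None, None, None, None, "drop", log=True),  # the host is not a router
]


def evaluate(flow: Flow, rules=RULESET) -> Tuple[str, bool]:
    """Return (action, logged) for a flow, first-match wins like a filter chain."""
    chain = "input" if flow.out_if is None else "forward"
    for rule in rules:
        if rule.chain == chain and rule.matches(flow):
            return rule.action, rule.log
    return "drop", False  # chain policy drop, but silent: the audit flags this


def audit(rules=RULESET) -> List[str]:
    """Return findings; an empty list means the zones are separated and logged."""
    findings = []
    probes = [("tcp", 22), ("tcp", 445), ("udp", 53), ("icmp", 0)]
    for src, dst in ((DMZ, INTERNAL), (INTERNAL, DMZ)):
        for proto, port in probes:
            action, logged = evaluate(Flow(src, dst, proto, port), rules)
            if action != "drop":
                findings.append(f"forward {src}->{dst} {proto}/{port} is {action}")
            elif not logged:
                findings.append(f"forward {src}->{dst} {proto}/{port} dropped silently")
    for proto, port in probes:
        action, logged = evaluate(Flow(DMZ, None, proto, port), rules)
        if action != "drop":
            findings.append(f"host reachable from DMZ on {proto}/{port}")
        elif not logged:
            findings.append(f"host traffic from DMZ {proto}/{port} dropped silently")
    return findings


def render_nft(rules=RULESET) -> str:
    """Render the model as an nftables ruleset (standard nft syntax, assumed names)."""
    lines = ["table inet vmhost {"]
    for chain in ("input", "forward"):
        lines.append(f"    chain {chain} {{")
        lines.append(f"        type filter hook {chain} priority 0; policy drop;")
        for r in rules:
            if r.chain != chain:
                continue
            parts = []
            if r.in_if:
                parts.append(f'iifname "{r.in_if}"')
            if r.out_if:
                parts.append(f'oifname "{r.out_if}"')
            if r.proto and r.dport is not None:
                parts.append(f"{r.proto} dport {r.dport}")
            elif r.proto:
                parts.append(f"meta l4proto {r.proto}")
            if r.log:
                parts.append(f'log prefix "{chain}-drop "')
            parts.append(r.action)
            lines.append("        " + " ".join(parts))
        lines.append("    }")
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_nft())
    print("audit findings:", audit() or "none")
```

The audit is the part worth keeping around: re-run it whenever the ruleset changes, so an accidental accept rule between the DMZ and internal interfaces, or a drop that no longer logs, shows up before the host goes back into service.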

