Security Basics mailing list archives

Re: VMware ESX


From: "Robert Taylor" <rgt () wi mit edu>
Date: Mon, 21 Apr 2008 17:45:06 -0400

While it sounds like a compelling thing to do sometimes, I personally 
think it's a bad idea. You need to ask yourself why the machines are in 
the DMZ in the first place. I'm assuming,

1. To help keep them from being compromised. 
2. To limit access if they get compromised.

If hackers can compromise and then somehow break out of the virtual 
machine, they may be able to then connect to an internal network, or 
compromise some of the other VMs on the ESX box. 

Also, they recommend installing vmware-tools on VMs in esx, which 
uses some side-channel communication between the VM and esx server. 
Find a way to compromise that, and you could possibly control the esx 
server itself. 

Esx isn't bulletproof. It's really a stripped down and highly tweaked 
linux, but it has security flaws as well. You need to keep it patched 
along with the OSes that run on it. If there is a bug in the NIC 
drivers on esx, that has potential to compromise the whole machine.

If you are using a san backend, if the esx box is compromised, hackers 
may have access to san resources as well. 

If you are intent on using ESX, I would set up an entirely separate 
environment for dmz servers. I just think there are too many places 
where things can go bad. 

rgt


----- Original Message -----
From: "Paul Heywood" <Paul.Heywood () unitypartnership com>
Date: Monday, April 21, 2008 8:23 am
Subject: VMware ESX

Hi forum,

we've got a VMware ESX group of servers running on the inside of 
our network. Our server team want to extend this to include some 
DMZ servers. How vulnerable would this leave the internal network? 
Am I correct in thinking that if the VMware cluster was hacked, 
this would give them access to the internal network?

