Educause Security Discussion mailing list archives
Re: Securing VM servers
From: John Hoffoss <John.Hoffoss () CSU MNSCU EDU>
Date: Fri, 6 Jun 2008 17:06:46 -0500
On Thu, May 29, 2008 at 11:00 AM, Jeff Wolfe <wolfe () EMS PSU EDU> wrote:

> Jenkins, Matthew wrote:
>
>> Michael, we have two separate clusters here for a private DMZ (we don't have a true DMZ with real IPs, everything is natted here) and our 'production' servers (i.e. database servers, AD, internal applications, file servers, etc.). If a physical box interconnects two networks there is always a risk. Hence, if a vulnerability in VMWare were to allow someone to administratively add a second NIC to a VM host in a network that it should not have access to, the result could be that the VM host becomes a launch pad for an attack into the other network. For that reason we decided to separate our clusters. They do not share network resources or SAN space. Perhaps we are overly paranoid?

That's the general direction we're going. I have a hard time considering VMware [WS/GSX/ESX] as hardened and vetted given how new the space is. The same can be said for SANs, we think, though this is an area we have yet to really think on.

> I would encourage anyone evaluating VMWare's security to discuss their needs and situation with their VMWare SE. The security implications of running a guest on the free VMWare Server are considerably different than running a guest on ESX Server. The "exploits" posted earlier in this thread are against VMWare Server, which is a completely different animal from ESX.

Of course you should, but when you ask "are you secure?" what assurance do you have that VMware (or any other vendor) is being honest and has actually thoroughly tested their systems? How deeply have they thought about the exposure points where an attacker could leverage access to a hypervisor? Rather than blindly trust the vendor's response, I'll separate my zones of trust. I think you'd be kidding yourself if you thought there was no code sharing between Workstation, GSX and ESX, as well. I realize they are different, but I don't think they're *that* different.

> Maybe it makes sense to allow a multi-homed ESX cluster, or maybe it does not. In either case, nothing can substitute for a full risk analysis that includes experts from the vendor as well as your own staff.

Multi-homing ESX will present the same risks as multi-homing Windows Server, Solaris, or any other OS. You've bridged a gap that would otherwise be protected at multiple levels by varying technologies. You now have the potential for a single point of failure.

> For what it's worth, in my environment, we feel that ESX is up to the task, but your risks/needs are probably different from ours.

The appropriateness of the decision to allow multi-homing will depend on what other factors are present and where they are placed: IDS/IPS, file integrity monitoring, SEM, rights management and distribution, et cetera. I don't think there is any question that you could do this securely, but the amount of time and work that will go into testing that security initially and the energy into ongoing monitoring is higher. Christopher Hoff has a number of great posts [ http://rationalsecurity.typepad.com/ ] on the topic of virtualization security and I would highly recommend adding his blog to your RSS readers.

-jth

John T. Hoffoss, CISSP, GCIH
Information Security Specialist
Minnesota State Colleges and Universities
30 7th Street East, Suite 350
St. Paul, MN 55101
Email: john.hoffoss () csu mnscu edu
Office: 651.201.1453
Mobile: 612.867.1432
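The two bridging conditions the thread argues over (a host whose uplinks land in more than one trust zone, and SAN space shared by clusters in different zones), as an added inventory audit that is not part of the original thread. The cluster, host, uplink and datastore names are constructed, and the inventory layout is an assumption rather than the output of any VMware tool.

```python
# Added example: audit a constructed host/uplink/datastore inventory for the
# zone-bridging conditions discussed in the thread. Names and layout are assumed.

# Constructed: the trust zone each cluster is intended to live in.
CLUSTER_ZONE = {"dmz-cluster": "dmz", "prod-cluster": "production"}

# Constructed: cluster -> host -> list of (physical uplink, zone it is cabled to).
HOSTS = {
    "dmz-cluster": {
        "esx-dmz-01": [("vmnic0", "dmz"), ("vmnic1", "dmz")],
        "esx-dmz-02": [("vmnic0", "dmz"), ("vmnic1", "production")],  # bridges zones
    },
    "prod-cluster": {
        "esx-prod-01": [("vmnic0", "production"), ("vmnic1", "production")],
    },
}

# Constructed: datastore -> clusters that have it mounted.
DATASTORES = {
    "san-lun-dmz": ["dmz-cluster"],
    "san-lun-shared": ["dmz-cluster", "prod-cluster"],  # shared across zones
}


def multihomed_hosts(hosts=HOSTS):
    """Hosts whose uplinks touch more than one zone: the single point of
    bridging the thread warns about. Returns (cluster, host, zones) tuples."""
    found = []
    for cluster, members in hosts.items():
        for host, uplinks in members.items():
            zones = {zone for _, zone in uplinks}
            if len(zones) > 1:
                found.append((cluster, host, sorted(zones)))
    return found


def cross_zone_datastores(datastores=DATASTORES, cluster_zone=CLUSTER_ZONE):
    """Datastores mounted by clusters in different zones (shared SAN space).
    Returns (datastore, zones) tuples."""
    found = []
    for ds, clusters in datastores.items():
        zones = {cluster_zone[c] for c in clusters}
        if len(zones) > 1:
            found.append((ds, sorted(zones)))
    return found


if __name__ == "__main__":
    for item in multihomed_hosts():
        print("multi-homed host:", item)
    for item in cross_zone_datastores():
        print("cross-zone datastore:", item)
```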