Educause Security Discussion mailing list archives

Re: Mixing Infrastructure and Research Systems in VMware ESX


From: David Auclair <d.auclair () UTORONTO CA>
Date: Thu, 9 Jul 2009 10:27:50 -0400

There have been some vulnerabilities (which were *very* promptly patched by VMware):
http://www.securityvibes.com/cloudburst-a-weaponsied-attack-on-the-cloud-benchai7-news-3003225.html

Even though that specific vulnerability was patched, it's still likely that there may be other vulnerabilities lurking.
I'd recommend keeping critical infrastructure and research systems in separate pools.

The other issue (which you mentioned) is fair resource allocation.  You need to prevent users from DoSing your critical 
systems by means of resource exhaustion.

Regards,
David Auclair
Computer Security Administration
Computing and Networking Services
University of Toronto


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David Carver
Sent: Thursday, July 09, 2009 9:50 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Mixing Infrastructure and Research Systems in VMware ESX

Hi Folks,

We have an established single-cluster VMware ESX environment which is home to numerous production infrastructure 
servers. We're looking at the possibility of virtualizing several faculty research systems on campus which we do not 
currently manage.

Does anybody have any experience in mixing both infrastructure and research systems in the same ESX cluster? I'm aware 
at a high level of our technical options (i.e., setting up separate resource pools and limiting user access), but I'm 
interested in knowing if there are any specific security concerns we should be aware of, what impact this has had on 
your overall VMware environment, and what kinds of general policies / guidelines / restrictions you've put in place.

Thanks,
Dave

--
David Carver
Systems Administrator
Franklin W. Olin College of Engineering

