vswitches: physical networks obsolete?

[phocean <0x90 () phocean net>]

Hi all,

I would like to get some feedback about the vswitches and how to deal
with physical network separation.
I have an idea about this but I would like to know the consensus of the
security community to feel more confortable with it.

There is a great article summing up the possible architectures:
http://bradhedlund.com/2010/02/10/vswitch-illusion-dmz-virtualization/

However, Brad carefully doesn't take position on whether physical
separation of the DMZ is still a necessity.
Somehow, as a Cisco employee, he may not be able to...

He just mentions how vswitches are equivalent to VLAN on a physical
switches and that the multiple vswitches on ESX are just an GUI illusion
of physical separation. It is exactly the same code running in memory
whether there is one or an infinite number of vswitches.

Within the comments, one guy says physical networks are obsolete, but
without stuff to support it.

Personally, I am still convinced it is necessary and want to keep it
like this :
Internet--|FW|--[ESX/Nexus for DMZ]---|FW|---[ESX/Nexus for Secured LAN]

I just can't trust the code and the idea of a single exploit
compromising a whole datacenter is just frightening.

I remember a black hat presentation that showed many ways to compromise
the host.
On the other hand, I couldn't find any good specifications or
architecture documents from the editors describing their software
design.
It would be great to know what protections are in place to make exploits
harder (memory management design, NX, randomization, MAC)...

In short, what is your stake on it? Is physical networking obsolete and
what can prove it is?

Regards,
- phocean


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/