Re: ESX Vmware Physically connected to different segments

["Jeff Norem" <Jeff.Norem () hbfuller com>]

I have this exact same scenario going on currently.  My SE says that it
is a secure configuration.  I have read all the documents from VMWare
and I agree that if setup correctly, it is secure.  I am still
apprehensive around how an easy to make configuration mistake could open
up a whole between the DMZ and trusted network.  Or perhaps a bug in
VMWare.  Does anyone else have anything they can add to this question?



Jeff Norem, CISSP
Security Analyst/Engineer
HB Fuller Company

V-651-236-4112
C-612-203-0981
F-651-355-9220
CONFIDENTIALITY NOTICE:  This e-mail and any attached document(s) 
may contain confidential information which is legally protected.  
The information is intended only for the recipient(s) named.  
If you are not the intended recipient, you are hereby notified that 
any disclosure, copying, or distribution of this information except by

its direct delivery to the intended recipient is strictly prohibited. 

If you have received this transmission in error, 
please notify the sender immediately and delete this message.

> > > "Kurt Buff" <kurt.buff () gmail com> 1/25/2008 1:41 PM >>>
On Jan 24, 2008 1:41 PM, Albert R. Campa <abcampa () gmail com> wrote:
> We have some admins setting up some VMs on an ESX server and they
have
> the idea of setting up 1host server with multiple VMs and on some of
> these VMs they want physical NICs connected to our main LAN and
other
> VMs they want physical wires connected to a DMZ lan.
>
> Normally this would be almost bridging the two networks and bad
> practice overall. An explanation from an SA is that virtual switches
> are used on the ESX host and this seperates the physical connection
to
> our main LAN and this DMZ lan.
>
> This does not sound like good practice but is there documentation to
> back that up or in your experience have you been able to exploit
this
> type of configuration?

As long as it is set up correctly I think this would be fine.

However, part of "correctly", AFAIAC, is that both subnets are in the
same security domain - that is, if one is trusted, the other must be
as well. I would *never* put, for instance, a guest OS in a DMZ subnet
if the other guests are in a trusted subnet.

Kurt

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads 
------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------