Penetration Testing mailing list archives

Re: ESX Vmware Physically connected to different segments


From: Enno Rey <erey () ernw de>
Date: Fri, 25 Jan 2008 21:31:22 +0100

Hi,

back that up or in your experience have you been able to exploit this
type of configuration?

As long as it is set up correctly I think this would be fine.

However, part of "correctly", AFAIAC, is that both subnets are in the
same security domain - that is, if one is trusted, the other must be
as well.

but then... why should you segment at all... if the "security level" of the instances is the same?
the basis for segmentation (if not required per se per architecture guidance) usually is either different protection needs, different threat exposure or both.
if none of those applies, no need to segment.
if one of those applies, putting a trust boundary on a system like ESX, which has so many flaws and weaknesses as for memory isolation/protection and stuff, might be a bad idea...

my 0.02

thanks,

Enno



-- 
Enno Rey

Check out www.troopers08.org!


ERNW GmbH - Breslauer Str. 28 - 69124 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902
PGP FP 055F B3F3 FE9D 71DD C0D5  444E C611 033E 3296 1CC1

Commercial register Heidelberg: HRB 7135
Managing directors: Roland Fiege, Enno Rey
