RE: ESX Vmware Physically connected to different segments

["Loupe, Jeffrey J" <JLoupe () whitneybank com>]

I think you're missing my point on the comparison. You referenced an
exploit for Vmware workstation, but I don't think you can reasonably
argue that since vmware workstation was exploited, ESX will be exploited
in the same fashion, since they are two very different platforms. 

Look, we can go round and round on this, but it boils down to weather
this is secure or not. The fact is, if there is no way to exploit this
currently when properly configured, then it's secure. I mean, we could
argue that public key based encryption isn't secure because eventually
someone will find a way to easily factor large primes. That fact doesn't
mean that it's not being used, and the people using it feeling just fine
about its security right this moment.

-J





-----Original Message-----
From: Kurt Buff [mailto:kurt.buff () gmail com] 
Sent: Monday, January 28, 2008 3:46 PM
To: Loupe, Jeffrey J
Cc: Pen-Testing
Subject: Re: ESX Vmware Physically connected to different segments

Actually, yes I can compare them. They are both targets, and both will
be exploited at some point, probably sooner rather than later - I'd
guess before the end of the year, and if I were a betting man (I'm
not) I'd put money on it.

Shops that don't have the resources for a dedicated DMZ ESX host
should probably look into other technologies or approaches, such as
off-site hosting, instead. IMHO, of course.

And, shops that don't have the resources to have a dedicated DMZ ESX
host probably don't have the in-house talent to manage a ESX host
securely anyway, which further increases the risk.

Don't misconstrue my word, BTW - I *love* my ESX host. It's just that
misuse of any tool will hurt you in the long run.

Of course, I'd also love to hear firm recommendations from VMWare on
this matter as well

I invite any VMWare employees lurking on this list to publicly or
privately point me to papers recommending approaches on this subject,
either pro or contra, on this matter.

Kurt

On Jan 28, 2008 1:35 PM, Loupe, Jeffrey J <JLoupe () whitneybank com>
wrote:
> You really can't compare ESX with any of the workstation products, or
> vmware server, player, etc. Workstation was built with a certain level
> of interaction with the underlying OS assumed and desired, such as USB
> drive detection and the like. ESX was specifically designed to host
> virtual machines.
>
> Shops that don't have the resources for a dedicated DMZ ESX host can,
> with careful planning and administration, securely host virtual
machines
> on a DMZ and a trusted network. Shops that have the resources to have
a
> dedicated box should certainly consider that, since physically
separate
> is always more secure.
>
> -J
________________________________________________________________

Confidentiality Notice:

This E-Mail transmission (and/or the documents accompanying it)
may contain information belonging to the sender which is 
confidential, privileged and/or exempt from disclosure under 
applicable law.  The information is intended only for the use
of the individual(s) or entity named above.   If you are not
the intended recipient, you are hereby  notified that any
disclosure, copying, distribution or the taking of any action
in reliance on the contents of this information is strictly 
prohibited.  If you have received this E-Mail transmission 
in error, please immediately notify us by return E-Mail or 
telephone to arrange for return of its contents including any
documents.

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------