Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Re: ESX Vmware Physically connected to different segments

From: Dave Howe <David.Howe () ansgroup co uk>
Date: Wed, 30 Jan 2008 08:29:14 +0000
David M. Zendzian wrote:

Just the fact that we mix customers in a virtual environment creates a
similar risk. We aren't able to offer a dedicated host for every
customer who wants a virtual environment, that would defeat the purpose
of virtualization.

Maybe I missed part of the earlier discussion, and I'm always ready to
look at other ways of approaching the problem. Other than dedicated
hosts for each customer, what would you suggest a basic design be to
provide what you are describing?


That's fine (well, its not fine, but its understandable; customers know
what they are buying, and it isn't a dedicated machine for themselves in
its own VLAN; if they want that, they can pay you more and GET that)

   As long as you assume that machines on the shared ESX server are no
more or less secure than accounts on the *same* server separated by use
of chroot, then you can give a customer (Or potential customer) a
realistic estimate of the security he is buying. He isn't getting the
same level of security he would get from a dedicated machine, but he
isn't PAYING for that, so he has to live with what the product he buys
provides. As long as everyone knows that up front, I don't see how they
have grounds for complaint.


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: