Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Firewalls
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: VMWARE/DMZ Question

from [Goran Pizent] Network Security [Permanent Link]
Subject: RE: VMWARE/DMZ Question
Date: Fri, 22 Jul 2005 10:18:46 +0200 
Hello Richard,

If I understand well: you have DMZ VMWare images running on non-DMZ machine.

The problem is potential break in into the DMZ VMWare machine, and usage of
the currently unknown exploit on the VMWare process (from the OS within the
image) that could lead to the privilege escalation and potential break into
the internal network.

The attacker can find out is he/she on the virtual machine with almost one
CPU instruction (http://www.invisiblethings.org/papers/redpill.html). With
this knowledge and potential exploit of VMWare attacker could get into
internal network.

In this scenario the best thing for you to do is to put all VMWare images on
one physical machine that has access only to DMZ and run VMWare images on
that machine.

However, the best thing could be impossible for your organization, so all
you can do is to run VMWare under some extremely low privileged account that
have no access to the internal network and minimal rights on the physical
machine. And don't forget to closely monitor activities of that account on
the local machine and on the both networks.

I recommend you also to read the following document:
http://www.cs.nps.navy.mil/people/faculty/irvine/publications/2000/VMM-useni
x00-0611.pdf


My 2c

Goran

goran.pizent@ekobit.hr
Ekobit d.o.o (http://www.ekobit.hr)



-----Original Message-----
From: Richard St John [mailto:Richard.StJohn@gbe.com] 
Sent: Thursday, July 21, 2005 10:39 PM
To: firewalls@securityfocus.com
Subject: VMWARE/DMZ Question

Hello List,

This is not necessarily a firewall question, but would like opinions.

One of our managers would like to take a server running VMWARE and
connect it to our DMZ and assigning specific OSs to the DMZ NIC. Not bad
so far, 8 or 9 servers running through one NIC on our DMZ.

The hmmmm part of the problem is the servers he wants to use already
have another NIC on our internal server network and is running 2 or 3
servers.

So essentially he is asking to put the same server on our internal
network and our DMZ, using VMWARE which he assures me cannot be
compromised in such a way that the compromised OS can see the NIC card
it is not assigned to see. The installed OS for each VMWARE section can
only see what it is assigned to see and cannot see the rest of the
machine(s) and hardware.

Having not worked with VMWARE as much as I would like to, can someone
see any issues with this, confirm it works securely, or confirms it
fails miserably.

I am leery about it because I have one machine on two networks that
essentially traverse the firewall. Is VMWARE secure enough to do this?

Thought, comments, suggestions

Richard St. John
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: RE: PIX encryption interface, joekim13
Next by Date:  Re: VMWARE/DMZ Question, Robert Hajime Lanning
Previous by Thread:  VMWARE/DMZ Question, Richard St John
Next by Thread:  Re: VMWARE/DMZ Question, Robert Hajime Lanning
Indexes:  [Date] [Thread] [Top] [All Lists]