On 7/21/05, Richard St John <Richard.StJohn@gbe.com> wrote:
Hello List,
This is not necessarily a firewall question, but would like opinions.
One of our managers would like to take a server running VMWARE and
connect it to our DMZ and assigning specific OSs to the DMZ NIC. Not bad
so far, 8 or 9 servers running through one NIC on our DMZ.
The hmmmm part of the problem is the servers he wants to use already
have another NIC on our internal server network and is running 2 or 3
servers.
So essentially he is asking to put the same server on our internal
network and our DMZ, using VMWARE which he assures me cannot be
compromised in such a way that the compromised OS can see the NIC card
it is not assigned to see. The installed OS for each VMWARE section can
only see what it is assigned to see and cannot see the rest of the
machine(s) and hardware.
I can't remember any VMware issues in the recent past that involved a
guest breaking out in any fashion, but you can browse through the
bugtraq archives here.
http://groups-beta.google.com/groups?q=group:*bugtraq*+vmware&start=0&scoring=d&;
Having not worked with VMWARE as much as I would like to, can someone
see any issues with this, confirm it works securely, or confirms it
fails miserably.
I am leery about it because I have one machine on two networks that
essentially traverse the firewall. Is VMWARE secure enough to do this?
I would be less concerned about guests breaking out than I would a
guest being compromised, then compromising the host machine, thereby
owning your whole network. Whether the host OS is Windows or Linux,
you would definitely want to have the DMZ machines use a NIC that
isn't being used by the host OS for any purpose. This doesn't
guarantee it's secure from the guest machines, but it helps. I'd also
firewall it off from the guests. Better yet, don't give it an IP at
all, if that's possible (it isn't with Windows, AFAIK, is possible
with BSD so I'd assume it is with Linux as well). With Windows it can
be difficult to close off all services on an adapter, and with Windows
or Linux, even if you do have them locked down it's not too difficult
to accidentally get things turned back on.
Also last I checked (on Workstation though) all interfaces bridged to
a physical interface acted as a hub, i.e. if you can sniff on any
guest and pick up all the host's and other guests' network traffic.
Not a direct way to compromise anything, but definitely a step in the
right direction to compromising other machines (not that switches are
invulnerable to this either though, it's just a bit more
difficult...).
In short, no way would I do it. Too many possibilities for breaking
through into the LAN by compromising the host OS from a compromised
guest. You should never dual home anything like that (in an ideal
world).
This may all be moot if you're running ESX, but you didn't mention the
version and most server deployments use GSX. I've never used ESX, so
I'm not sure with it. I do use Workstation and GSX.
-Chris
