I can tell you that te NSA has tested scenarios like this before. There was
no way of compromise unless ir was through the network. I would not connect
the console NIC (eth0) to your DMZ ever.
Do note that I am a VCP, and have deployed over 50 VMware ESX hosts in
multiple different environments. I am yet to see any security related
issues that were not cuased by a mis-configuration within the guest OS, and
that the attacks were only successfull through the network (none through the
software layer of ESX).
Chris
----- Original Message -----
From: "Richard St John" <Richard.StJohn@gbe.com>
To: <firewalls@securityfocus.com>
Sent: Thursday, July 21, 2005 1:38 PM
Subject: VMWARE/DMZ Question
Hello List,
This is not necessarily a firewall question, but would like opinions.
One of our managers would like to take a server running VMWARE and
connect it to our DMZ and assigning specific OSs to the DMZ NIC. Not bad
so far, 8 or 9 servers running through one NIC on our DMZ.
The hmmmm part of the problem is the servers he wants to use already
have another NIC on our internal server network and is running 2 or 3
servers.
So essentially he is asking to put the same server on our internal
network and our DMZ, using VMWARE which he assures me cannot be
compromised in such a way that the compromised OS can see the NIC card
it is not assigned to see. The installed OS for each VMWARE section can
only see what it is assigned to see and cannot see the rest of the
machine(s) and hardware.
Having not worked with VMWARE as much as I would like to, can someone
see any issues with this, confirm it works securely, or confirms it
fails miserably.
I am leery about it because I have one machine on two networks that
essentially traverse the firewall. Is VMWARE secure enough to do this?
Thought, comments, suggestions
Richard St. John
