Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: ESX Vmware Physically connected to different segments

from [Shenk, Jerry A] Network Security [Permanent Link]
Subject: RE: ESX Vmware Physically connected to different segments
Date: Mon, 28 Jan 2008 12:17:51 -0500 
You're absolutely right ....it is thought to be secure today...just like
VLANs where before "vlan hopping" became an issue...and as they are now
that the vlan hopping has basically been solved.

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Jeff Norem
Sent: Monday, January 28, 2008 10:09 AM
To: Albert R. Campa; Kurt Buff
Cc: pen-test@securityfocus.com
Subject: Re: ESX Vmware Physically connected to different segments

I have this exact same scenario going on currently.  My SE says that it
is a secure configuration.  I have read all the documents from VMWare
and I agree that if setup correctly, it is secure.  I am still
apprehensive around how an easy to make configuration mistake could open
up a whole between the DMZ and trusted network.  Or perhaps a bug in
VMWare.  Does anyone else have anything they can add to this question?



Jeff Norem, CISSP
Security Analyst/Engineer
HB Fuller Company

V-651-236-4112
C-612-203-0981
F-651-355-9220
CONFIDENTIALITY NOTICE:  This e-mail and any attached document(s) 
may contain confidential information which is legally protected.  
The information is intended only for the recipient(s) named.  
If you are not the intended recipient, you are hereby notified that 
any disclosure, copying, or distribution of this information except by

its direct delivery to the intended recipient is strictly prohibited. 

If you have received this transmission in error, 
please notify the sender immediately and delete this message.


"Kurt Buff" <kurt.buff@gmail.com> 1/25/2008 1:41 PM >>>

On Jan 24, 2008 1:41 PM, Albert R. Campa <abcampa@gmail.com> wrote:

We have some admins setting up some VMs on an ESX server and they

have

the idea of setting up 1host server with multiple VMs and on some of
these VMs they want physical NICs connected to our main LAN and

other

VMs they want physical wires connected to a DMZ lan.

Normally this would be almost bridging the two networks and bad
practice overall. An explanation from an SA is that virtual switches
are used on the ESX host and this seperates the physical connection

to

our main LAN and this DMZ lan.

This does not sound like good practice but is there documentation to
back that up or in your experience have you been able to exploit

this

type of configuration?


As long as it is set up correctly I think this would be fine.

However, part of "correctly", AFAIAC, is that both subnets are in the
same security domain - that is, if one is trusted, the other must be
as well. I would *never* put, for instance, a guest OS in a DMZ subnet
if the other guests are in a trusted subnet.

Kurt

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads 
------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------


**DISCLAIMER
This e-mail message and any files transmitted with it are intended for the use 
of the individual or entity to which they are addressed and may contain 
information that is privileged, proprietary and confidential. If you are not 
the intended recipient, you may not use, copy or disclose to anyone the message 
or any information contained in the message. If you have received this 
communication in error, please notify the sender and delete this e-mail 
message. The contents do not represent the opinion of D&E except to the extent 
that it relates to their official business.

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Faxing and PCI DSS compliance, Dennis Opacki
Next by Date:  RE: ESX Vmware Physically connected to different segments, Derek Chamorro
Previous by Thread:  Re: ESX Vmware Physically connected to different segments, Jeff Norem
Next by Thread:  RE: ESX Vmware Physically connected to different segments, Loupe, Jeffrey J
Indexes:  [Date] [Thread] [Top] [All Lists]