Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: VMware ESX

from [Robert Taylor] Network Security [Permanent Link]
Subject: Re: VMware ESX
Date: Mon, 21 Apr 2008 17:45:06 -0400 
While it sounds like a compelling thing to do sometimes, I personally 
think it's a bad idea. You need to ask youself why are the machines in 
the DMZ in the first place. I'm assuming,

1. To help keep them from being compromised. 
2. To limit access if they get compromised.

If hackers can compromise and then somehow break out of the virtual 
machine, they may be able to then connect to an internal network, or 
compromise some of the other VM's on the ESX box. 

Also, they recommend installing vmware-tools on VM's in esx, which 
uses some side-channel communication between the VM and esx server. 
Find a way to compromise that, and you could possibly control the esx 
server itself. 

Esx isn't bulletproof. It's really a stripped down and highly tweaked 
linux, but it has security flaws as well. You need to keep it patched 
along with the OS's that run on it. If there is a bug in the NIC 
drivers on esx, that has potential to compromise the whole machine.

If you are using a san backend, if the esx box is compromised, hackers 
may have access to san resources as well. 

If you are intent on using ESX, I would setup a entirely separate 
environment for dmz servers. I just think there are too many places 
where things can go bad. 

rgt


----- Original Message -----
From: "Paul Heywood" <Paul.Heywood@unitypartnership.com>
Date: Monday, April 21, 2008 8:23 am
Subject: VMware ESX


Hi forum,

we've got a VMware ESX group of servers running on the inside of 
our network. Our server team want to extend this to include some 
DMZ servers. How vulnerable would this leave the internal network 
? Am I correct in thinking that if the VMware cluster was hacked, 
this would give them access to the internal network



**********************************************************************

The information in this e-mail is confidential and may be legally 
privileged.It is intended solely for the addressee. Access to this 
email by anyone else 
is unauthorised. If you have received it in error, please notify 
us immediately 
by replying to this e-mail and then delete it from your system.

This note confirms that this email message has been swept for the 
presence of
computer viruses, however we advise that in keeping with good IT 
practice the 
recipient should ensure that the e-mail together with any 
attachments are virus 
free by running a virus scan themselves.  We cannot accept any 
responsibility for
any damage or loss caused by software viruses. 

The Unity Partnership Ltd, registered in England at West Hall, 
Parvis Road, West Byfleet, Surrey UK KT14 6EZ. 
Registered No : 5916336.  VAT No : 903761336.


**********************************************************************
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: HTTP tunneling to bypass proxy filter, Brandon Louder
Next by Date:  Re: VMware ESX, Captain Quirk
Previous by Thread:  Re: VMware ESX, Kurt Buff
Next by Thread:  RE: VMware ESX, Yahsodhan Deshpande
Indexes:  [Date] [Thread] [Top] [All Lists]