
| Subject: | Re: VMware ESX |
|---|---|
| Date: | Tue, 22 Apr 2008 10:52:24 -0600 |
There was a thread on this quite a few months back: http://www.derkeiler.com/Mailing-Lists/securityfocus/security-basics/2007-06/msg00083.html

This was on VMware Server vs ESX, 2 separate beasts, but may shed some light on what others have said on this in the past.

A good writeup from VMware on ESX security is here: http://www.vmware.com/pdf/vi3_security_architecture_wp.pdf

So one argument is they compromise a host on the DMZ, next they have to compromise vmtools, next the VMM, and then maybe get back into the VMkernel. OK, maybe possible, a lot of what ifs so far from what I've seen, but maybe possible.

The idea that they can get back into the backend SAN from the VM is probably not going to happen. I guess it could if you have the VM set up in such a way that it has access into the SAN to start with. But by default, it is set up as a vmdk file on that SAN; all interaction with that file is outside of the VM. The VM itself can't see the SAN, it only sees its file. Basically the VM knows nothing of the SAN, so not sure how one could access the SAN via the VM.

One misconception is that ESX is a stripped down Linux. ESX is its own OS; it has a front end that interacts with ESX, and that front end is a stripped down Linux. I believe 50%+ of the patches for ESX are actually patches to the Linux side of things. As mentioned by someone else, ESX 3i gets rid of the Linux side of things, so one less avenue of attack there. But to attack the Service Console (the Linux side of things), you'd have to have access to the network that the SC resides on. Best practice would be to put the SC on a locked down network of its own, not accessible from the rest of your network, but only select machines. By doing this you'd mitigate most, if not all, SC vulnerabilities.

Now what about vSwitches, VLAN tagging, etc. Supposedly the vSwitches are completely isolated. So the DMZ vSwitch has no access to the Private vSwitch or the other vSwitches.

All traffic that is on the DMZ vSwitch may be able to be seen by someone who compromises a machine on your DMZ. By default Promiscuous mode for any NIC is turned off when you set up the VM, but they could do ARP Poisoning or anything else that they could do on a physical server once they had access, maybe try VLAN hopping. How much they could see of what is flowing through the vSwitch with this attack I don't know.

Now back to VLAN tagging. Do you want to run your DMZ traffic along with your other traffic? This goes back to how secure, or unsecure, anyone can prove the vSwitches are. If you are worried that someone may be able to get from a vSwitch, through there, to the ESX host, to actually see all the traffic on the physical NIC, then separate out your DMZ traffic to a separate NIC at least.

More on vSwitches and ESX networking concepts: http://www.vmware.com/files/pdf/virtual_networking_concepts.pdf

VMotion issue, again network security and your initial infrastructure setup apply here: http://blog.scottlowe.org/2008/03/05/vmotion-and-vlan-security/ Again, this goes back to initial setup and best practices: how were they able to get to where they had access to the VMotion network in the first place?

A writeup on many VMs out there with issues they found: http://taviso.decsystem.org/virtsec.pdf

There are a lot of what ifs out there and it comes down to what is "secure enough" for you. If you want it 100% secure, unplug it from the network, otherwise someone will eventually find a way into it. I know some companies have gone down the road of setting up a set of ESX hosts specifically for their DMZ, where others have theirs intermixed. To date I've not seen anything that would allow someone to compromise the VM and get to the Host or other isolated VMs from there, but as noted by others, it is software, so there may be bugs in it that have yet to be found that will eventually allow that. Again, it comes down to what is "secure enough" for your environment.

Good luck.
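The isolation practices the post recommends (promiscuous mode off on the vSwitch, DMZ traffic on its own physical NIC, the Service Console alone on a locked-down network) can be checked mechanically against a host's virtual networking layout. This is an added example, not code from the post or from VMware; the inventory dictionary format and the two sample hosts are constructed for illustration and are not an ESX CLI or API format.

```python
"""Audit an ESX host's virtual networking layout for the isolation
practices discussed above.  The inventory format is an assumption made
for this example (not an ESX CLI or API format); both hosts below are
constructed sample data."""

PROMISC_ON = "promiscuous mode enabled on vSwitch %s"
SHARED_UPLINK = "DMZ vSwitch %s shares uplink %s with vSwitch %s"
SC_NOT_ISOLATED = "Service Console shares vSwitch %s with port group %s"

def audit_host(vswitches):
    """Return a list of finding strings; empty means the layout follows
    the three practices (promiscuous off, DMZ NIC not shared, SC alone)."""
    findings = []
    uplink_owner = {}           # physical NIC -> vSwitches using it
    for name, sw in vswitches.items():
        if sw["policy"].get("promiscuous", False):
            findings.append(PROMISC_ON % name)
        for nic in sw["uplinks"]:
            uplink_owner.setdefault(nic, []).append(name)
    # A DMZ vSwitch must not share a physical NIC with any other vSwitch,
    # otherwise DMZ and internal frames cross the same wire into the host.
    for name, sw in vswitches.items():
        if not sw.get("dmz"):
            continue
        for nic in sw["uplinks"]:
            for other in uplink_owner[nic]:
                if other != name:
                    findings.append(SHARED_UPLINK % (name, nic, other))
    # The Service Console port group should be alone on its vSwitch so
    # only the dedicated management network can reach it.
    for name, sw in vswitches.items():
        if "Service Console" in sw["portgroups"]:
            for pg in sw["portgroups"]:
                if pg != "Service Console":
                    findings.append(SC_NOT_ISOLATED % (name, pg))
    return findings

# Constructed sample: one NIC per role, SC isolated, promiscuous off.
GOOD_HOST = {
    "vSwitch0": {"uplinks": ["vmnic0"], "portgroups": ["Service Console"],
                 "policy": {"promiscuous": False}},
    "vSwitch1": {"uplinks": ["vmnic1"], "portgroups": ["Private"],
                 "policy": {"promiscuous": False}},
    "vSwitch2": {"uplinks": ["vmnic2"], "portgroups": ["DMZ"],
                 "policy": {"promiscuous": False}, "dmz": True},
}
# Constructed sample: DMZ shares vmnic0 with the SC switch, VMotion sits
# next to the SC, and promiscuous mode is on for the DMZ vSwitch.
BAD_HOST = {
    "vSwitch0": {"uplinks": ["vmnic0"],
                 "portgroups": ["Service Console", "VMotion"],
                 "policy": {"promiscuous": False}},
    "vSwitch1": {"uplinks": ["vmnic0", "vmnic1"], "portgroups": ["DMZ"],
                 "policy": {"promiscuous": True}, "dmz": True},
}

if __name__ == "__main__":
    for line in audit_host(BAD_HOST):
        print(line)
```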