[fw-wiz] VMware (or else) in different areas/dmz

From: Siebenkaes Stefan (Stefan.Siebenkaes@itellium.com)
Date: 01/28/03

From: Siebenkaes Stefan <Stefan.Siebenkaes@itellium.com>
To: "'firewall-wizards@honor.icsalabs.com'" <firewall-wizards@honor.icsalabs.com>
Date: Tue Jan 28 10:29:03 2003

Hello *,

we run a complex environment with a couple of firewalls.
The question, that arose:

There's need to deliver cheap services in different DMZ, zones,
LAN, outside, inside, everywehre.
A solution for that is to buy a power machine, install VMware (ESX, GSX)
on it and run 20 or 30 virtual machines on that thing. Works great,
I have to admit.
But now, "they" begin to intermix the zones, the VMware-machine
is inside (LAN) and services 4 webservers in different zones, some
mail-gateways and so on. So physically the different zones are now
connected. Logically, they are separated, because there's no (known!?)

From the money and the features, this is a great thing.
From security aspects, my sweat runs cold and I hardly find
some sleep :-)

What about your opinions on that?
Does anybody run virtual machines in DIFFERENT zones?
Are there any known security issues (besides bad configuration) on
communication between virtual machines on VMWare or comparable


Stefan Siebenkaes
Systemingenieur Security
Architecture & Platforms