Re: ESX Vmware Physically connected to different segments



Albert R. Campa wrote:
We have some admins setting up some VMs on an ESX server and they
have the idea of setting up 1 host server with multiple VMs and on
some of these VMs they want physical NICs connected to our main LAN
and other VMs they want physical wires connected to a DMZ lan.

Normally this would be almost bridging the two networks and bad practice overall. An explanation from an SA is that virtual switches are used on the ESX host and this separates the physical connection
to our main LAN and this DMZ LAN.

This does not sound like good practice but is there documentation to back that up or in your experience have you been able to exploit this
type of configuration?

I would consider this no better or worse than sharing a single
physical switch with VLANs in different domains - if the core OS could
be compromised, it would bridge across the security domains, but the
same would be true of a firewall device between the two (which is after
all convention) - apart from the fact that I doubt ESX is designed as a
security device.

I would be more concerned that the techniques for detecting that the
OS is inside an emulated (VMware) environment, and the extensions used
by the VMware tools, could be exploited to run code on the native CPU.
No direct reason to expect this is true, but similarly, no direct reason to believe it is impossible either.

David Howe
Senior SysCare Engineer

david.howe@xxxxxxxxxxxxxx
Office number: 0161 227 1010
Fax: 0161 227 1020

ANS group plc
Synergy House
Manchester Science Park
Manchester
M15 6SY
www.ansgroup.co.uk

The information contained in this communication from david.howe@xxxxxxxxxxxxxx is confidential and may be legally privileged. It is intended solely for use by pen-test@xxxxxxxxxxxxxxxxx and others authorised to receive it. If you are not pen-test@xxxxxxxxxxxxxxxxx you are hereby notified that any disclosure, copying, distribution or taking action in reliance of the contents of this information is strictly prohibited and may be unlawful.

ANS group plc 2007 - Privacy Policy - Registered Office is Synergy House, Manchester Science Park, Manchester, M15 6SY. Reg No. 3176761. (Registered in England & Wales)




