Re: VMWare and Security

From: Rik Bobbaers (Rik.Bobbaers_at_cc.kuleuven.ac.be)
Date: 04/26/05

  • Next message: Kelly Martin: "SF new column announcement: Security for the Paranoid"
    To: security-basics@securityfocus.com
    Date: Tue, 26 Apr 2005 15:08:37 +0200
    
    

    On Monday 25 April 2005 12:12, P.B. Wagenaar wrote:
    > As far as I know, ESX uses its own OS and does not run on top of Windows
    > i.e. (GSX is the version that runs on a host layer).
    >
    > So the ESX version uses its own virtualization layer. This could be
    > considered to be an Operating System right? And there are no security issues
    > with this? What if someone starts writing an exploit for the ESX
    > virtualization layer? Like a malformed TCP packet? The virtual machine (ie.
    > Windows server 2003) might have no problems with the malformed packet, but
    > it passes through the virtualization layer first. I am not saying that
    > there is something wrong with this approach or that is less secure or
    > whatever. I am just asking if all operating systems have had security
    > related bugs, what are the chances the ESX has to go through this cycle
    > also? And how would a security issue in the virtualization layer affect the
    > virtual machines running on it?
    >
    > Once again, vmware is a great product in my eyes, and I can not see
    > anything that is wrong with it not being secure or something. But if
    > you can consider ESX to be an OS (like linux and windows), and most OS have
    > had security issues at one time or another, how should an organization
    > treat a new OS like ESX?

    let's put it different...

    ESX is a RedHat linux which is tuned by the vmware people...

    but what do the vmware people do to improve security on ESX?

    i think esx 2.5 still runs kernel 2.6.5 (iirc).

    i'd like to add another question... what's the advantage of ESX to GSX?
    (maintenance of a linux machine is peanuts, so that doesn't count ;))

    -- 
    harry
    aka Rik Bobbaers
    K.U.Leuven - LUDIT             -=- Tel: +32 485 52 71 50
    Rik.Bobbaers@cc.kuleuven.ac.be -=- http://harry.ulyssis.org
    ASCII stupid question, get a stupid ANSI!
    
