Re: VM Host with guests on the Internal and DMZ networks
- From: "Jason Ross" <algorythm@xxxxxxxxx>
- Date: Tue, 12 Jun 2007 12:51:16 -0400
On 6/11/07, Megan Kielman <megan.kielman@xxxxxxxxx> wrote:
Security Folks,
We want to have a VMWare host (VMWare Server) that has guest systems
on the DMZ and Internal LAN. To accomplish this the host would have
two interfaces, one on each network. Is this a really bad idea from
a security perspective?
Probably, but it really depends on a lot of things, some of which
include:
* your policies regarding on hosts being dual homed to different
trust zones
* the VMWare host OS/device
Perhaps the best way to answer that question would be to leave VMWare
out of it and ask yourself whether you would allow any other host to
have an interface in the DMZ and internal LAN.
What are some ways to mitigate the risks?
It sounds like you're planning on installing VMWare on a host (as
opposed to a VMWare supplied device, etc.). If that's the case,
it would likely be a good idea to select an OS which offers robust and
flexible routing/firewall/logging configurations, so that you could properly
seperate traffic on the host OS.
Alternatively, it may make sense to simply put some form of a dedicated
firewall appliance in front of the VMWare host and connect to that ...
Either way, it would probably be wise to ensure logging on the host was
properly configured and reviewed, but these are things which should
be determined by your own company (or personal) policies.
My 2 bits =)
--
jason
- References:
- VM Host with guests on the Internal and DMZ networks
- From: Megan Kielman
- VM Host with guests on the Internal and DMZ networks
- Prev by Date: Re: Procedural Issues
- Next by Date: Citrix Traffic
- Previous by thread: MS Virtual Server- SW Development Scenario
- Next by thread: Re: VM Host with guests on the Internal and DMZ networks
- Index(es):
Relevant Pages
|
