RE: Re: Re: VM Host with guests on the Internal and DMZ networks



So are you saying that you should put your HOST in the DMZ? That would seem
more secure potentially but much less stable since DMZs usually have the
potential to be more open to outside risks. If you meant keep the Host NIC
on the inside and only DMZ VLAN port for all remaining NICs, this does not
stop your "untrustworthy" sysadmins from enabling guest traffic over that
Host NIC.

As far as trusting your sysadmin, yes, there is the potential for a sysadmin to
bridge networks, but they would have to shut the guest server down, add a
NIC and then add an IP address that would work on the inside network while
forgetting to disconnect the DMZ NIC connection. If all that happened, then
I would question the sysadmin's level of competency.

If done correctly, from a security perspective, the setup with segmented
NICs for DMZ and Internal networks on the same virtual host is secure. We
could go on quite a while detailing all the ways that a sysadmin or network
admin could compromise security of the network, which is a question separate
from whether the particular technology is secure. If not trusting a particular
group to do their jobs correctly is the concern, that is a management/hiring
problem, not a security problem.

Rob
-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On
Behalf Of ssk_outlaw@xxxxxxxxx
Sent: Thursday, July 19, 2007 10:55 PM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: Re: Re: VM Host with guests on the Internal and DMZ networks

On a different tangent, the biggest threat of such a setup is the threat
from inside: the sysadmins.

The sysadmins, at the flick of a switch (setting), are able to turn up/down
ports on either network and bridge the network segments, thus bypassing
commonly established security practices.

Do you trust your sysadmins that much?

This is typically not possible with a physical layer separating them,
where typically a network/security team oversees the port allocation for
new servers.

It's best if all DMZ servers are stacked on a separate VM Host and all the
protected network servers are stacked on a different VM Host.

Hope this helps,

- S
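Both messages above turn on the same control: whether a guest NIC on a shared virtual host can ever reach both the DMZ uplink and the internal uplink at once. The audit below is an added example, not code from either poster, written for a Linux/KVM-style host where guest vNICs attach to software bridges. It parses the output of `bridge link show` (the iproute2 format is assumed; the sample output and the uplink-to-zone policy table are constructed) and flags any bridge whose physical uplinks span more than one zone, plus the zones each guest vNIC can reach through its bridge.

```python
"""Audit Linux bridge membership for DMZ/internal bridging on a VM host.

Added example, not from the mailing-list thread. Assumes a Linux host using
kernel bridges for guest networking and the iproute2 `bridge link show`
output format. UPLINK_ZONE and SAMPLE are constructed for illustration.
"""
import re

# Constructed policy: which physical uplink belongs to which security zone.
# eth0 is trunked to the internal switch, eth1/eth2 to the DMZ switch.
UPLINK_ZONE = {"eth0": "internal", "eth1": "dmz", "eth2": "dmz"}

# Constructed `bridge link show` output. A sysadmin has attached the internal
# uplink eth0 and the DMZ uplink eth2 to the same bridge br0, so guest vnet0
# is now plumbed into both zones at the flick of a setting.
SAMPLE = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br0 state forwarding priority 32 cost 4
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br1 state forwarding priority 32 cost 4
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br0 state forwarding priority 32 cost 4
5: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br0 state forwarding priority 32 cost 100
6: vnet1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br1 state forwarding priority 32 cost 100
"""

# "<ifindex>: <port>[@peer]: <flags> ... master <bridge> ..."
LINE_RE = re.compile(
    r"^\d+:\s+(?P<port>[^:\s@]+)(?:@\S+)?:\s+<[^>]*>.*?\bmaster\s+(?P<bridge>\S+)"
)


def parse_bridge_links(text):
    """Return {bridge: [member ports]} from `bridge link show` output."""
    members = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            members.setdefault(m.group("bridge"), []).append(m.group("port"))
    return members


def bridge_zones(members, uplink_zone):
    """Map each bridge to the set of zones of the physical uplinks on it."""
    return {
        br: {uplink_zone[p] for p in ports if p in uplink_zone}
        for br, ports in members.items()
    }


def find_cross_zone_bridges(members, uplink_zone):
    """Bridges whose uplinks span >1 zone: the DMZ/internal bypass to alert on."""
    zones = bridge_zones(members, uplink_zone)
    return sorted(br for br, z in zones.items() if len(z) > 1)


def find_guest_exposure(members, uplink_zone):
    """For each non-uplink port (guest vNIC), the zones reachable via its bridge."""
    zones = bridge_zones(members, uplink_zone)
    return {
        p: zones[br]
        for br, ports in members.items()
        for p in ports
        if p not in uplink_zone
    }


def audit(text, uplink_zone=UPLINK_ZONE):
    """Run the full check over captured `bridge link show` text."""
    members = parse_bridge_links(text)
    return {
        "bridges": members,
        "cross_zone_bridges": find_cross_zone_bridges(members, uplink_zone),
        "guest_zones": find_guest_exposure(members, uplink_zone),
    }


if __name__ == "__main__":
    result = audit(SAMPLE)
    for br in result["cross_zone_bridges"]:
        print(f"ALERT: bridge {br} spans zones {sorted(bridge_zones(result['bridges'], UPLINK_ZONE)[br])}")
    for vnic, zones in sorted(result["guest_zones"].items()):
        print(f"{vnic}: reaches {sorted(zones)}")
```

Run periodically (or from a change-monitoring job) on each host and feed the output to the network/security team rather than to the sysadmins who own the hosts; that restores the independent review of port allocation that S notes a physical switch normally gives you. On the constructed sample it reports br0 as spanning both zones and vnet0 as reaching both internal and dmz, while vnet1 stays DMZ-only.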
