RE: VMware ESX

---

• From: "Yahsodhan Deshpande" <yahsodhan.deshpande@xxxxxxxxxxxxxxxxx>
• Date: Mon, 21 Apr 2008 15:40:19 -0700

---

I agree with Robert, while using virtualization, the best thing to do is
to not forget the basic security measures you took for the physical
world, once those are in place a further step needs to be taken to
protect the environment from the holes created due to virtualization.

The traditional DMZ is always protected by FW and there is no reason to
bring in those machines into the internal network. Although VLAN seems
to solve the problem logically, you never know how the virtual network
on the ESX server would behave.

That is the reason, that new companies are emerging with products to
protect the virtual network. There are already Virtual appliances that
provide the functionality of Firewall and IDS/IPS. Vmware is also going
to release a layer (API), to encourage development of such applications.


If you plan to mix the 2 environments, then better think of adding some
internal firewall/ips so that you get same level of protection/isolation
that your physical servers used to get.

On other front, I would like to know your setup; do you have such a
powerful ESX server, such that you are able to put all your internal
servers as well as the Servers in DMZ on the same ESX? Hope you have
gone over the exercise of capacity planning, maintenance windows etc.

Yashodhan



-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Robert Taylor
Sent: Monday, April 21, 2008 2:45 PM
To: Paul Heywood
Cc: security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: VMware ESX

While it sounds like a compelling thing to do sometimes, I personally
think it's a bad idea. You need to ask youself why are the machines in
the DMZ in the first place. I'm assuming,

1. To help keep them from being compromised.
2. To limit access if they get compromised.

If hackers can compromise and then somehow break out of the virtual
machine, they may be able to then connect to an internal network, or
compromise some of the other VM's on the ESX box.

Also, they recommend installing vmware-tools on VM's in esx, which
uses some side-channel communication between the VM and esx server.
Find a way to compromise that, and you could possibly control the esx
server itself.

Esx isn't bulletproof. It's really a stripped down and highly tweaked
linux, but it has security flaws as well. You need to keep it patched
along with the OS's that run on it. If there is a bug in the NIC
drivers on esx, that has potential to compromise the whole machine.

If you are using a san backend, if the esx box is compromised, hackers
may have access to san resources as well.

If you are intent on using ESX, I would setup a entirely separate
environment for dmz servers. I just think there are too many places
where things can go bad.

rgt


----- Original Message -----
From: "Paul Heywood" <Paul.Heywood@xxxxxxxxxxxxxxxxxxxx>
Date: Monday, April 21, 2008 8:23 am
Subject: VMware ESX

Hi forum,

we've got a VMware ESX group of servers running on the inside of
our network. Our server team want to extend this to include some
DMZ servers. How vulnerable would this leave the internal network
? Am I correct in thinking that if the VMware cluster was hacked,
this would give them access to the internal network

**********************************************************************

The information in this e-mail is confidential and may be legally
privileged.It is intended solely for the addressee. Access to this
email by anyone else
is unauthorised. If you have received it in error, please notify
us immediately
by replying to this e-mail and then delete it from your system.

This note confirms that this email message has been swept for the
presence of
computer viruses, however we advise that in keeping with good IT
practice the
recipient should ensure that the e-mail together with any
attachments are virus
free by running a virus scan themselves. We cannot accept any
responsibility for
any damage or loss caused by software viruses.

The Unity Partnership Ltd, registered in England at West Hall,
Parvis Road, West Byfleet, Surrey UK KT14 6EZ.
Registered No : 5916336. VAT No : 903761336.

**********************************************************************

---

• References:
  • Re: VMware ESX
    • From: Robert Taylor

• Prev by Date: Re: Tutorial on Wireless packet sniffing
• Next by Date: RE: Web filters - Effects on Productivity
• Previous by thread: Re: VMware ESX
• Next by thread: Re: VMware ESX
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: VMWare ESX and FBSD 7.2 AMD64 guest ... VMWare ESX and FBSD 7.2 AMD64 guest ... What version of ESX? ... that is largely due to disk I/O and virtualization of same. ... relevant) boundary of the underlying storage. ... (freebsd-questions) RE: ESX Vmware Physically connected to different segments ... ESX was specifically designed to host ... is always more secure. ... virtualization techniques that allow for greater use of the devices we ... This E-Mail transmission ... (Pen-Test) RE: VMware ESX ... single physical link with multiple servers even if it is dedicated to ... Subject: VMware ESX ... How vulnerable would this leave the internal network? ... (Security-Basics) Re: terminal server on VMware ... I have to disagree with most of the posts here, we are running ESX ... 16 of our 35 Citrix servers split up and running between 2 of our ESX ... addresses shortly by VMWare with the shared resources. ... (microsoft.public.windows.terminal_services) Re: VMware ESX ... If hackers can compromise and then somehow break out of the virtual ... compromise some of the other VM's on the ESX box. ... uses some side-channel communication between the VM and esx server. ... Subject: VMware ESX ... (Security-Basics)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(17)