RE: VMWare deployment



I'm no VMWare security expert, but when our internal server support
group proposed this, I did a bit of research, and found very few people
(outside of VMWare, Inc.) who advocated mixing security zones on a
single virtual host server, and a good sized pile who recommend against
it.

http://srmsblog.burtongroup.com/2008/01/five-immutable.html
http://www.eweek.com/c/a/Security/VM-Security-Risks-Phantom-or-Menace/
http://spiresecurity.typepad.com/spire_security_viewpoint/2008/03/virtualization.html
http://securosis.com/2008/04/17/vmware-please-hire-the-hoff/
http://rationalsecurity.typepad.com/blog/2008/04/the-four-horsem.html

My conclusion: "our existing practice is to segregate high risk networks
from high value ones with a real-life air gap. Switches that service DMZ
and internet networks don't also trunk high value internal network
VLANs. There's no reason the same practice should not apply to our
virtual environment."

Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA
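An added audit example illustrating the practice stated above (written for this page, not code from the thread or from VMware): it walks a constructed VM inventory and reports any host running VMs from more than one zone, any vSwitch whose port groups carry both DMZ and internal VLANs, and any datastore (the shared NAS from the original question) used by both zones. The inventory shape, host, port group and datastore names are all assumptions; real data would be exported from vCenter.

```python
from collections import defaultdict

# Constructed inventory (assumed shape): VM name -> host, zone, port group, datastore.
VMS = {
    "web01":   {"host": "esx1", "zone": "dmz",      "portgroup": "pg-dmz",      "datastore": "nas-shared"},
    "web02":   {"host": "esx1", "zone": "dmz",      "portgroup": "pg-dmz",      "datastore": "nas-shared"},
    "hr-db":   {"host": "esx1", "zone": "internal", "portgroup": "pg-internal", "datastore": "nas-shared"},
    "filesrv": {"host": "esx2", "zone": "internal", "portgroup": "pg-internal", "datastore": "nas-int"},
}
# Constructed port group -> vSwitch and VLAN id. One vSwitch carrying both a DMZ
# and an internal VLAN is the virtual equivalent of a switch trunking both zones.
PORTGROUPS = {
    "pg-dmz":      {"vswitch": "vSwitch0", "vlan": 100},
    "pg-internal": {"vswitch": "vSwitch0", "vlan": 200},
}


def _zones_by(vms, key):
    """Map each distinct value of `key` (host, datastore, ...) to the set of zones using it."""
    seen = defaultdict(set)
    for vm in vms.values():
        seen[vm[key]].add(vm["zone"])
    return seen


def audit(vms=VMS, portgroups=PORTGROUPS):
    """Return sorted findings; an empty list means the inventory honours the air-gap practice."""
    findings = []
    # 1. A hypervisor hosting VMs from more than one zone mixes zones on one box.
    for host, zones in _zones_by(vms, "host").items():
        if len(zones) > 1:
            findings.append(f"host {host} mixes zones {sorted(zones)}")
    # 2. A vSwitch whose port groups serve more than one zone trunks both networks.
    vswitch_zones = defaultdict(set)
    for vm in vms.values():
        vswitch_zones[portgroups[vm["portgroup"]]["vswitch"]].add(vm["zone"])
    for vsw, zones in vswitch_zones.items():
        if len(zones) > 1:
            findings.append(f"vswitch {vsw} trunks zones {sorted(zones)}")
    # 3. A datastore backing VMs from both zones is the shared-NAS concern.
    for ds, zones in _zones_by(vms, "datastore").items():
        if len(zones) > 1:
            findings.append(f"datastore {ds} shared across zones {sorted(zones)}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit():
        print("VIOLATION:", finding)
```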

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx
[mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of W W
Sent: Sunday, May 03, 2009 9:11 AM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: VMWare deployment

I have an organization who is deploying a VMware solution. They are
setting it up to host both DMZ servers and internal servers. They
are utilizing the virtual switch to isolate the traffic between the
two networks. All the VM instances however are running from a shared
NAS solution. What security considerations should be looked at? Are
there any good documents out there discussing the use case?

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Learn all of the latest penetration testing techniques in
InfoSec Institute's Ethical Hacking class.
Totally hands-on course with evening Capture The Flag (CTF)
exercises, Certified Ethical Hacker and Certified Penetration
Tester exams, taught by an expert with years of real pen
testing experience.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------


