Re: Virtualization - Mixing DMZ and internal guests on one host: would you?



My view is like yours - to keep them separate. If the auditors are
happy with a single box and you can't secure funding for physical
separation then it seems churlish to insist on physical separation.

In networks I have designed I have always kept the DMZ physically
separate. There are firewalls available that can be used to separate
the inside, outside and DMZ within a virtual environment. You can't
always be sure that the DMZ and inside will never be accidentally (or
maliciously, or because it is too much hassle, or "it only temporary")
be routed straight to the inside and not forced out of the physical
servers to your firewall. I haven't used these firewalls as they are
still relatively new and I don't have confidence in them. My opinion
is the same for the VMWare security features (vShield Zones). To my
mind they have not been adequately proven in the field.

See
http://www.astaro.com/en-uk/blog/security-perspectives/astaro-offers-free-business-firewall
http://www.dailyhypervisor.com/2010/03/12/vshield-zones-some-serious-gotchas/



On 17 September 2010 14:52, <krymson@xxxxxxxxx> wrote:
You're wading into a discussion that is on-going, and almost a non-discussion. This is because few people understand the situation, and almost everything about virtual security and attacks are largely theoretical at this point.

If you have an auditor that approves your designs for whatever regulations or reasons, you'll want their opinion, first and foremost. Many auditors may be happy with virtual segmentation and/or physical segmentation with ACLs/firewalls/network design, and just ignore the possibility of popping a host through a guest for now.

Personally, we still prefer to keep separate hosts for DMZ systems. Is there a *really* good reason for it? Well, our auditors agree, it feels better "just in case" something comes up, and may help mitigate any issues...

Kinda like thinking years ago that one network is good, but we realize now that segmentation is really important. Same with having all your eggs in one server. Most circles strive for one-server-one-role.

The problem with virtualization is segmentation can be virtual as well...which means we need more whiskey.

In the end, the ball is still very much up in the air on what camp is correct...but I think everyone would agree that this complexity is becoming head-spinning. And that really only ultimately benefits attackers. (Or those who get job security out of it!)


<- snip ->
Greetings list,

I'm providing security input for a proposed redesign and upgrade of our existing VMWare implementation. We have 80 some odd internal-use-only production servers like Windows AD domain controllers, file servers, and MS Exchange servers on one existing ESX 3.x cluster. A separate ESX 3.x cluster hosts exclusively DMZ-based public web servers. A single virtual center server manages both clusters.

As existing hardware leases expire, a new cluster is proposed to be built on new hardware that would merge all our VMs on one vSphere cluster. Dedicated pSwitch and pNIC hardware, and separate vSwitch instances are proposed to separate high risk from high value systems. This still leaves open the possibility of accidental (or intentional) misconfigurations crossing security boundaries, and the lower risk of guest-to-host or guest-to-guest exploit.

Haletky warns against just this design in his "VMware vSphere and Virtual Infrastructure Security" book, but the cost of an additional cluster may override. What is the community take on this? Would you do it? Do you do it? If so, what controls have you put in place to help mitigate the risk?

Thanks for any input.

Dan Lynch, CISSP
Information Technology Analyst
County of Placer

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------



------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------