Security Basics mailing list archives
Re: VM Host with guests on the Internal and DMZ networks
From: krymson () gmail com
Date: 13 Jun 2007 19:11:55 -0000
I think you have really two things to worry about:

1) Attacks against the host. If your host is attacked and taken over, all those guests could fall. Keep it hardened to your chosen vendor's specs!!

2) Attacks local to the guest allow the guest to attack the host. This should require the guest VM to already be rooted/owned enough to be popped. You can Google up things like blue pill, hypervisor, Rutkowska (researcher), and breaking out of virtual machines/guests. Honestly, while this can blossom into a very important issue, so far the attacks are pretty exotic and you're not likely to see them.

We currently have about 60 virtual machines. Some VMs are on the DMZ and others are internal, often on the same host. Your security risk is not too much larger because those two classes of attacks listed above are still pretty exotic and not widespread. That may not prove to be secure as the years go by, but your risk right now should not be huge. Only you can answer that, though, as you know how sensitive or regulated your company's network needs to be.

In anything but a shop with budget and the need to be very surely secure otherwise people may die, I think straddling a host over the DMZ/internal is a viable situation right now. Of course, tomorrow Joanna may release something that can worm its way through VMs into the hosts and we'd all be screwed...

<- snip ->

We want to have a VMware host (VMware Server) that has guest systems on the DMZ and Internal LAN. To accomplish this the host would have two interfaces, one on each network. Is this a really bad idea from a security perspective? What are some ways to mitigate the risks?