Security Basics mailing list archives
Re: VM Host with guests on the Internal and DMZ networks
From: "Jason Ross" <algorythm () gmail com>
Date: Tue, 12 Jun 2007 12:51:16 -0400
On 6/11/07, Megan Kielman <megan.kielman () gmail com> wrote:
> Security Folks,
>
> We want to have a VMWare host (VMWare Server) that has guest systems on the DMZ and Internal LAN. To accomplish this the host would have two interfaces, one on each network. Is this a really bad idea from a security perspective?
Probably, but it really depends on a lot of things, some of which include:

* your policies regarding hosts being dual homed to different trust zones
* the VMWare host OS/device

Perhaps the best way to answer that question would be to leave VMWare out of it and ask yourself whether you would allow any other host to have an interface in the DMZ and internal LAN.
> What are some ways to mitigate the risks?
It sounds like you're planning on installing VMWare on a host (as opposed to a VMWare supplied device, etc.). If that's the case, it would likely be a good idea to select an OS which offers robust and flexible routing/firewall/logging configurations, so that you could properly separate traffic on the host OS.

Alternatively, it may make sense to simply put some form of a dedicated firewall appliance in front of the VMWare host and connect to that ...

Either way, it would probably be wise to ensure logging on the host was properly configured and reviewed, but these are things which should be determined by your own company (or personal) policies.

My 2 bits =)

--
jason
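The host-side separation and logging discussed in the reply above can be checked mechanically. The following is an added example, not part of the original post: it assumes a Linux host OS using iptables, with `eth0` as the DMZ interface and `eth1` as the internal interface (hypothetical names), and both sample rulesets are constructed.

```shell
#!/bin/sh
# Audit a dual-homed Linux VM host for zone separation (added example).
# Interface names and both rulesets are constructed for illustration.

# Constructed iptables-save output: host forwards DMZ -> LAN, no logging.
sample_weak() { cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A FORWARD -i eth0 -o eth1 -j ACCEPT
COMMIT
EOF
}

# Constructed iptables-save output: forwarding dropped, DMZ input logged.
sample_hardened() { cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -i eth0 -j LOG --log-prefix "dmz-in: "
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# audit_host IP_FORWARD RULES_TEXT DMZ_IF LAN_IF
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_host() {
    fwd=$1; rules=$2; dmz=$3; lan=$4; bad=0
    has() { printf '%s\n' "$rules" | grep -Eq -- "$1"; }
    # 1. The host kernel must not route between the two zones.
    [ "$fwd" = "0" ] || { echo "FAIL: ip_forward=$fwd, host can route"; bad=1; }
    # 2. FORWARD policy DROP is the second barrier if routing is re-enabled.
    has '^:FORWARD DROP' || { echo "FAIL: FORWARD policy is not DROP"; bad=1; }
    # 3. No rule may accept traffic crossing from one zone to the other.
    if has "^-A FORWARD .*-i $dmz .*-o $lan .*-j ACCEPT" ||
       has "^-A FORWARD .*-i $lan .*-o $dmz .*-j ACCEPT"; then
        echo "FAIL: ACCEPT rule forwards between $dmz and $lan"; bad=1
    fi
    # 4. Packets addressed to the host from the DMZ side should be logged.
    has "^-A INPUT .*-i $dmz .*-j LOG" || { echo "WARN: no LOG on $dmz INPUT"; bad=1; }
    return "$bad"
}

# Live use (as root): audit_host "$(cat /proc/sys/net/ipv4/ip_forward)" "$(iptables-save)" eth0 eth1
audit_host 1 "$(sample_weak)" eth0 eth1 || true
audit_host 0 "$(sample_hardened)" eth0 eth1 || true
```

This only covers the host's own IP stack; guests bridged directly to each physical interface are still governed by whatever sits in front of the host.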