From: Kurt Buff (kurt.buff@gmail.com)
Date: Fri Jan 25 2008 - 14:41:08 EST
On Jan 24, 2008 1:41 PM, Albert R. Campa <abcampa@gmail.com> wrote:
> We have some admins setting up some VMs on an ESX server and they have
> the idea of setting up 1 host server with multiple VMs and on some of
> these VMs they want physical NICs connected to our main LAN and other
> VMs they want physical wires connected to a DMZ lan.
>
> Normally this would be almost bridging the two networks and bad
> practice overall. An explanation from an SA is that virtual switches
> are used on the ESX host and this separates the physical connection to
> our main LAN and this DMZ lan.
>
> This does not sound like good practice but is there documentation to
> back that up or in your experience have you been able to exploit this
> type of configuration?
As long as it is set up correctly I think this would be fine.
However, part of "correctly", AFAIAC, is that both subnets are in the
same security domain - that is, if one is trusted, the other must be
as well. I would *never* put, for instance, a guest OS in a DMZ subnet
if the other guests are in a trusted subnet.
Kurt
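An added example, not from this thread, of the "set up correctly" check Kurt describes, run over a constructed inventory: it flags a vSwitch whose port groups span both zones, a guest with vNICs in both, and a host that mixes trusted and DMZ guests at all. The zone label per port group and the inventory layout are assumptions; on a real host the same data would come from the vSphere API.

```python
# Added example (not from the list thread): audit a constructed ESX-style
# inventory for configurations that bridge trust zones on one host.
# The LAN/DMZ zone label per port group is an assumption made for the demo.

# Constructed sample inventory (not taken from any real host).
VSWITCHES = {
    "vSwitch0": {"uplinks": ["vmnic0"], "portgroups": {"LAN-Servers": "LAN"}},
    "vSwitch1": {"uplinks": ["vmnic1"], "portgroups": {"DMZ-Web": "DMZ"}},
    # Misconfiguration: one vSwitch carrying port groups from both zones.
    "vSwitch2": {"uplinks": ["vmnic2"],
                 "portgroups": {"LAN-Mgmt": "LAN", "DMZ-Mail": "DMZ"}},
}
VMS = {
    "web01": ["DMZ-Web"],
    "app01": ["LAN-Servers"],
    # Misconfiguration: dual-homed guest whose vNICs bridge LAN and DMZ.
    "proxy01": ["LAN-Servers", "DMZ-Web"],
}


def audit(vswitches, vms):
    """Return a list of findings; an empty list means no zone bridging found."""
    findings = []
    pg_zone = {}
    # Check 1: a vSwitch should carry port groups from a single zone only.
    for name, sw in vswitches.items():
        pg_zone.update(sw["portgroups"])
        zones = set(sw["portgroups"].values())
        if len(zones) > 1:
            findings.append(f"vswitch {name} carries zones {sorted(zones)}")
    # Check 2: a guest with vNICs in more than one zone is itself a bridge.
    host_zones = set()
    for vm, pgs in vms.items():
        zones = {pg_zone.get(pg, "UNKNOWN") for pg in pgs}
        host_zones |= zones
        if len(zones) > 1:
            findings.append(f"vm {vm} is dual-homed across {sorted(zones)}")
    # Check 3 (Kurt's rule): guests on one host should share one trust zone.
    if len(host_zones) > 1:
        findings.append(f"host mixes guests from zones {sorted(host_zones)}")
    return findings


if __name__ == "__main__":
    for line in audit(VSWITCHES, VMS):
        print("FINDING:", line)
```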
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:21 EDT