Re: ESX Vmware Physically connected to different segments

From: Johnny Tsao (jtsao@calstate.edu)
Date: Fri Jan 25 2008 - 15:25:21 EST


I'm very interested in hearing some recommended and best practice
architecture regarding virtualized servers. As virtualization
network/server nodes becomes more popular it also introduce challenges for
our institution to revisit the security domains.

How are you guys separating the security domains? How are the security
domains access common backend, for ex: backup, data warehousing, etc.

TIA,

-JT

***********************************
Johnny Tsao, CCIE No. 8759, CISSP
Information Security Engineer
Technology Infrastructure Services
-Strategic Engineering & Architecture (SEA)
California State University
Tel: 562.346.2218 * Fax: 562.346.2223
Email: jtsao@calstate.edu
***********************************
E-MAIL CONFIDENTIALITY NOTICE: The contents of this e-mail message and
any attachments are intended solely for the addressee(s) and may contain
confidential and/or legally privileged information. If you are not the
intended recipient of this message or if this message has been addressed
to you in error, please immediately alert the sender by reply e-mail and
then delete this message and any attachments. If you are not the
intended recipient, you are notified that any use, dissemination,
distribution, copying, or storage of this message or any attachment is
strictly prohibited.

On 1/25/08 11:41 AM, "Kurt Buff" <kurt.buff@gmail.com> wrote:

> On Jan 24, 2008 1:41 PM, Albert R. Campa <abcampa@gmail.com> wrote:
>> We have some admins setting up some VMs on an ESX server and they have
>> the idea of setting up 1host server with multiple VMs and on some of
>> these VMs they want physical NICs connected to our main LAN and other
>> VMs they want physical wires connected to a DMZ lan.
>>
>> Normally this would be almost bridging the two networks and bad
>> practice overall. An explanation from an SA is that virtual switches
>> are used on the ESX host and this seperates the physical connection to
>> our main LAN and this DMZ lan.
>>
>> This does not sound like good practice but is there documentation to
>> back that up or in your experience have you been able to exploit this
>> type of configuration?
>
> As long as it is set up correctly I think this would be fine.
>
> However, part of "correctly", AFAIAC, is that both subnets are in the
> same security domain - that is, if one is trusted, the other must be
> as well. I would *never* put, for instance, a guest OS in a DMZ subnet
> if the other guests are in a trusted subnet.
>
> Kurt
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:22 EDT