There are several companies that are trying to address this through the use of hypervisor security shunts. However even if this is not the case, over time someone will crack ESX (remember how secure Windows 2003 and XP were under Microsoft's secure computing initiative) and when this happens under the virtualization model we won't have additional technologies to provide security This is because virtualization bypasses all of the technologies (virtual servers, virtual OS, virtual switches, etc). This means that if virtualization is cracked the other layers can be bypassed. The issue with virtualization is that several of these layers become virtualized under one technology (e.g. This way if one layer fails the other layers provide different layers of protection. Available on Rough Cuts at īelow is what our security guy sent to me in an email the other day.īasically we subscribe to a defense in depth solution where we use multiple layers of security (using numerous different technologies) to achieve security. Haletky, author of the forthcoming 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', publishing January 2008, (c) 2008 Pearson Education. It is incredibly easy for an Administrator to move a VM from network to network and this way, the simple switch will not move a production machine onto the DMZ network.Įdward L. Even so, many people will say to put the DMZ servers on their own set of ESX Servers and that is actually safer. I would not use VLANs for DMZ and production on the same set of NICs.
2 pNICs for redundancy.ĭMZ Network for external hosts. If using iSCSI, a Service Console port must be able to reach this network. VMotion network consisiting of ONLY ESX Server vmkernel vMotion devices. Here is what I would do:Īdministrative network that contains service console for all ESX Servers and Virtualcenter and any administrative non production network and non DMZ network VMs. The networks should be segmented on physical boundaries when using a DMZ. It is possible to crash a VM however, and while that in itself is not necessarily a security problem it can be viewed as one.
It is not possible to do this through the vmkernel interfaces.
At the moment using a network connection is the only way to get to the host via the guest. do not make your ESX server a file server for your guests. Is there a way to get from the Guest to the Host? Actually there is, but it requires you to badly configure your ESX server.
0 kommentar(er)
