Re: ESX Vmware Physically connected to different segments

From: Enno Rey (erey@ernw.de)
Date: Fri Jan 25 2008 - 15:31:22 EST


Hi,

> > back that up or in your experience have you been able to exploit this
> > type of configuration?
>
> As long as it is set up correctly I think this would be fine.
>
> However, part of "correctly", AFAIAC, is that both subnets are in the
> same security domain - that is, if one is trusted, the other must be
> as well.

But then... why should you segment at all... if the "security level" of the instances is the same?
The basis for segmentation (if not required per se per architecture guidance) usually is either different protection needs, different threat exposure or both.
If none of those applies, no need to segment.
If one of those applies, putting a trust boundary on a system like ESX, which has so many flaws and weaknesses as for memory isolation/protection and stuff, might be a bad idea...

my 0.02

thanks,

Enno

-- 
Enno Rey
Check out www.troopers08.org!
ERNW GmbH - Breslauer Str. 28 - 69124 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902
PGP FP 055F B3F3 FE9D 71DD C0D5  444E C611 033E 3296 1CC1
Commercial register Heidelberg: HRB 7135
Managing directors: Roland Fiege, Enno Rey


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:22 EDT