Re: ESX Vmware Physically connected to different segments

From: Kurt Buff (kurt.buff@gmail.com)
Date: Mon Jan 28 2008 - 13:43:05 EST


Even if everything is configured properly, mixing security domains in
virtual hosting is a capital mistake.

That's because the underlying host is also vulnerable, and attacks
against a guest OS in an untrusted domain can be leveraged against the
host, and from there *all* guest OSes are toast, or near to it.

Don't do it, ever.

Kurt

On Jan 28, 2008 5:08 AM, Loupe, Jeffrey J <JLoupe@whitneybank.com> wrote:
>
> If everything is set up properly this configuration should be secure. The
> problem comes with misconfiguration. It's exceedingly easy for a
> careless admin to connect a vNic to the wrong vSwitch and allow traffic
> meant for the DMZ onto the trusted network. In general we disallow this
> practice unless only one or two trusted admins have control of the box.
> Even then, we audit the configuration frequently.
>
> -J


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:22 EDT