Security Basics mailing list archives
Re: VMware ESX
From: "Eric Kollmann" <xnih13 () gmail com>
Date: Tue, 22 Apr 2008 10:52:24 -0600
There was a thread on this quite a few months back: http://www.derkeiler.com/Mailing-Lists/securityfocus/security-basics/2007-06/msg00083.html This was on VMWare Server vs ESX, 2 separate beasts, but may shed some light on what others have said on this in the past. A good writeup from VMware on ESX security is here: http://www.vmware.com/pdf/vi3_security_architecture_wp.pdf So one argument is they compromise a host on the DMZ, next they have to compromise vmtools, next the vmm, and then maybe get back into the vmkernal. Ok, maybe possible, a lot of what ifs so far from what I've seen, but maybe possible. The idea that they can get back into the backend SAN, from the VM is probably not going to happen. I guess it could if you have the VM setup in such a way that it has access into the SAN to start with. But by default, it is setup as a vmdk file on that SAN, all interaction with that file is outside of the VM, the VM itself can't see the SAN, it only sees its file. Basically the VM knows nothing of the SAN, so not sure how one could access the SAN via the VM. One misconception is that ESX is a stripped down Linux. ESX is its own OS, it has a front end that interacts with ESX and that front end is a stripped down Linux. I believe 50%+ of the patches for ESX are actually patches to the Linux side of things. As mentioned by someone else ESX 3i gets rid of the Linux side of things, so one less avenue of attack there. But to attack the Service Console (the Linux side of things), you'd have to have access to the network that the SC resides on. Best practice would be to put the SC on a locked down network of its own, not accessible from the rest of your network, but only select machines. By doing this you'd mitigate most, if not all, SC vulnerabilities. Now what about vSwitches, VLAN tagging, etc. Supposedly the vSwitches are completely isolated. So the DMZ vSwitch has no access to the Private vSwitch or the other vSwitches. All traffic that is on the DMZ vSwitch may be able to be seen by someone who compromises a machine on your DMZ. By default Promiscuous mode for any nic is turned off when you setup the VM, but they could do ARP Poisoning or anything else that they could do on a physical server once they had access, maybe try VLAN hopping. How much they could see of what is flowing through the vSwitch with this attack I don't know. Now back to VLAN tagging. Do you want to run your DMZ traffic along with your other traffic. This goes back to how secure, or unsecure anyone can prove the vSwitches are. If you are worried that someone may be able to get from a vSwitch, through there, to the ESX host, to actually see all the traffic on the physical NIC, then separate out your DMZ traffic to a separate NIC at least. More on vSwitches and ESX networking concepts: http://www.vmware.com/files/pdf/virtual_networking_concepts.pdf Vmotion issue, again network security and your initial infrastructure setup apply here: http://blog.scottlowe.org/2008/03/05/vmotion-and-vlan-security/ Again, this goes back to initial setup and best practices, how were they able to get to where they had access to the VMotion network in the first place? A writeup on many VMs out there with issues they found: http://taviso.decsystem.org/virtsec.pdf There are a lot of what ifs out there and it comes down to what is "secure enough" for you. If you want it 100% secure, unplug it from the network, otherwise someone will eventually, find a way into it. I know some companies have gone down the road of setting up a set of ESX hosts specifically for their DMZ, where others have theirs intermixed. To date I've not seen anything that would allow someone to compromise the VM and get to the Host or other isolated VMs from there, but as noted by others, it is software, so there may be bugs in it that have yet to be found that will eventually allow that. Again, it comes down to what is "secure enough" for your environment. Good luck.
Current thread:
- VMware ESX Paul Heywood (Apr 21)
- Re: VMware ESX Predrag (Apr 21)
- Re: VMware ESX Captain Quirk (Apr 21)
- RE: VMware ESX TVB NOC (Apr 21)
- Message not available
- Re: VMware ESX Tyler Reguly (Apr 22)
- RE: VMware ESX TVB NOC (Apr 22)
- RE: VMware ESX TVB NOC (Apr 21)
- <Possible follow-ups>
- Re: VMware ESX Robert Taylor (Apr 21)
- RE: VMware ESX Yahsodhan Deshpande (Apr 21)
- Re: VMware ESX Eric Kollmann (Apr 22)
