Whitepaper: DMZ Virtualization with VMware Infrastructure

Posted by Alessandro Perilli   |   Monday, June 30, 2008   |   2 Comments

The virtualization of the most exposed part of any infrastructure, the DMZ, is inevitable, and sooner or later a vendor had to cover the topic.
VMware is the first, with a new 9-page best practice paper.

There is nothing bad in virtualizing the DMZ as long as we are fully aware of the risks.
One of the biggest security risks in virtualization is mixing virtual machines at different risk levels on the same host. Yet this is one of the first and most frequent mistakes a company makes, because virtualization professionals approach workload consolidation by looking at performance and at maximum usage of the physical resources, not at security levels.

And this happens for several reasons: the company does not yet perceive a concrete risk in virtualizing its infrastructure, so it simply aims at maximum ROI; the virtualization professional may not know enough about security, or simply doesn't care.

The VMware paper is a perfect example to clarify this point.
It presents three different approaches to virtualize a complex DMZ with three screened subnets: the first recommends a separate virtualization host for each segment and it's clearly more expensive, while the other two suggest the consolidation of multiple segments in the same virtualization host.

[Figure: virtualDMZ]

These last two approaches should be avoided at all costs because they assume the inviolability of the hypervisor (at every level, from the virtual networking to the kernel), something that neither VMware nor any other virtualization vendor can guarantee.
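The difference between consolidating by resource usage and consolidating by trust zone can be made concrete with a small placement model. This is an added example, not code from the post or from the VMware paper; the inventory, zone names and vCPU figures are constructed, and the hypothetical `mixed_zone_hosts` check is the audit a reviewer would run against a proposed layout.

```python
from dataclasses import dataclass, field
from typing import List

# Constructed inventory: VMs from three screened subnets (trust zones) of a
# DMZ, each with the number of vCPUs it needs. Names and zones are made up.
@dataclass(frozen=True)
class VM:
    name: str
    zone: str
    cpus: int

@dataclass
class Host:
    capacity: int
    vms: List[VM] = field(default_factory=list)
    def free(self) -> int:
        return self.capacity - sum(v.cpus for v in self.vms)

def pack_by_utilisation(vms: List[VM], capacity: int) -> List[Host]:
    """First-fit-decreasing on CPU demand alone: consolidation driven by
    resource usage, with trust zones ignored (what the post warns against)."""
    hosts: List[Host] = []
    for vm in sorted(vms, key=lambda v: v.cpus, reverse=True):
        target = next((h for h in hosts if h.free() >= vm.cpus), None)
        if target is None:
            target = Host(capacity)
            hosts.append(target)
        target.vms.append(vm)
    return hosts

def pack_by_zone(vms: List[VM], capacity: int) -> List[Host]:
    """Same packing, but run per trust zone so no host ever carries VMs from
    two segments (the paper's separate-host-per-segment option)."""
    hosts: List[Host] = []
    for zone in sorted({v.zone for v in vms}):
        hosts += pack_by_utilisation([v for v in vms if v.zone == zone], capacity)
    return hosts

def mixed_zone_hosts(hosts: List[Host]) -> List[Host]:
    """Audit check: hosts that consolidate more than one trust zone."""
    return [h for h in hosts if len({v.zone for v in h.vms}) > 1]

INVENTORY = [
    VM("web1", "web-dmz", 2), VM("web2", "web-dmz", 2),
    VM("app1", "app-dmz", 4), VM("app2", "app-dmz", 2),
    VM("db1", "db-internal", 6),
]
# With 8-vCPU hosts: utilisation packing gives 2 hosts, both mixed-zone;
# zone packing gives 3 hosts, none mixed. The extra host is the price of isolation.
```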

2 Comments

Anonymous DCS Monday, June 30, 2008 4:20:00 PM  
I think you're overstating the risks by saying the virtual segmentation of trust zones should be avoided at all costs. The last two scenarios will provide a good balance of cost and security for many environments, especially when redundant hardware and network infrastructure requirements multiply the price of infrastructure. I was running VMs at a production site for over a year in the 2nd arrangement and I'll do it again at my current job. Of course, the hypervisor isn't perfect, but VMs are highly isolated in VMware ESX. You might as well say 'Never mix VLANs with different security levels on the same physical switch.' You can take that approach, it's safer, but more expensive to build and maintain -- it's not absolutely better in all circumstances.
Blogger Osama Thursday, July 03, 2008 5:57:00 AM  
When you say:
"These last two approaches should be avoided at all costs because they imply the inviolability of the hypervisor (at any level: from the virtual networking to the kernel) something that nor VMware neither any other virtualization vendor can grant."

One could equally argue that no firewall vendor will guarantee that their product is "perfect" and won't compromise the infrastructure relying on its protection.
Actually all vendors in their licensing agreements pretty much say that they don't guarantee anything.
The only difference is that firewalls have been around for much longer than virtual infrastructures and thus have been exposed for quite some time and subsequently have been improved and hardened by time and exposure.

You can prove that something is secure only by failing to break it and virtual infrastructure hasn't been exposed long enough to experts "hackers" to show how resilient it is to attacks.

To avoid the last two options at "all costs" does not make sense. "cost" is a trade off we make when thinking about security and for some people it might be just worthwhile to take the risk and proceed with the two scenarios you suggest to ignore. Everyone has a different level of risk tolerance.

Osama Salah
