12 Replies Last post: Nov 9, 2007 9:01 AM by Charu  

LUN Jumping on the same SAN using ESX3 posted: Nov 2, 2007 9:36 AM

reza666 (Novice, 5 posts since Nov 2, 2007)

Hi guys,

I have a SAN with different NICs and LUNs.
I am connecting public DMZ and intranet servers running on ESX3 to the same SAN, located in the intranet, using dedicated LUNs and NICs for both the DMZ and the intranet.
The question is:
can someone coming from the DMZ (Internet) jump to the intranet LUNs and access the data?
Thx
Reza666

Re: LUN Jumping on the same SAN using ESX3

1. Nov 2, 2007 9:40 AM in response to: reza666
Texiwill (Guru, 10,205 posts since Jan 13, 2004)
Hello,

Assuming all your VMs on the vSwitches are single-homed, then there is no way within the virtual world for this to happen. However, standard networking does apply here: if you have a bridge, router or gateway between the DMZ and intranet then that does offer a possibility. If you have multihomed VMs, then you also have a mechanism for this.

Outside of standard networking issues, there is nothing within the virtual world that would allow a 'jump'.

Best regards,
Edward L. Haletky, author of the forthcoming 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', publishing January 2008, (c) 2008 Pearson Education. Available on Rough Cuts at http://safari.informit.com/9780132302074

Re: LUN Jumping on the same SAN using ESX3

3. Nov 5, 2007 4:58 AM in response to: reza666
Texiwill (Guru, 10,205 posts since Jan 13, 2004)
Hello,

If you can set your vNIC to promiscuous mode then anything is possible on the vSwitch (this is why it is disallowed by default). If you can do VLAN jumping on the physical switch then there is nothing you can do on the virtual switch to prevent that. I have not tested whether VLAN jumping is possible on the vSwitch, but I do not know of anything that precludes it.

Your use of separate hardware devices is the safest approach when trying to split out traffic; this forces the use of separate vSwitches, and even if you could do VLAN jumping you cannot jump from vSwitch to vSwitch. I only use VLANs in low port density situations for critical services (SC, vMotion, DMZ, Production, Storage), as I prefer the physical separation. The other option for using VLANs is when I have more than one network for those major categories of networks.

Best regards,
Edward L. Haletky

Re: LUN Jumping on the same SAN using ESX3

5. Nov 5, 2007 7:45 AM in response to: reza666
Texiwill (Guru, 10,205 posts since Jan 13, 2004)
Hello,

If you have only 1 vSwitch and you allow promiscuous mode vNICs on this vSwitch (which is NOT the default) then yes, ARP cache poisoning and anything related to that is possible. As for spoofing, MAC address and IP address spoofing is enabled by default; if you disable them then it will NOT be possible to do this on a vSwitch. You really need to use more than one vSwitch for full security.

Best regards,
Edward L. Haletky

Re: LUN Jumping on the same SAN using ESX3

6. Nov 5, 2007 8:35 AM in response to: reza666
esiebert7625 (Guru, 6,794 posts since Oct 23, 2006)
VMware wrote a white paper on this in response to an article where the security issues were raised.

VMware's ticking storage time bomb - http://www.techworld.com/opsys/features/index.cfm?fuseaction=displayfeatures&featureid=2257&page=1&pagepos=1

VMware ESX Server - Providing LUN Security - http://www.vmware.com/pdf/esx_lun_security.pdf

Also some more good security reads...

Security Design of the VMware Infrastructure 3 Architecture - http://www.vmware.com/pdf/vi3_security_architecture_wp.pdf
VMware Infrastructure 3 Security Hardening - http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf
VI3 Securing and Monitoring - http://download3.vmware.com/vmworld/2006/labs2006/vmworld.06.lab05-SECURITY-MANUAL-APPENDIX.pdf
ESX Security White Paper - http://www.vmware.com/pdf/esx2_security.pdf


-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=-=-=-=-
Thanks, Eric
Visit my website: http://vmware-land.com
-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=-=-=-=-
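The LUN security paper linked above rests on two controls that sit entirely outside the vSwitch layer: fabric zoning (which initiator WWPNs may log in to which array ports) and array-side LUN masking (which initiator WWPNs a given LUN is presented to). The model below is an added example written for this page, not VMware's code and not from the paper; the hosts, WWPNs and LUN names are constructed. It shows why masking, not zoning, is the control that actually separates LUNs when DMZ and intranet LUNs live behind the same array port, and why the VM's IP network never enters the decision.

```python
"""Access model for fabric zoning plus array LUN masking.  Added example for
this page, not VMware's code; hosts, WWPNs and LUN names are constructed."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    zone: str                   # security zone the ESX host serves: "dmz" or "intranet"
    hba_wwpns: tuple[str, ...]  # initiator WWPNs of its FC HBAs


@dataclass(frozen=True)
class Lun:
    name: str
    owner_zone: str             # zone whose data the LUN holds
    target_wwpn: str            # array port presenting it
    masked_to: frozenset[str]   # initiator WWPNs the array answers for this LUN


def fabric_allows(zones: list[frozenset[str]], initiator: str, target: str) -> bool:
    """Switch zoning: an initiator can log in to a target port only if some
    zone contains both WWPNs.  Zoning sees ports, never individual LUNs."""
    return any(initiator in z and target in z for z in zones)


def visible_luns(host: Host, luns: list[Lun], zones: list[frozenset[str]]) -> list[str]:
    """A LUN is reachable when, for at least one of the host's HBAs, the fabric
    lets it reach the array port AND the array masks the LUN to that HBA.
    Nothing about vSwitches or the VM's IP network enters here."""
    return sorted(
        lun.name for lun in luns
        if any(fabric_allows(zones, w, lun.target_wwpn) and w in lun.masked_to
               for w in host.hba_wwpns)
    )


def cross_zone_exposure(hosts: list[Host], luns: list[Lun],
                        zones: list[frozenset[str]]) -> list[tuple[str, str]]:
    """(host, lun) pairs where a host sees a LUN owned by another zone.
    An empty list is the property the DMZ/intranet split needs."""
    by_name = {lun.name: lun for lun in luns}
    return [(h.name, n) for h in hosts for n in visible_luns(h, luns, zones)
            if by_name[n].owner_zone != h.zone]


# --- constructed inventory (WWPNs are made up) ------------------------------
ARRAY_PORT = "50:06:01:60:3b:20:11:aa"
DMZ_HBA = "21:00:00:e0:8b:aa:aa:01"
INT_HBA = "21:00:00:e0:8b:bb:bb:01"

HOSTS = [Host("esx-dmz01", "dmz", (DMZ_HBA,)),
         Host("esx-int01", "intranet", (INT_HBA,))]

# Single-initiator zones: each HBA alone with the array port.
ZONES = [frozenset({DMZ_HBA, ARRAY_PORT}), frozenset({INT_HBA, ARRAY_PORT})]
# One flat zone holding everything, for contrast.
FLAT_ZONE = [frozenset({DMZ_HBA, INT_HBA, ARRAY_PORT})]


def luns_correct() -> list[Lun]:
    """Each LUN masked only to the HBA of the host that owns it."""
    return [Lun("dmz_vmfs", "dmz", ARRAY_PORT, frozenset({DMZ_HBA})),
            Lun("intranet_vmfs", "intranet", ARRAY_PORT, frozenset({INT_HBA}))]


def luns_overmasked() -> list[Lun]:
    """Common slip: the intranet LUN is presented to every host in the storage
    group, leaving zoning as the only thing between it and the DMZ host."""
    return [Lun("dmz_vmfs", "dmz", ARRAY_PORT, frozenset({DMZ_HBA})),
            Lun("intranet_vmfs", "intranet", ARRAY_PORT, frozenset({DMZ_HBA, INT_HBA}))]


def scenarios() -> dict[str, list[tuple[str, str]]]:
    return {
        "zoned+masked": cross_zone_exposure(HOSTS, luns_correct(), ZONES),
        "zoned, over-masked": cross_zone_exposure(HOSTS, luns_overmasked(), ZONES),
        "flat zone, masked": cross_zone_exposure(HOSTS, luns_correct(), FLAT_ZONE),
    }


if __name__ == "__main__":
    for label, leaks in scenarios().items():
        print(f"{label:22s} cross-zone exposure: {leaks}")
```

The second scenario is the one to look for on a real fabric: both LUNs sit behind the same array port, so the DMZ host's zone already permits it to log in to that port, and only the array's masking decides whether the intranet LUN answers. Zoning without correct masking leaks; masking without zoning (third scenario) still holds the line but gives up the second layer.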

Re: LUN Jumping on the same SAN using ESX3

7. Nov 5, 2007 9:47 AM in response to: esiebert7625
Texiwill (Guru, 10,205 posts since Jan 13, 2004)
Hello,

Interesting read. It does explain a few things, and would you not have to expose the FC-HBA to the VM or something to get N-Port Virtualization? Which does not currently happen...

Best regards,
Edward L. Haletky

Re: LUN Jumping on the same SAN using ESX3

8. Nov 6, 2007 6:57 AM in response to: Texiwill
Michael Allums (Novice, 20 posts since Mar 26, 2007)
That's a good point Texiwill. I am curious, how would a VM see an HBA anyway? HD space is allocated through ESX which "should" make the HBA invisible to Windows....right?

Re: LUN Jumping on the same SAN using ESX3

9. Nov 6, 2007 10:42 AM in response to: Michael Allums
Texiwill (Guru, 10,205 posts since Jan 13, 2004)
Hello,

It is invisible to the VM in normal circumstances, however perhaps with an RDM some of the FC floats up to the VM? I have not investigated that and would like more commentary from VMware on the subject.

Best regards,
Edward L. Haletky

Re: LUN Jumping on the same SAN using ESX3

11. Nov 9, 2007 7:51 AM in response to: reza666
Texiwill (Guru, 10,205 posts since Jan 13, 2004)
Hello,

> By installing each physical NIC adapter on the ESX you will automatically get a vSwitch attached to it.

Not always; you need to create them yourself.

> With 3 physical NICs you have 3 vSwitches.

Yes, you created three vSwitches.

> I am not sure if all vSwitches are really isolated from each other, as all of them are running on the vSwitch layer.

Yes, they are separate from each other in the vSwitch layer, but from a network perspective they may not be; that depends on whether you bridge between the vSwitches somewhere with a multihomed VM, bridge, router, gateway, etc., or if the physical side has some bridging.

Note these vSwitches also have no redundancy.

Best regards,
Edward L. Haletky
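Posts 1, 5 and 11 together give a checklist for the virtual side: a vSwitch per physical NIC role, no VM with vNICs on more than one vSwitch, promiscuous mode left rejected, MAC address changes and forged transmits (the "spoofing" that is accepted by default on ESX3) turned off, and at least two uplinks per vSwitch. The audit below is an added example written for this page, not VMware's code and not a VI3 API; it models the VI3 inheritance rule that a port group either inherits the vSwitch security policy or overrides it, uses the ESX3 defaults as stated in post 5, and runs over a constructed inventory.

```python
"""Audit of an ESX3 virtual-network layout for the paths the thread names:
multihomed VMs bridging vSwitches, zones sharing one vSwitch (VLAN-only
separation), promiscuous port groups, MAC-spoofing policies left at their
defaults, and single-uplink vSwitches.  Added example for this page, not
VMware's code; the inventory below is constructed."""
from __future__ import annotations
from dataclasses import dataclass, replace
from typing import Optional


@dataclass
class VSwitch:
    name: str
    uplinks: list[str]
    # ESX3 vSwitch policy defaults: promiscuous Reject,
    # MAC address changes Accept, forged transmits Accept.
    promiscuous: bool = False
    mac_changes: bool = True
    forged_transmits: bool = True


@dataclass
class PortGroup:
    name: str
    vswitch: str
    zone: str                          # "dmz", "intranet", ...
    vlan: int = 0
    # None = inherit the vSwitch setting; a bool overrides it per port group
    promiscuous: Optional[bool] = None
    mac_changes: Optional[bool] = None
    forged_transmits: Optional[bool] = None


@dataclass
class VM:
    name: str
    portgroups: list[str]              # one entry per vNIC


def effective_policy(pg: PortGroup, vs: VSwitch) -> dict[str, bool]:
    """Port-group override if set, otherwise the vSwitch setting."""
    def pick(attr: str) -> bool:
        override = getattr(pg, attr)
        return getattr(vs, attr) if override is None else override
    return {a: pick(a) for a in ("promiscuous", "mac_changes", "forged_transmits")}


def audit(vswitches: list[VSwitch], portgroups: list[PortGroup], vms: list[VM]) -> list[str]:
    vs_by = {v.name: v for v in vswitches}
    pg_by = {p.name: p for p in portgroups}
    findings: list[str] = []
    zones_on: dict[str, set[str]] = {}
    for pg in portgroups:
        zones_on.setdefault(pg.vswitch, set()).add(pg.zone)
    for vs in vswitches:
        zones = zones_on.get(vs.name, set())
        if len(zones) > 1:   # DMZ and intranet on one vSwitch: VLAN tags only
            findings.append(f"{vs.name}: zones {sorted(zones)} share one vSwitch; "
                            "only VLAN tags separate them")
        if len(vs.uplinks) < 2:
            findings.append(f"{vs.name}: single uplink {vs.uplinks}, no redundancy")
    for pg in portgroups:
        pol = effective_policy(pg, vs_by[pg.vswitch])
        if pol["promiscuous"]:
            findings.append(f"{pg.name}: promiscuous mode accepted; sniffing and "
                            f"ARP cache poisoning possible on {pg.vswitch}")
        if pol["mac_changes"] or pol["forged_transmits"]:
            findings.append(f"{pg.name}: MAC changes/forged transmits accepted "
                            "(ESX3 default); MAC spoofing possible")
    for vm in vms:   # a vNIC on each side is a bridge/router between vSwitches
        switches = sorted({pg_by[n].vswitch for n in vm.portgroups})
        if len(switches) > 1:
            findings.append(f"{vm.name}: multihomed across {switches}; "
                            "a bridge/router path between the vSwitches")
    return findings


def harden(vs: VSwitch) -> VSwitch:
    """The corrected vSwitch policy: reject everything.  Port groups with an
    explicit override (e.g. an IDS sensor) keep their own setting."""
    return replace(vs, promiscuous=False, mac_changes=False, forged_transmits=False)


# --- constructed inventory: one vSwitch per physical NIC role ---------------
VSWITCHES = [VSwitch("vSwitchDMZ", ["vmnic1"]),
             VSwitch("vSwitchIntranet", ["vmnic2", "vmnic3"],
                     mac_changes=False, forged_transmits=False)]
PORTGROUPS = [PortGroup("DMZ", "vSwitchDMZ", "dmz"),
              PortGroup("IDS Sensor", "vSwitchDMZ", "dmz", promiscuous=True),
              PortGroup("Intranet", "vSwitchIntranet", "intranet")]
VMS = [VM("web01", ["DMZ"]), VM("db01", ["Intranet"]),
       VM("proxy01", ["DMZ", "Intranet"])]   # the multihomed bridge

# The layout post 5 warns against: one vSwitch, VLAN-only separation.
SHARED = ([VSwitch("vSwitch1", ["vmnic1", "vmnic2"], mac_changes=False, forged_transmits=False)],
          [PortGroup("DMZ", "vSwitch1", "dmz", vlan=10),
           PortGroup("Intranet", "vSwitch1", "intranet", vlan=20)],
          [VM("web01", ["DMZ"]), VM("db01", ["Intranet"])])


def audit_hardened() -> list[str]:
    return audit([harden(v) for v in VSWITCHES], PORTGROUPS, VMS)


if __name__ == "__main__":
    for line in audit(VSWITCHES, PORTGROUPS, VMS):
        print("before:", line)
    for line in audit_hardened():
        print("after: ", line)
    for line in audit(*SHARED):
        print("shared:", line)
```

Hardening the vSwitch policy removes the spoofing findings that were only inherited, but not the explicit promiscuous override on the sensor port group, the single uplink, or the multihomed proxy01; those three are design decisions the audit can only report, which is the point of post 1: a VM with a foot on each vSwitch is the "standard networking" path that no vSwitch setting closes.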

Re: LUN Jumping on the same SAN using ESX3

12. Nov 9, 2007 9:01 AM in response to: Texiwill
Charu (Enthusiast, 18 posts since Jun 15, 2006)

More information on vSwitches may be found in the VMware Virtual Networking Concepts paper: http://www.vmware.com/resources/techresources/997
