We do instal vnmware tools in our dmz guests.
You can limit what you install with the tools i/e no shared folders etc/
Why install. The repsonse is better for video the nic drivers etc. baloon driver. You also will be able to view performance counters with the tools installed.You can alway just copy the video and nic drivers into a guest and install them
Moved to the Security and Compliance Forum.
Some of my colleagues are very wary of installing vmware tools on these dmz machines, as they could be a vulnerability.
I would first read through the Top Virtualization Links: ESX/ESXi for reference material on setting a DMZ.
Also the amount of guests running on the DMZ ESX won't be a great deal, so I don't think there will be any need for any of the funky memory ballooning/management stuff.
I thought the same, but if the ESX host ever does get overloaded or you need to overcommit VMs due to other issues, they will be invaluable. Balloon drivers are NOT a risk, the vmkernel zeros all memory assigned to VMs from any source.
1: How is everyone else doing this:
I install VMware Tools but change permissions so only an Administrator can access them.
2: Is it possible to compromise a guest, and then work your way back to ESX? I didn't think it was...
No. You can access the VMware Backdoor from within the VM and maybe get one or two bits of information, by design, from the host but nothing critical. Follow the guidelines in the VMware Hardening Guideline to limit access to the backdoor and use UAC or SELinux to deny access to the kernel device port from non-administrators.
3: Give me some good reasons to install vmware tools in the DMZ (please!)
You need VMware Tools in order to stop some VMs from within the VIC. If you do not have them, then normal power on/power off operations tend to fail. In addition, you can use VMware Tools to 'quiesce' the disk before backups, which make backups slightly cleaner. In addition, the best performance for networking often comes with a VMware Tools network driver.
VMware Tools are not a huge security risk. There is no way to use VMware Tools or the VMware Backdoor to Escape the VM. BTW, even without VMware Tools, the backdoor is STILL available, so you will need to still secure the VM.
Edward L. Haletky
VMware Communities User Moderator
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.
Blue Gears and SearchVMware Pro Blogs: http://www.astroarch.com/wiki/index.php/Blog_Roll
Top Virtualization Security Links: http://www.astroarch.com/wiki/index.php/Top_Virtualization_Security_Links
That's great, thanks for your replies.
Texiwill, thanks again for your input. You have a wealth of knowledge, and it's much appreciated!
When I am suggesting ways forward in my current postion, I tend to get cornered by three to four people, baying for blood! They still don't trust virtualization, so sometimes I need some more info to go back to them with, to disprove their theories, or prove mine.
When does it get easier?!
1 person found this helpful
It gets easier when they realize that if configured correctly they are just as secure as when they were their own physical boxes. As long as your networking side of things is down hard I really don't see any greater risk in virtualizing a DMZ server than if it was a physical box. Along with all the VM side of things that Ed said (which he is hands down the most knowledgable about security in vmware), we keep our DMZ server physically seperated on their own physical NICs to their own physical switches which don't touch the production network. There have been no known cases of anyone able to jump from vswitch to vswitch inside of ESX, and if the information is going out physically different network cards to physically different switches there is no chance for bleeding into your internal production network.
Thanks for all your comments guys, it's much appreciated.