5 Replies Latest reply on Jan 7, 2009 4:42 AM by gr1pp3rjay

    Security in the DMZ / VMware Tools

    gr1pp3rjay Enthusiast

       

      Hi all.

      We're shortly going to be virtualizing our UAT and Production kit, and some of this will sit in the DMZ.

      Some of my colleagues are very wary of installing vmware tools on these dmz machines, as they could be a vulnerability.

      Also the amount of guests running on the DMZ ESX won't be a great deal, so I don't think there will be any need for any of the funky memory ballooning/management stuff.

      So my question is threefold:

      1: How is everyone else doing this?

      2: Is it possible to compromise a guest, and then work your way back to ESX? I didn't think it was...

      3: Give me some good reasons to install vmware tools in the DMZ (please!)

      I'll be very interested in the replies!

      Cheers.

      j

        • 1. Re: Security in the DMZ / VMware Tools
          bggb29 Expert

           

          We do install VMware Tools in our DMZ guests.

          You can limit what you install with the tools, i.e. no shared folders etc.

          Why install? The response is better for video, the NIC drivers etc., balloon driver. You also will be able to view performance counters with the tools installed. You can always just copy the video and NIC drivers into a guest and install them.

          • 2. Re: Security in the DMZ / VMware Tools
            Texiwill Guru
            vExpertUser Moderators

            Hello,

             

            Moved to the Security and Compliance Forum.

             

            Some of my colleagues are very wary of installing vmware tools on these dmz machines, as they could be a vulnerability.

             

            I would first read through the Top Virtualization Links: ESX/ESXi for reference material on setting a DMZ.

             

            Also the amount of guests running on the DMZ ESX won't be a great deal, so I don't think there will be any need for any of the funky memory ballooning/management stuff.

             

            I thought the same, but if the ESX host ever does get overloaded or you need to overcommit VMs due to other issues, they will be invaluable. Balloon drivers are NOT a risk, the vmkernel zeros all memory assigned to VMs from any source.

             

            1: How is everyone else doing this:

             

            I install VMware Tools but change permissions so only an Administrator can access them.

             

            2: Is it possible to compromise a guest, and then work your way back to ESX? I didn't think it was...

            No. You can access the VMware Backdoor from within the VM and maybe get one or two bits of information, by design, from the host but nothing critical. Follow the guidelines in the VMware Hardening Guideline to limit access to the backdoor and use UAC or SELinux to deny access to the kernel device port from non-administrators.

             

            3: Give me some good reasons to install vmware tools in the DMZ (please!)

            You need VMware Tools in order to stop some VMs from within the VIC. If you do not have them, then normal power on/power off operations tend to fail. In addition, you can use VMware Tools to 'quiesce' the disk before backups, which makes backups slightly cleaner. In addition, the best performance for networking often comes with a VMware Tools network driver.

             

            VMware Tools are not a huge security risk. There is no way to use VMware Tools or the VMware Backdoor to Escape the VM. BTW, even without VMware Tools, the backdoor is STILL available, so you will need to still secure the VM.

             


            Best regards,

            Edward L. Haletky

            VMware Communities User Moderator

            ====

            Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

            Blue Gears and SearchVMware Pro Blogs: http://www.astroarch.com/wiki/index.php/Blog_Roll

            Top Virtualization Security Links: http://www.astroarch.com/wiki/index.php/Top_Virtualization_Security_Links

            1 person found this helpful
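The two replies above mention limiting what the tools expose (no shared folders) and following the hardening guide to restrict guest-to-host channels. As an added example, not part of the thread or of any VMware tooling, here is one way to audit a VM's `.vmx` file for those isolation settings. The baseline subset, the expected values, the choice to report absent keys, and the sample file are assumptions; check them against the hardening guide for your ESX version.

```python
import re

# Assumed baseline: a subset of the guest-isolation keys used in VMware
# hardening guidance. Absent keys are reported because defaults vary by version.
BASELINE = {
    "isolation.tools.copy.disable": "TRUE",
    "isolation.tools.paste.disable": "TRUE",
    "isolation.tools.setGUIOptions.enable": "FALSE",
    "isolation.tools.hgfs.disable": "TRUE",  # shared folders
    "isolation.tools.diskShrink.disable": "TRUE",
    "isolation.tools.diskWiper.disable": "TRUE",
    "isolation.device.connectable.disable": "TRUE",
    "isolation.device.edit.disable": "TRUE",
}
SIZE_KEY, SIZE_MAX = "tools.setInfo.sizeLimit", 1048576
LINE_RE = re.compile(r'^\s*([^#\s=]+)\s*=\s*"(.*)"\s*$')

def parse_vmx(text):
    """Parse key = "value" lines; keys compared case-insensitively, last wins."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings

def audit_vmx(text):
    """Return (key, found, expected) for each missing or non-compliant setting."""
    cfg = parse_vmx(text)
    findings = []
    for key, want in BASELINE.items():
        got = cfg.get(key.lower())
        if got is None or got.upper() != want:
            findings.append((key, got, want))
    limit = cfg.get(SIZE_KEY.lower())
    if limit is None or not limit.isdigit() or int(limit) > SIZE_MAX:
        findings.append((SIZE_KEY, limit, "<= %d" % SIZE_MAX))
    return findings

# Constructed sample .vmx fragment for a hypothetical DMZ guest.
SAMPLE_VMX = """\
displayName = "dmz-web01"
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "true"
isolation.tools.hgfs.disable = "FALSE"
isolation.tools.setGUIOptions.enable = "FALSE"
tools.setInfo.sizeLimit = "1048576"
"""
```

Running `audit_vmx(SAMPLE_VMX)` flags the enabled shared-folders setting and the four isolation keys the sample leaves unset.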
            • 3. Re: Security in the DMZ / VMware Tools
              gr1pp3rjay Enthusiast

               

              That's great, thanks for your replies.

              Texiwill, thanks again for your input. You have a wealth of knowledge, and it's much appreciated!

              When I am suggesting ways forward in my current position, I tend to get cornered by three to four people, baying for blood! They still don't trust virtualization, so sometimes I need some more info to go back to them with, to disprove their theories, or prove mine.

              When does it get easier?!

              Thanks again.

              j


              • 4. Re: Security in the DMZ / VMware Tools
                khughes Virtuoso

                It gets easier when they realize that if configured correctly they are just as secure as when they were their own physical boxes.  As long as your networking side of things is down hard I really don't see any greater risk in virtualizing a DMZ server than if it was a physical box.  Along with all the VM side of things that Ed said (which he is hands down the most knowledgeable about security in VMware), we keep our DMZ server physically separated on their own physical NICs to their own physical switches which don't touch the production network.  There have been no known cases of anyone able to jump from vswitch to vswitch inside of ESX, and if the information is going out physically different network cards to physically different switches there is no chance for bleeding into your internal production network.

                 

                 

                 

                • Kyle

                 

                1 person found this helpful
                • 5. Re: Security in the DMZ / VMware Tools
                  gr1pp3rjay Enthusiast

                   

                  Thanks for all your comments guys, it's much appreciated.