VMware Cloud Community
dcoy
Contributor

Bridged networking & data recovery from hosts

I have a question related to using bridged networking in a VMware Workstation or VMServer (ESX) type environment with a host running Windows...

When using bridged networking, at any point does the data destined for the virtual machine touch the disk of the host machine? In other words, would it be possible to recover data from the host machine that was destined to the virtual machine using any type of disk/file recovery method on the host?

If not, how is the data passed from the host to the virtual client (via a ram memory buffer, directly from the network card buffer, etc)?

3 Replies
Texiwill
Leadership

Hello,

Well, a few things. ESX is not the same as VMware Server. ESX or VI3 is its own OS, unlike VMware Server and Workstation. So the discussion is more about Workstation and VMware Server. Both of these technologies use their own drivers to enable the bridge networking that you are using. To do this, they will use kernel memory buffers just like standard Ethernet drivers. So can this data appear in the pagefile.sys? That is really the question. Kernel memory will not appear in pagefile.sys, so the front end of the equation is perfectly fine. It is the user space aspects that could be risky. I believe that VMware Server and Workstation will use DMA to access the kernel buffer from the Workstation/Server and therefore data will not appear within the pagefile.sys of the Windows Host.

What does come into play however is the Windows Firewall and anything else on the Windows IP Stack of the host, which could include a packet sniffer.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMware ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education. As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
dcoy
Contributor

First off, my fault on not being specific about the version of VMware; and you are correct, the question was geared towards Server/Workstation.

As far as the Windows firewall or packet sniffer on the host, I'm not all too concerned about that aspect, since access to the machine is limited. My concern was more around the ability to recover IP data destined to the VM from the host physical disk, which as you explained won't be possible.

Thanks for all the help.

Texiwill
Leadership

Hello,

Note that the transfer from Kernel to User space is 'most likely' via DMA, but once in user space any data 'can' appear in the pagefile.sys. So in essence, Workstation and VMware Server are only as secure as the host upon which they run. If you look at Workstation/VMware Server from the Host perspective, there is a controlling program and many other programs representing each VM. On the host, depending on memory usage and Windows internals, any of that memory in user space can appear in pagefile.sys. If you are overcommitting memory, then I would hazard that it will. If you are not, then there is a chance it will, depending on other settings.

The moral is to ensure that the Host is as secure as possible. Most external attacks happen over the wire, and once the hacker can get into the system they can install a rootkit which happens to include a packet sniffer, so if you are hacked, then the game is up anyways and the hacker does not need to inspect pagefile.sys at all. Inspecting pagefile.sys is not a trivial practice but is done as a part of forensics.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

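An added example, not part of the original thread: one way the forensic inspection mentioned in the last reply can look for network data is to scan a raw byte image for IPv4 headers whose checksum validates. The function names and the sample buffer below are constructed for illustration; a real examination would run the same scan over an acquired copy of the page file.

```python
import socket
import struct


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IPv4 header checksum."""
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def carve_ipv4_headers(blob: bytes):
    """Return (offset, src, dst, protocol, total_length) for each plausible header."""
    hits = []
    for off in range(len(blob) - 19):
        version, ihl = blob[off] >> 4, (blob[off] & 0x0F) * 4
        if version != 4 or ihl < 20 or off + ihl > len(blob):
            continue
        header = blob[off:off + ihl]
        total_length = struct.unpack("!H", header[2:4])[0]
        # A valid header (checksum field included) sums to 0xFFFF.
        if total_length < ihl or ones_complement_sum(header) != 0xFFFF:
            continue
        hits.append((off, socket.inet_ntoa(header[12:16]),
                     socket.inet_ntoa(header[16:20]), header[9], total_length))
    return hits


def build_sample_blob() -> bytes:
    """Constructed stand-in for a page-file fragment: filler, one packet, filler."""
    payload = b"payload sent to the guest"
    fields = [0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64, 17, 0,
              socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.20")]
    header = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = 0xFFFF - ones_complement_sum(header)  # fill in the checksum
    header = struct.pack("!BBHHHBBH4s4s", *fields)
    return b"\x00" * 64 + header + payload + b"\xaa" * 100


if __name__ == "__main__":
    for hit in carve_ipv4_headers(build_sample_blob()):
        print("offset=%d src=%s dst=%s proto=%d len=%d" % hit)
```

The checksum test is what keeps false positives manageable: a version nibble of 4 alone matches a large share of arbitrary bytes, while a header that also sums to 0xFFFF is rare in unrelated data.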