OutriderX
Contributor

Guest VM security question

I am trying to implement VI3 into a classified environment. The setup will include 2 ESX servers (HA cluster) and a SAN.

Two virtual switches will be defined and connected to entirely different classified networks (but at the same classification levels). Since one of the networks is trying to protect proprietary information (it is actually an enclave of the other network), they are concerned about security.

The question is: can someone from one network that is using a guest VM somehow get access to the other network, or worse, the host O/S (ESX)? My understanding is that the virtual switches are isolated from one another. Oh, and let's assume that the console is defined to an isolated network on a dedicated interface.

I understand there was a recent vulnerability that exposes the host O/S, but as far as I can tell this does not impact ESX. Any known cases of a situation like this with ESX?

Texiwill
Leadership

Hello,

Two virtual switches will be defined and connected to entirely different classified networks (but at the same classification levels). Since one of the networks is trying to protect proprietary information (it is actually an enclave of the other network), they are concerned about security.

The question is can someone from one network that is using a guest VM somehow get access to the other network, or worse the host O/S (ESX)? My understanding is that the virtual switches are isolated from one another. Oh, and let's assume that the console is defined to an isolated network on a dedicated interface.

If you are NOT using VLANs, then you should be safe, as you will not be susceptible to encapsulation attacks, depending on which VLANs are running on which wire. The only way for a VM not on the classified vSwitch to reach the classified vSwitch is if somehow the network is bridged somewhere, either within a VM or external to the virtual network. However, that is an act that will not happen without human intervention.

I understand there was a recent vulnerability that exposes the host O/S, but as far as I can tell this does not impact ESX. Any known cases of a situation like this with ESX?

There are a few vulnerabilities against VMware Server and Workstation, and a few against software installed on the SC, but nothing I know of specifically against a vSwitch. If a VM is on the vSwitch and that VM has not been cleared for the classification level, it would be a hostile VM. Someone would have to place the VM on the vSwitch purposefully or accidentally to get this type of behavior, however.

But remember, anything you can do on a regular network you can pretty much do on a virtual network, with a few exceptions. If, for example, you have a VM bridge the networks, then that VM must also be at the same classification level, etc.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education. As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

--
Edward L. Haletky
vExpert XIV: 2009-2022,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
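The isolation properties the reply above relies on (no physical uplink shared between the two classified vSwitches, no VM with vNICs on both of them, the service console on a vSwitch of its own, and no VLAN tags handed through to guests) can be checked against an inventory before a host is accepted into the enclave. The script below is an added example, not code from this thread or from VMware: it audits a small constructed inventory model (the vSwitch names, port-group names, classification labels and VM names are all assumed) rather than parsing real esxcfg-vswitch output, so the same checks can be fed from whatever inventory export a site actually has.

```python
"""Audit a VI3-style virtual network layout for the isolation properties a
classified enclave expects.  Constructed example: the inventory model and all
names in it are assumptions, not real hosts.
"""
from collections import defaultdict
from dataclasses import dataclass

SERVICE_CONSOLE = "Service Console"   # assumed name of the console port group


@dataclass
class PortGroup:
    name: str
    vlan_id: int = 0        # 0 = untagged, 1-4094 = tagged, 4095 = all tags go to the guest


@dataclass
class VSwitch:
    name: str
    classification: str     # label of the wire the uplinks plug into
    uplinks: list           # physical NICs, e.g. ["vmnic1"]
    port_groups: list       # PortGroup objects hosted on this switch


@dataclass
class VM:
    name: str
    classification: str     # level the VM has been cleared for
    port_groups: list       # port-group names its vNICs attach to


def _pg_to_switch(switches):
    """Map each port-group name to the vSwitch that owns it."""
    return {pg.name: sw for sw in switches for pg in sw.port_groups}


def find_shared_uplinks(switches):
    """Physical NICs claimed by more than one vSwitch: a bridge below the guest."""
    owners = defaultdict(list)
    for sw in switches:
        for nic in sw.uplinks:
            owners[nic].append(sw.name)
    return sorted((nic, names) for nic, names in owners.items() if len(names) > 1)


def find_bridge_candidates(switches, vms):
    """VMs with vNICs on more than one vSwitch: the only in-guest path between wires."""
    pg_map = _pg_to_switch(switches)
    return sorted(
        vm.name for vm in vms
        if len({pg_map[pg].name for pg in vm.port_groups if pg in pg_map}) > 1
    )


def find_classification_mismatches(switches, vms):
    """VMs attached to a wire they are not cleared for (the 'hostile VM' case)."""
    pg_map = _pg_to_switch(switches)
    return sorted(
        (vm.name, pg_map[pg].name)
        for vm in vms for pg in vm.port_groups
        if pg in pg_map and pg_map[pg].classification != vm.classification
    )


def find_vlan_exposure(switches):
    """Port groups that pass VLAN tags to guests, or switches mixing tagged and untagged."""
    findings = []
    for sw in switches:
        ids = {pg.vlan_id for pg in sw.port_groups}
        for pg in sw.port_groups:
            if pg.vlan_id == 4095:
                findings.append((sw.name, pg.name, "guest receives all VLAN tags"))
        if 0 in ids and len(ids) > 1:
            findings.append((sw.name, "*", "untagged and tagged port groups share a switch"))
    return findings


def console_is_isolated(switches):
    """Console port group must be alone on its vSwitch, with uplinks no other switch uses."""
    for sw in switches:
        names = [pg.name for pg in sw.port_groups]
        if SERVICE_CONSOLE in names:
            others = {nic for o in switches if o is not sw for nic in o.uplinks}
            return names == [SERVICE_CONSOLE] and bool(sw.uplinks) and not (set(sw.uplinks) & others)
    return False


def audit(switches, vms):
    """Run every check and return the findings keyed by check name."""
    return {
        "shared_uplinks": find_shared_uplinks(switches),
        "bridge_candidates": find_bridge_candidates(switches, vms),
        "classification_mismatches": find_classification_mismatches(switches, vms),
        "vlan_exposure": find_vlan_exposure(switches),
        "console_isolated": console_is_isolated(switches),
    }


# Constructed inventory: one management switch, one per classified wire.
SWITCHES = [
    VSwitch("vSwitch0", "MGMT", ["vmnic0"], [PortGroup(SERVICE_CONSOLE)]),
    VSwitch("vSwitch1", "NET-A", ["vmnic1"], [PortGroup("NetA-VMs")]),
    VSwitch("vSwitch2", "NET-A-ENCLAVE", ["vmnic2"], [PortGroup("Enclave-VMs")]),
]
VMS = [
    VM("web01", "NET-A", ["NetA-VMs"]),
    VM("db01", "NET-A-ENCLAVE", ["Enclave-VMs"]),
    VM("jump01", "NET-A", ["NetA-VMs", "Enclave-VMs"]),   # misplaced: bridges both wires
]

if __name__ == "__main__":
    for check, result in audit(SWITCHES, VMS).items():
        print(f"{check}: {result}")
```

On the constructed inventory the audit comes back clean for uplinks, VLANs and the console, and flags only jump01, both as a bridge candidate and as a VM sitting on a wire it is not cleared for. That matches the reply's point: with separate physical uplinks and no VLAN trunking, the remaining path between the two networks is a VM that someone attached to both, which is exactly the condition a periodic inventory check should surface.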