VMware Cloud Community
nielsenmichael
Contributor

Security question: Windows 2003 on LAN and 2003/XP on DMZ using VMware

I have a security question.

I have one server running Windows Server 2003 SP2 using NIC1 connected to my LAN.

I am going to install a virtual Windows XP/Windows Server 2003 on the same server using VMware Workstation. The server is for FTP requests and should be connected to my DMZ - my plan is to connect NIC2 to the DMZ and set up the virtual server to use NIC2 (VMnetxx). The DMZ zone is using a DHCP server, so by default the host's NIC2 and the virtual server's NIC2 (VMnetxx) will get IP addresses in the same net and can reach each other by default, so my plan is to give the host server a manual IP address in a different net than the virtual server, so they can't reach each other. But is this solution secure enough, since it is using the same physical NIC - just the IP net separates them?

3 Replies
Texiwill
Leadership

Hello,

In essence, I would not consider this secure for several reasons. The most prevalent is that even having a different IP address to take the system off the 'DMZ' network is not sufficient if it is wired into the DMZ network. So your NIC2 is still known to the DMZ by ARP and MAC address. It may not be able to see an IP for NIC2, as you changed that to be out of scope, but the rest of the device is in scope. This is security by obscurity and just does not work very well.

I would keep NIC2 on the DMZ network and ensure that the Windows Firewall of the VMware Server is in very, very good shape. You want to, in essence, deny all access to the host from the DMZ, and also redirect ALL packets destined for the host for FTP to go to the virtual machine.

VMware Server within a DMZ is only as secure as the host itself, so secure the host very well: put in place a packet-filtering firewall on the host side, deny all traffic but that destined for FTP, and redirect all FTP traffic to the VM. DO NOT use vmhgfs (check out http://blogs.zdnet.com/security/?p=902). You have quite a bit of hardening work to do on the VMware Server host, and you should implement a good software firewall on the host as well.

While it is possible to harden/secure the VMware Server Host effectively, the cost and time it will take is very high. To this end, within a DMZ I tend to only use ESX and not VMware Server. ESX does not suffer from the same limitations.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education. As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
nielsenmichael
Contributor

Thank you for the quick reply.

You said you suggested keeping NIC2 on the DMZ, but is it possible to just use this NIC2 from the virtual machine and not from the host? The only way I figured it out was to enable NIC2 on the host and bridge it from the VMware virtual machine, but with this solution both the host server and the virtual machine will be active on the DMZ because they are using the same NIC2.

I am running VMware Workstation; is that a problem?

Texiwill
Leadership

Hello,

You could try not enabling the 2nd NIC inside of Windows, but that may not work. It is just not a very secure configuration for a DMZ. Workstation/VMware Server/Xen all have this same issue. The NICs in use are seen by the host of the system, and because of that the host is on the DMZ network to some extent. The packets still go through the Windows IP stack before going to the VM.

An answer is to firewall the NIC, keeping anything destined for the host (via IP) from reaching it while allowing through those things that are destined for the VM, or to redirect all traffic on the interface to the VM.

The best answer is to use ESX.


Best regards,

Edward L. Haletky

VMware Communities User Moderator
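A concrete starting point for the host-side lock-down Edward recommends, written as an added example for this thread (not code from the thread, VMware or Microsoft documentation): a netsh batch script for a Windows Server 2003 SP2 host with Windows Firewall that pins NIC2 to a fixed address, turns the firewall on for that interface with every exception disabled, enables drop logging, and prints the resulting state so it can be checked. The interface name and the 192.0.2.10 address are constructed placeholders.

```batch
@echo off
rem Added example (not from the thread): lock down the DMZ-facing NIC2 of a
rem Windows Server 2003 SP2 host that bridges a VMware Workstation FTP VM.
rem Assumptions (constructed, adjust to your environment):
rem   DMZ_NIC   = Windows connection name of NIC2, the interface wired to the DMZ
rem   HOST_DMZ  = static address the host keeps on that interface
set DMZ_NIC=Local Area Connection 2
set HOST_DMZ=192.0.2.10
set HOST_MASK=255.255.255.0

rem Fixed address instead of DHCP, so the host's presence on the DMZ is known
rem and can be matched in the DMZ firewall rules and logs.
netsh interface ip set address name="%DMZ_NIC%" source=static addr=%HOST_DMZ% mask=%HOST_MASK%

rem Windows Firewall on for the DMZ interface with all exceptions disabled:
rem no unsolicited DMZ traffic reaches the host's own IP stack through NIC2.
netsh firewall set opmode mode=ENABLE exceptions=DISABLE interface="%DMZ_NIC%"

rem Drop the services that would otherwise identify the host to DMZ scanners
rem (these settings are per profile, not per interface).
netsh firewall set service type=FILEANDPRINT mode=DISABLE
netsh firewall set service type=REMOTEADMIN mode=DISABLE
netsh firewall set service type=UPNP mode=DISABLE
netsh firewall set icmpsetting type=8 mode=DISABLE

rem Log dropped packets and connections (default %windir%\pfirewall.log),
rem so anything in the DMZ probing the host address leaves a trace.
netsh firewall set logging droppedpackets=ENABLE connections=ENABLE

rem Check: the DMZ interface must show exceptions disabled, and there must
rem be no port openings or allowed programs left over from earlier setups.
netsh firewall show opmode
netsh firewall show portopening
netsh firewall show allowedprogram
```

This filters only traffic addressed to the host's own address on NIC2 and does not redirect anything to the VM; verify from a machine in the DMZ that the host address no longer answers while the VM's FTP port still does.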
