VMware Cloud Community
flashg
Contributor

Virtualization in the DMZ

Recently, I read an article on why it might be a bad idea to place virtual machines in a DMZ. While the article was vague at best as to an actual threat, it does introduce an interesting topic for discussion. I gathered from the article that a hacker could form an attack that would allow them to take control of a virtual machine and thus take control of the virtualization host. A new term, virtual machine escape, was introduced as well. While I am no VMware expert, I have been working with computers and operating systems long enough to know that this seems to be a stretch. The author went as far as saying he would never recommend introducing a virtual environment into a DMZ to a client. The article does not mention any particular hypervisor product. But because this was in a CIO-targeted magazine, I am expecting Chicken Little in my cube any day now wanting to know the virtual machine exposure in our DMZ. Any comments would be welcome.


Accepted Solutions
wila
Immortal

Hi,

It depends a bit on the product that you are using: a hosted product like VMware Workstation or VMware Server, or the bare metal setups like VMware ESX or VMware ESXi.

If you are talking about the latter (ESX), then till this day there are still no known public exploits in which you can escape the virtual machine and take over the host.

Until such an escape has been proven in the wild, I would say it is pretty safe if set up properly. If such an escape becomes possible then proper security measures should still guard you against most problems. If it would be possible you can expect a quick patch to work around it, but I'm not worried about this and run a few servers in the DMZ myself.

The main thing to worry about is misconfiguration. For example, if you make your DMZ machine dual homed so that it not only participates in the DMZ, but also in the normal LAN, then yes.. it might be dangerous, but that has nothing to do with virtualization and is more a matter of designing a proper setup.



--

Wil

| Author of Vimalin. The virtual machine Backup app for VMware Fusion, VMware Workstation and Player |
| More info at vimalin.com | Twitter @wilva

Texiwill
Leadership

Hello,

I would first read http://www.vmware.com/files/pdf/dmz_virtualization_vmware_infra_wp.pdf from VMware. As Wila stated there are no known escapes from VMs that work with VMware ESX or ESXi. However, there are several for Workstation that rely upon bad configurations to pull off.

There are several aspects to look at:

What would it take to escape the DMZ from the network? Using virtualization does not really change this very much except that with Workstation and Server there is no Layer 2 virtual switch so those products are more susceptible than ESX based VMs.

What would it take to escape the VM from within the VM? It is impossible to keep an application from detecting it is running from within a VM, so I would not even try. Yet, you need to make sure your ESX host is not also acting as a file server. This is the big possibility of attack. However, in a default configuration this is not allowed so it's not a huge risk.

Which virtualization product are you concerned about?


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

SearchVMware Blog: http://itknowledgeexchange.techtarget.com/virtualization-pro/

Blue Gears Blogs - http://www.itworld.com/ and http://www.networkworld.com/community/haletky

As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
admin
Immortal

Recently I read that we had a solution for world peace and Elvis lives in New Jersey.

This rumour (and a few others) and other nonsense (FUD) have been making the rounds for the last four years. If it is possible I would like to see it, as the government and I have been trying to hack the ESX logic for a long time.

Brian CS

Security Lead

Professional Services

VMware

Texiwill
Leadership

Hello,

At BlackHat several years ago, someone was able to perform a Directory Traversal attack against VMware Workstation with HGFS enabled. That is the only known escape from any VMware product and it was soon fixed. Every 3-4 months this comes back as a 'new' issue when it's not an issue at all.

Yes, it is ongoing research. Will it happen? Maybe... But it is not an issue today with out of the box ESX or ESXi.


Best regards,

Edward L. Haletky

gary1012
Expert

AH, I see that the sky is falling...

Virtual machine escape no vacation

Community Supported, Community Rewarded - Please consider marking questions answered and awarding points to the correct post. It helps us all.
flashg
Contributor

Brian,

You just made my day with this reply. Of course I am all for world peace, but never cared much for Elvis' music.

Thanks.

Flash

flashg
Contributor

Edward,

I figured something like your explanation was the case. We are not using any of the workstation or free server versions. We are a pure ESX house. Thanks for the post. Now I have something to tell Chicken Little.

Thanks again

Flash

admin
Immortal

lot

admin
Immortal

LoL

Texiwill
Leadership

Hello,

I did read the article mentioned and while escaping the VM is theoretically possible, it is such a small risk that I would not be afraid to do so. As always your security is only as good as your vigilance.

So how would one escape a VM today? Via the Network, well that has always been the case, hence the need for good network security and segregation of critical networks (SC, VMotion, Storage) from the Virtual Machines.

Via the VMM? I have yet to see anything that will do this. The VMHGFS was actually a network based directory traversal style attack, so without ESX acting as a file server even that would not be the case and still would fall into the network category. Xen had a boot time escape possibility. But VMware never did have that. Could the backdoor be attacked? That is the first thing everyone thinks about, but it would at most crash the VM and not lead to an escape. The backdoor is tested six ways to Sunday and everything new is tried. Could it be a bad driver? VMware has had those and at most the VM crashes. Again no escape.

So far no escapes.... I currently know people looking into timing based attacks, as well as others to somehow find out what the VMM is doing. This type of information leakage may lead to other things. Other than this I have not heard of anything that is being attempted or even that works.


Best regards,

Edward L. Haletky

azn2kew
Champion

Flashg,

If it gives you any confidence to virtualize your systems in the DMZ, you should of course read that guide from VMware as posted by Edward. I've been working for several financial corporations and security is the key and they have no problems virtualizing their critical internet-facing systems in the DMZ, and it requires extensive knowledge of virtualization and security in general. It requires collaboration of security, networking and virtualization engineers to sit and draw out a plan which best accommodates the project. Throughout our projects, the hardest part is to decide which model we want the DMZ machines to reside in and how the P2V process takes place.

With too many restrictions and regulations, doing P2V in the DMZ is pretty tough, especially as ports 445 & 139 would not be allowed, so using a laptop with an external USB drive, doing the P2V conversion from there and importing the VMs to the ESX hosts seems to be the safest. Depending on how you architect your solution, things can be different.

You can neither join DMZ networks with existing production networks and that's not a pure 100% DMZ solution but it works and is supported. If you have enough budget, deploying full virtualization in the DMZ should be a way to go, but remember to follow best practices to lock down and put all SC/VMotion/Virtual Center in a management network, and use standard CIS, DoD and Tripwire guides to secure your ESX hosts as well.

I have attached my basic diagram from a previous client, which can't be exposed, but you're welcome to give feedback and it could be much better. It's just a general idea of how traffic flows, but I can't guarantee it will work for your environment.

If you found this information useful, please consider awarding points for "Correct" or "Helpful". Thanks!!!

Regards,

Stefan Nguyen

iGeek Systems Inc.

VMware, Citrix, Microsoft Consultant

flashg
Contributor

Thanks to everyone who replied. The information provided has not only been helpful and informative, but has given me enough to put my management at rest as to any questions about putting VMware in a DMZ. Thanks again.

macneej
Enthusiast

Does anyone have any opinions regarding putting the SC and VMotion ports in the DMZ? I would like to put the SC in the inside network and some VM networks in the DMZ, but our securities team doesn't like the idea. What are your thoughts on this? What security precautions do you put on the SC when it is in the DMZ?

admin
Immortal

The best thing is to have the SC and VMotion ports on their own dedicated network. It is not a good idea to have them sitting out in the public facing DMZ. If you cannot put them in the internal management LAN then I suggest you put them in a protected zone within your DMZ.

See the following paper for more details on the real risks behind virtualizing the DMZ and what your options are.

http://www.vmware.com/files/pdf/dmz_virtualization_vmware_infra_wp.pdf

Texiwill
Leadership

Hello,

Does anyone have any opinions regarding putting the SC and VMotion ports in the DMZ? I would like to put the SC in the inside network and some VM networks in the DMZ, but our securities team doesn't like the idea. What are your thoughts on this? What security precautions do you put on the SC when it is in the DMZ?

Consider the SC the doors to the kingdom. You do not want to place it in a location that is constantly under attack. The DMZ is such a location. VMotion is even more dangerous as it passes the currently used memory of the VM across the wire in clear text. This contains credential information and other critical information.

If you place the SC and VMotion networks within your DMZ, please expect your systems to be under constant threat and hacked. This is a very very bad idea. As rrandell has stated, the SC and VMotion networks must be protected even if they are on a private segment. Your security folks are most likely concerned that the ESX host will become a bridge between security zones. Which tells me that they may not understand how the Layer 2 vSwitch really works.

I would start them with the http://www.vmware.com/files/pdf/dmz_virtualization_vmware_infra_wp.pdf document and move on from there. I would also NOT implement VMware ESX within a DMZ until they fully understand the consequences as their suggestion is incredibly insecure.


Best regards,

Edward L. Haletky

azn2kew
Champion

PLEASE DO NOT PUT YOUR SC TO DMZ NETWORK....secure it internally with dedicated management network.

macneej
Enthusiast

Thanks for your feedback. I'll pass it on.

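The two misconfigurations this thread warns about (a DMZ VM dual-homed onto the normal LAN, and SC or VMotion interfaces placed in the DMZ) can be checked mechanically from a port group inventory. The following is an added example, not part of any post in the thread; the inventory, zone labels and all names in it are constructed, and in practice the data would come from an export of your hosts' network configuration.

```python
# Constructed sample inventory (assumption): port group name -> security zone.
PORTGROUPS = {
    "DMZ-Web": "dmz",
    "LAN-Prod": "internal",
    "Mgmt-SC": "management",
    "VMotion": "dmz",            # deliberately misplaced for the demonstration
}

# Constructed sample: VM name -> port groups its virtual NICs attach to.
VM_NICS = {
    "web01": ["DMZ-Web"],
    "proxy01": ["DMZ-Web", "LAN-Prod"],   # deliberately dual-homed
    "db01": ["LAN-Prod"],
    "test01": ["Lab-Net"],                # port group missing from the inventory
}

# Constructed sample: host-side interface role -> port group.
HOST_IFACES = {"service_console": "Mgmt-SC", "vmotion": "VMotion"}


def audit(portgroups, vm_nics, host_ifaces):
    """Return a list of (finding, subject, detail) tuples."""
    findings = []
    for vm, pgs in sorted(vm_nics.items()):
        # A NIC on an unclassified port group cannot be reasoned about: flag it.
        unknown = sorted(pg for pg in pgs if pg not in portgroups)
        if unknown:
            findings.append(("UNCLASSIFIED_PORTGROUP", vm, unknown))
        # A VM that sits in the DMZ and in any other zone bridges the two.
        zones = {portgroups[pg] for pg in pgs if pg in portgroups}
        if "dmz" in zones and len(zones) > 1:
            findings.append(("DUAL_HOMED_VM", vm, sorted(zones)))
    for role, pg in sorted(host_ifaces.items()):
        # SC and VMotion belong on a dedicated management network only.
        zone = portgroups.get(pg, "unclassified")
        if zone != "management":
            findings.append(("MGMT_IFACE_EXPOSED", role, [zone]))
    return findings


if __name__ == "__main__":
    for finding in audit(PORTGROUPS, VM_NICS, HOST_IFACES):
        print(finding)
```

An empty result only means the inventory is consistent with the zoning rules; it says nothing about firewall rules between the zones.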