[unisog] DMZ and Non DMZ using sharing VM infrastructure

Allen Mundt at Work allenatwork at sbcglobal.net
Thu Aug 6 11:21:44 GMT 2009

I will have to agree to the dangers of sharing a VM or any infrastructure.
Obviously, nothing in the security realm is iron-clad, but we have made it a
policy to never span across a security device with another device.  If you
have a firewall or an adaptive security appliance of some type, a server or
other networking device will be only on one interface.  If you start trying
to economize by placing servers in 2 places, you are then asking that
software to do what a firewall is supposed to do.
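An added example, not code from this thread or from any list member: a small Python audit that checks a constructed VM and trunk inventory against the two rules stated in this thread (a server sits on only one side of the security device, and DMZ VLANs do not ride the trunk into a chassis that also hosts non-DMZ systems). The VLAN numbers, host names and VM names are constructed for illustration.

```python
from collections import defaultdict

# Constructed VLAN-to-zone map; a real audit would pull this from the firewall
# or switch configuration rather than a literal.
ZONE_OF_VLAN = {10: "dmz", 20: "internal", 30: "internal", 40: "dmz"}

# Constructed inventory: each VM, the hypervisor host it runs on, and the
# VLANs its virtual NICs are attached to.
VMS = [
    {"name": "web01",  "host": "esx-a", "vlans": [10]},
    {"name": "db01",   "host": "esx-b", "vlans": [20]},
    {"name": "proxy1", "host": "esx-a", "vlans": [10, 20]},  # straddles the firewall
    {"name": "app02",  "host": "esx-a", "vlans": [30]},      # internal VM on a DMZ host
]

# Constructed uplink trunks: VLANs allowed toward each chassis / host.
TRUNKS = {"esx-a": [10, 20, 30], "esx-b": [20, 30, 40]}


def zones(vlans):
    """Set of security zones touched by a list of VLANs; unknown VLANs get their own zone."""
    return {ZONE_OF_VLAN.get(v, "unknown") for v in vlans}


def audit(vms, trunks):
    """Return (rule, object, detail) findings for every policy violation found."""
    findings = []
    zones_by_host = defaultdict(set)
    for vm in vms:
        z = zones(vm["vlans"])
        if len(z) > 1:  # one VM with NICs on both sides of the security device
            findings.append(("vm_spans_zones", vm["name"], sorted(z)))
        zones_by_host[vm["host"]] |= z
    for host, z in zones_by_host.items():
        if len(z) > 1:  # one hypervisor carrying guests from both zones
            findings.append(("host_mixes_zones", host, sorted(z)))
    for host, vlans in trunks.items():
        dmz_vlans = [v for v in vlans if ZONE_OF_VLAN.get(v) == "dmz"]
        # DMZ VLAN trunked to a chassis that hosts anything non-DMZ
        if dmz_vlans and zones_by_host.get(host, set()) - {"dmz"}:
            findings.append(("dmz_vlan_on_internal_trunk", host, dmz_vlans))
    return findings


if __name__ == "__main__":
    for rule, obj, detail in audit(VMS, TRUNKS):
        print(f"{rule}: {obj} {detail}")
```

Note that a clean audit only proves the configured allocation matches policy; the thread's point is that the separation then still rests on the hypervisor and virtual switch being bug-free.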


-----Original Message-----
From: unisog-bounces at lists.dshield.org
[mailto:unisog-bounces at lists.dshield.org] On Behalf Of Paul FM
Sent: Wednesday, August 05, 2009 9:18 PM
To: UNIversity Security Operations Group
Subject: Re: [unisog] DMZ and Non DMZ using sharing VM infrastructure

You obviously didn't read the reason why this is bad.  There have been holes
in network virtualization as well.  Software has bugs - you won't get a
software vendor to guarantee zero bugs.

"People" (Marketing droids) said unix was dead around the turn of the
(don't believe the Marketing dribble).  And the old Interstate 35W bridge
built to last 100 years - it only made it to about 40 - it was certified as
safe the year before it collapsed (don't brush off warnings just because
someone who knows the system says it is safe).

Stefan wrote:
> With virtualization extended into the network and storage layers,
> there are ways to secure while providing the flexibility VMotion-like
> processes require. Google for: nexus 1000v, nexus 7000, vdc, service
> solutions sandwiched between virtual aggregation domains, vrf, etc. We
> live in a world of having to accommodate active-active DCs across
> layer 2 boundaries ... hardware/specific host bound solutions are
> dying.
> On 8/5/09, Michael Holstein <michael.holstein at csuohio.edu> wrote:
>>> I am curious how others are handling the DMZ and non-DMZ VMs. Please
>>> let me know.
>> Not allowed. Period.
>> Here's just one example of why :
>> http://isc.sans.org/diary.html?storyid=6190
>> http://www.immunityinc.com/documentation/cloudburst-vista.html
>> We also apply the same "rule" to situations like Blade Centers .. you
>> don't get the DMZ vlans in the trunk to the chassis.
>> Cheers,
>> Michael Holstein
>> Cleveland State University
>> _______________________________________________
>> unisog mailing list
>> unisog at lists.dshield.org
>> https://lists.sans.org/mailman/listinfo/unisog

The views and opinions expressed above are strictly
those of the author(s).  The content of this message has
not been reviewed nor approved by any entity whatsoever.
Paul F. Markfort   Info/Web: http://www.menet.umn.edu/~paulfm