Solved

Can a DMZ virtual machine and an internal virtual machine share the same host?

Posted on 2013-11-24
7
1,307 Views
Last Modified: 2013-11-25
Using Microsoft Server 2012 R2 hyper-v Virtual machines:

Assume a host server running Server2012R2, called HostA.

HostA has two NICs, and has two separate virtual switches, one on each NIC:
Switch1 on NIC1
Switch2 on NIC2

NIC1 is physically wired to a LAN port on the network firewall.
NIC2 is physically wired to a DMZ port on the network firewall.

Next, build 2 Virtual Machines: VM1 and VM2

VM1 has an IP address compatible with the internal LAN and is put on Switch1.
VM2 has a DMZ IP address and is put on Switch2.

Are these two virtual machines, VM1 and VM2, as completely separated from each other as if they were two physical machines with 2 physically distinct network cards?

In other words, can a DMZ VM and an internal VM share the same host if everything is properly configured, or is there some kind of risk I am not thinking of?

Thanks.
Question by: gateguard
7 Comments

Accepted Solution by Qlemo (LVL 70, earned 250 total points), ID: 39673001
The VMs should be isolated from each other in that configuration. There might be some exploits, but that is very unlikely, as the effort to break the VM barrier would be enormous. But since the Hyper-V VMs share some code, there is always a risk if one VM gets compromised. However, if you do not need to apply very high security measures, the config would get my OK.

Expert Comment by alexziv (LVL 1), ID: 39673004
They will be in a LAN which is made by your host machine, and they will see each other. Try nmap on all of them after you configure them: host and VM1/VM2.

Expert Comment by Qlemo (LVL 70), ID: 39673012
alexziv, that is nonsense. The virtual switches isolate VMs from each other, that is their purpose.
 
Expert Comment by alexziv (LVL 1), ID: 39673018
Sorry, reading fast.

Assisted Solution by Ram Balachandran (LVL 14, earned 250 total points), ID: 39673021
The only way for VMs to talk to each other is through the network stack. Therefore, if someone were to compromise your DMZ VM, they would have to use its internet connection to compromise your internal network. In order to prevent someone from accessing your host from the DMZ, you'll want to configure Hyper-V so the virtual network is not available to the host and only to the VMs. Also, you'll want to ensure that your management network is secure on the internal LAN.

I would also suggest that if you are trying to implement a DMZ, take a look at Microsoft Forefront Threat Management Gateway / ISA. This can be used to create an application publishing DMZ which sits behind your boundary firewall.

It is worth referring to these:

http://social.technet.microsoft.com/Forums/en-US/8032789f-c431-4af7-b56b-adf57ec241bc/hyperv-network-security

http://technet.microsoft.com/en-us/library/gg610642.aspx


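One way to check the layout this answer and the question describe (each external switch on its own NIC, the host OS kept off the DMZ switch, every VM attached to exactly one zone) from the Hyper-V PowerShell module on HostA. This is an added example written for this page, not code posted by any participant; it assumes the question's switch names Switch1 (LAN) and Switch2 (DMZ).

```powershell
# Added example for this thread (not code posted by any participant): audit the
# HostA layout from the question. Run in an elevated PowerShell on the Hyper-V
# host; switch names are the question's, the DMZ-side switch is assumed to be Switch2.
$LanSwitch = 'Switch1'
$DmzSwitch = 'Switch2'

# 1. Each external switch should sit on its own physical NIC. Two switches bound
#    to the same NIC would not match the two-NIC design in the question.
$switches = Get-VMSwitch
$switches | Select-Object Name, SwitchType, NetAdapterInterfaceDescription, AllowManagementOS |
    Format-Table -AutoSize
$sharedNics = $switches | Where-Object SwitchType -eq 'External' |
    Group-Object NetAdapterInterfaceDescription | Where-Object Count -gt 1
foreach ($n in $sharedNics) {
    Write-Warning "Switches $($n.Group.Name -join ', ') share physical NIC '$($n.Name)'."
}

# 2. The DMZ switch must not expose a virtual NIC to the management OS; otherwise
#    the host itself is reachable from the DMZ segment.
$dmz = Get-VMSwitch -Name $DmzSwitch
if ($dmz.AllowManagementOS) {
    Write-Warning "$DmzSwitch is shared with the management OS."
    # Remediation (VM traffic through the switch is unaffected):
    #   Set-VMSwitch -Name $DmzSwitch -AllowManagementOS $false
}
# Show which switches the host OS is attached to; only the LAN side is expected.
Get-VMNetworkAdapter -ManagementOS | Select-Object Name, SwitchName

# 3. No VM may have adapters on both switches, which would bridge DMZ and LAN
#    inside the host and bypass the firewall entirely.
Get-VMNetworkAdapter -VMName * | Group-Object VMName | ForEach-Object {
    $attached = $_.Group.SwitchName | Sort-Object -Unique
    if (($attached -contains $LanSwitch) -and ($attached -contains $DmzSwitch)) {
        Write-Warning "$($_.Name) is attached to both $LanSwitch and $DmzSwitch."
    }
    '{0,-12} -> {1}' -f $_.Name, ($attached -join ', ')
}
```

The warnings are the findings; the tables are there so the output can be kept as evidence of the host's state at audit time.
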

Author Closing Comment by gateguard, ID: 39673046
Thanks!

Expert Comment by Giovanni Heward (LVL 15), ID: 39675020
There are proven VM escape exploits. It would be unwise to assume there are no undisclosed exploits in existence, or existing vulnerabilities which could be discovered and exploited in the future. While existing (disclosed) exploits may be for alternate products, I would take the overall track record of Microsoft into consideration as it pertains to software vulnerabilities.

One proven method of mitigation would be to properly deploy EMET. It's my recommendation that this product be deployed on all Windows-based operating systems, as part of your defense-in-depth strategy, after thorough application compatibility testing.

EMET uses security mitigation technologies such as Data Execution Prevention (DEP), Mandatory Address Space Layout Randomization (ASLR), Structured Exception Handler Overwrite Protection (SEHOP), Export Address Table Access Filtering (EAF), Anti-ROP, and SSL/TLS Certificate Trust Pinning, to help protect computer systems from new or undiscovered threats. EMET can also protect legacy applications or third party line of business applications where you do not have access to the source code.

That said, considering the complexity involved, I would agree that the most likely attack vector would be through the network stack.

Best defense-in-depth security practice, however, would call for physical isolation. At the end of the day it's all about risk. Consider the value of the data you are protecting vs. the cost to protect that data. A qualitative/quantitative risk assessment is a good starting point.