gateguard

Can a DMZ Virtual Machine and an Internal Virtual Machine share the same host?

Using Microsoft Server 2012 R2 hyper-v Virtual machines:

Assume a host server running Server2012R2, called HostA.

HostA has two NICs, and has two separate virtual switches, one on each NIC:
Switch1 on NIC1
Switch2 on NIC2

NIC1 is physically wired to a LAN port on the network firewall.
NIC2 is physically wired to a DMZ port on the network firewall.

Next, build 2 Virtual Machines: VM1 and VM2

VM1 has an IP address compatible with the internal LAN and is put on Switch1.
VM2 has a DMZ IP address and is put on Switch2.

Are these two virtual machines, VM1 and VM2, as completely separated from each other as if they were two physical machines with 2 physically distinct network cards?

In other words, can a DMZ VM and an internal VM share the same host if everything is properly configured, or is there some kind of risk I am not thinking of?

Thanks.
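The layout described in the question, built and then audited with the Hyper-V PowerShell module, as an added example that is not part of the original thread; it assumes the physical adapters are named NIC1 and NIC2 in Windows and that VM1 and VM2 already exist.

```powershell
# Added example (not from the original thread). Names NIC1/NIC2/Switch1/Switch2/VM1/VM2
# come from the question; the Windows adapter names are an assumption.

# One external virtual switch per physical NIC.
# The LAN switch keeps a host vNIC for management; the DMZ switch does not,
# so the parent partition never has an address on the DMZ segment.
New-VMSwitch -Name 'Switch1' -NetAdapterName 'NIC1' -AllowManagementOS $true
New-VMSwitch -Name 'Switch2' -NetAdapterName 'NIC2' -AllowManagementOS $false

# Attach each VM's single adapter to its own switch.
Connect-VMNetworkAdapter -VMName 'VM1' -SwitchName 'Switch1'
Connect-VMNetworkAdapter -VMName 'VM2' -SwitchName 'Switch2'

# Audit: verify the separation the question relies on and return any findings.
function Test-SwitchSeparation {
    $findings = @()

    # 1. Each external switch must be bound to a different physical NIC.
    $ext = Get-VMSwitch | Where-Object SwitchType -eq 'External'
    $dup = $ext | Group-Object NetAdapterInterfaceDescription | Where-Object Count -gt 1
    if ($dup) { $findings += "Switches share a physical NIC: $($dup.Group.Name -join ', ')" }

    # 2. The management OS must not own a vNIC on the DMZ switch.
    $hostOnDmz = Get-VMNetworkAdapter -ManagementOS | Where-Object SwitchName -eq 'Switch2'
    if ($hostOnDmz) { $findings += 'Host has a management vNIC on DMZ switch Switch2' }

    # 3. No VM may straddle both switches (a dual-homed VM bridges LAN and DMZ).
    foreach ($vm in Get-VM) {
        $switches = (Get-VMNetworkAdapter -VMName $vm.Name).SwitchName | Sort-Object -Unique
        if (($switches -contains 'Switch1') -and ($switches -contains 'Switch2')) {
            $findings += "$($vm.Name) is connected to both Switch1 and Switch2"
        }
    }

    # 4. Internal or private switches are a second path VMs could share.
    $shared = Get-VMSwitch | Where-Object SwitchType -ne 'External'
    if ($shared) { $findings += "Non-external switches present: $($shared.Name -join ', ')" }

    return $findings
}

Test-SwitchSeparation
```

An empty result means the two VMs reach each other only through the firewall; any finding names a path that bypasses it.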
ASKER CERTIFIED SOLUTION
Qlemo
alexziv

They will be in a LAN which is made by your host machine, and they will see each other. Try nmap on all of them after you configure them: host and VM1/VM2.
alexziv, that is nonsense. The virtual switches isolate VMs from each other, that is their purpose.
sorry, reading fast
gateguard (ASKER)

Thanks!
There are proved VM escape exploits.  It would be unwise to assume there are no undisclosed exploits in existence nor existing vulnerabilities which could be discovered and exploited in the future.  While existing (disclosed) exploits may be for alternate products, I would take the overall track record of Microsoft into consideration, as it pertains to software vulnerabilities.

One proven method of mitigation would be to properly deploy EMET. It's my recommendation that this product be deployed on all Windows-based operating systems, as part of your defense-in-depth strategy, after thorough application compatibility testing.

EMET uses security mitigation technologies such as Data Execution Prevention (DEP), Mandatory Address Space Layout Randomization (ASLR), Structured Exception Handler Overwrite Protection (SEHOP), Export Address Table Access Filtering (EAF), Anti-ROP, and SSL/TLS Certificate Trust Pinning, to help protect computer systems from new or undiscovered threats. EMET can also protect legacy applications or third party line of business applications where you do not have access to the source code.

That said, considering the complexity involved, I would agree that the most likely attack vector would be through the network stack.

Best defense-in-depth security practices however would call for physical isolation. At the end of the day it's all about risk. Consider the value of the data you are protecting vs. the cost to protect that data. Qualitative/quantitative risk assessment is a good starting point.