0

I was sitting in a presentation where I was told it is ok to have a physical box (virtualized into two) where one resides in the DMZ zone and the other resides in the secured zone.

I found that such an approach smells bad.

Is there any production environment that uses such an approach? I don't have a lot of experience in this space (virtualization), but I always believed that virtualization would only ever be used within one zone (e.g. the Secured Zone).

Any ideas or thoughts?

Thanks, Manglu

user9517
Manglu

3 Answers

2

This is approximately the same debate as the one about dedicating entire switches to a network segment, or using VLANs. It really boils down to your comfort level and any surrounding rules, regulations or politics in your particular business. There's always the risk of an elevation exploit within a VM that allows it to 'exit the matrix' and mess with the host system. To date the number of those has been few and the impact minimal.

VMware's position on this kind of thing is:

The truth is, vulnerabilities and exploits will never completely go away for any enterprise software, but ESX has been remarkably resistant to such issues. If it happens again, we'll find the problem and fix it quickly, as we did for CVE-2009-1244.

My take on this is that running VMs from different network segments on the same hosts is acceptable. I tend to draw the line by dedicating separate physical NIC links and vSwitches for the major zones (a pair of NICs for 'Front Zone' DMZ traffic, and a pair for 'Back Zone' internal traffic). This is matched up with the interfaces hanging off the core firewall so if you have an interface on the firewall dedicated for a particular set of VLANs, you have that same group on a vSwitch in the virtual environment.

As a general rationale, I'm taking a lesson from cloud computing on this one: many people are comfortable placing workloads, even sensitive ones, into compute clouds like Amazon EC2. If you're comfortable with that scenario for the workload in question, why wouldn't you be comfortable with it within your own system? Out in the cloud your client data workloads could be executing right alongside any number of unknown third parties' workloads. Within your own system it's always going to be far more controlled than that scenario.

So that's the security take. Ignoring security for a moment, the other big issues are probably around your consolidation ratios, costs and the efficiency of your system. If you're a small to medium shop with only a few hosts, you're going to bite some extra costs by purchasing additional hosts and the surrounding extras (rack space, implementation time, ongoing op costs, licensing costs). If you already have the capacity so that you can run all of your workloads on your existing infrastructure, purchasing additional kit to implement physical separation seems unjustifiable. If you're a big virtual shop, though, the costs involved are probably less significant; you can just take the hosts, licenses and supporting entities that you already own and maintain, and split off a portion of them to run your separate network segments.

I've had real-world experience of pretty much this exact issue not too long ago. For a client project, it was decided that everything needed to be run on physically segregated equipment away from the existing infrastructure. It's proven expensive and problematic to maintain and monitor, and if we were doing it over again I'd stamp my foot to have it hosted within the core infrastructure with appropriate VLAN isolation. We really didn't gain anything beyond perhaps making some non-technical folks happy (which is often important!).

Chris Thorpe
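The layout the answer above describes (one vSwitch and its own pair of physical NICs per zone, with the VLAN set on each vSwitch matching the VLAN set on the corresponding firewall interface) is easy to drift away from once several admins share a host. The following audit script is an added example, not code from the thread or from VMware: it models that layout with constructed inventory data and reports every deviation. The vSwitch, port group and uplink names (vSwitch-DMZ, vmnic2, and so on), the zone labels and the firewall VLAN map are all hypothetical sample values; in a real environment you would populate them from your host's network inventory.

```python
"""Audit a hypervisor virtual-network layout for DMZ / internal zone separation.

Added example, not from the original thread.  The invariants it checks are the
ones the answer describes: each zone has a dedicated vSwitch, no physical NIC
is shared between zones, each zone's vSwitch has redundant uplinks, port groups
sit on a vSwitch of their own zone, and the VLANs per zone on the host match the
VLANs on that zone's firewall interface.  All inventory data is constructed.
"""
from dataclasses import dataclass


@dataclass
class VSwitch:
    name: str
    zone: str            # security zone this vSwitch is dedicated to
    uplinks: list        # physical NICs (vmnicN) attached to the vSwitch


@dataclass
class PortGroup:
    name: str
    vswitch: str         # vSwitch the port group hangs off
    vlan: int            # 802.1Q tag applied to VMs on this port group
    zone: str            # zone of the VMs that will be connected here


def audit(vswitches, portgroups, firewall_vlans):
    """Return a list of findings; an empty list means the layout is consistent.

    firewall_vlans maps zone -> set of VLAN ids trunked to that zone's firewall
    interface (hypothetical values below).
    """
    findings = []
    sw_by_name = {s.name: s for s in vswitches}

    # 1. A physical uplink may belong to exactly one vSwitch (and hence one zone).
    owner = {}
    for s in vswitches:
        for nic in s.uplinks:
            if nic in owner and owner[nic] != s.name:
                findings.append(f"uplink {nic} shared by {owner[nic]} and {s.name}")
            owner[nic] = s.name

    # 2. Each zone vSwitch needs a redundant pair of uplinks.
    for s in vswitches:
        if len(s.uplinks) < 2:
            findings.append(f"{s.name} ({s.zone}) has no redundant uplink")

    # 3. A port group's zone must match the zone of the vSwitch it sits on.
    vlans_by_zone = {}
    for pg in portgroups:
        vlans_by_zone.setdefault(pg.zone, set()).add(pg.vlan)
        sw = sw_by_name.get(pg.vswitch)
        if sw is None:
            findings.append(f"port group {pg.name} references unknown vSwitch {pg.vswitch}")
        elif sw.zone != pg.zone:
            findings.append(f"port group {pg.name} ({pg.zone}) is on {sw.name} ({sw.zone})")

    # 4. VLANs seen per zone on the host must equal the firewall-interface VLANs.
    for zone, fw in firewall_vlans.items():
        virt = vlans_by_zone.get(zone, set())
        if virt != fw:
            findings.append(f"zone {zone}: host VLANs {sorted(virt)} != firewall VLANs {sorted(fw)}")

    # 5. The same VLAN id must never be used by two zones.
    seen = {}
    for pg in portgroups:
        if pg.vlan in seen and seen[pg.vlan] != pg.zone:
            findings.append(f"VLAN {pg.vlan} used in both {seen[pg.vlan]} and {pg.zone}")
        seen[pg.vlan] = pg.zone
    return findings


# Constructed "good" inventory: one vSwitch and one NIC pair per zone.
GOOD_SWITCHES = [VSwitch("vSwitch-DMZ", "dmz", ["vmnic2", "vmnic3"]),
                 VSwitch("vSwitch-Internal", "internal", ["vmnic4", "vmnic5"])]
GOOD_PORTGROUPS = [PortGroup("DMZ-Web", "vSwitch-DMZ", 100, "dmz"),
                   PortGroup("DMZ-Mail", "vSwitch-DMZ", 101, "dmz"),
                   PortGroup("Int-App", "vSwitch-Internal", 200, "internal"),
                   PortGroup("Int-DB", "vSwitch-Internal", 201, "internal")]
FIREWALL_VLANS = {"dmz": {100, 101}, "internal": {200, 201}}

# Constructed "drifted" inventory: vmnic3 now backs both vSwitches, the internal
# vSwitch lost its redundant NIC, and the DB port group was moved onto the DMZ
# vSwitch.  The audit should report all three.
BAD_SWITCHES = [VSwitch("vSwitch-DMZ", "dmz", ["vmnic2", "vmnic3"]),
                VSwitch("vSwitch-Internal", "internal", ["vmnic3"])]
BAD_PORTGROUPS = GOOD_PORTGROUPS[:3] + [PortGroup("Int-DB", "vSwitch-DMZ", 201, "internal")]


if __name__ == "__main__":
    for label, sw, pg in (("good", GOOD_SWITCHES, GOOD_PORTGROUPS),
                          ("drifted", BAD_SWITCHES, BAD_PORTGROUPS)):
        result = audit(sw, pg, FIREWALL_VLANS)
        print(f"{label}: {len(result)} finding(s)")
        for line in result:
            print("  -", line)
```

Running it prints no findings for the clean layout and three for the drifted one (the shared NIC, the missing redundant uplink, and the internal port group on the DMZ vSwitch). The check deliberately keys on physical uplinks rather than on vSwitch names, because a shared NIC is what turns two nominally separate vSwitches back into one broadcast domain on the wire.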
2

There's no final answer to this question, it depends on your own policies and personal security opinions. Certainly if you speak to Cisco, VMware or Microsoft about their Nexus/ESX/Hyper-V products they'll say that they're happy that their products will be secure enough to do this if configured properly - they will not however leap into signing that away as a risk.

Of course it depends on the content and the importance of that content to your business too. Personally I have DMZ hosts, internal hosts and secure hosts - but I'm lucky, I have the budget for that and it allows me to sleep very easily (unless kicked in the night by MrsChopper3 of course).

If you want to do this because your business won't pay for dedicated tier hosts then I'd personally feel reasonably happy with the security included in the hypervisor's virtual switches but to protect yourself I'd make sure you document this risk to your management and make it clear that it's a budgetary compromise.

Hope this helps.

Chopper3
-1

In my opinion I think this is the better solution.

Internet - Cisco Firewall - DMZ - Cisco router - Company network