Today I got into a heated discussion with a “Virtualization Expert” at Gartner about the risks associated with virtualizing your DMZ, primarily into the same environment as your non-DMZ servers.
As you can see in my diagram below, this is my plan: create a completely isolated vSwitch with dedicated NICs for my DMZ portgroup, separate from the vSwitch that contains my Service Console, VMkernel and other Virtual Machine portgroups.
[Diagram: isolated DMZ vSwitch with its own NICs, separate from the vSwitch carrying the Service Console, VMkernel and other Virtual Machine portgroups]
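To check that a host actually matches the layout in the diagram, here is an added audit script (my example, not from the original post or from VMware) that parses a listing in the style of `esxcfg-vswitch -l` and flags a DMZ portgroup that shares a vSwitch with management portgroups or shares physical uplinks with another vSwitch. The column layout is an assumption about the ESX 3.x output, and the listing it runs against is constructed.

```python
"""Audit a vSwitch layout for the DMZ isolation the post describes. Input mimics
`esxcfg-vswitch -l` on ESX 3.x (format assumed); SAMPLE is constructed, not real."""
import re

SAMPLE = """\
Switch Name    Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitch0       64          5           64                1500    vmnic0,vmnic1
  PortGroup Name      VLAN ID  Used Ports  Uplinks
  Service Console     0        1           vmnic0,vmnic1
  VMkernel            0        1           vmnic0,vmnic1
  VM Network          0        3           vmnic0,vmnic1
Switch Name    Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitch1       64          3           64                1500    vmnic2,vmnic3
  PortGroup Name      VLAN ID  Used Ports  Uplinks
  DMZ                 0        2           vmnic2,vmnic3
"""
MGMT = {"Service Console", "VMkernel"}  # portgroups that give a path to the host itself
SW_ROW = re.compile(r"^(\S+)\s+\d+\s+\d+\s+\d+\s+\d+\s*(\S*)\s*$")
PG_ROW = re.compile(r"^\s+(.+?)\s{2,}\d+\s+\d+\s*(\S*)\s*$")

def parse_vswitches(text):
    """Return {switch: {"uplinks": set, "portgroups": [names]}}."""
    switches, cur, in_pg = {}, None, False
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.lstrip().startswith(("Switch Name", "PortGroup Name")):
            in_pg = line.startswith(" ")  # the portgroup header is indented
        elif in_pg:
            switches[cur]["portgroups"].append(PG_ROW.match(line).group(1))
        else:
            sw = SW_ROW.match(line)
            cur, uplinks = sw.group(1), set(filter(None, sw.group(2).split(",")))
            switches[cur] = {"uplinks": uplinks, "portgroups": []}
    return switches

def dmz_findings(switches, dmz_pg="DMZ"):
    """Empty list: the DMZ portgroup sits alone on a vSwitch with its own NICs."""
    dmz_sw = next((n for n, s in switches.items() if dmz_pg in s["portgroups"]), None)
    if dmz_sw is None:
        return [f"portgroup {dmz_pg} not found"]
    out = [f"{dmz_sw}: {pg} shares the DMZ vSwitch" + (" (management!)" if pg in MGMT else "")
           for pg in switches[dmz_sw]["portgroups"] if pg != dmz_pg]
    if not switches[dmz_sw]["uplinks"]:
        out.append(f"{dmz_sw}: no dedicated physical uplinks")
    for name, sw in switches.items():  # a shared vmnic would join the two vSwitches
        shared = sw["uplinks"] & switches[dmz_sw]["uplinks"]
        if name != dmz_sw and shared:
            out.append(f"{dmz_sw} shares {sorted(shared)} with {name}")
    return out
```

Run it against the real listing from the service console; an empty result means the DMZ vSwitch has only the DMZ portgroup and its own physical NICs.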
The discussion I got into this afternoon was that this was still a security risk, and presented a vulnerability to potentially all my other Virtual Machines on the host. Frankly, I just don’t see it. The only risk I could potentially ever see is if one of the guests in the DMZ portgroup was compromised, it could potentially affect other systems within that vSwitch — there should be no way it could cross-talk to the other portgroups on other vSwitches in this system. Right? The Gartner engineer kept bringing up how someone could attack that vSwitch and gain access to the system to compromise it… then he kept giving examples about how this happened in Hyper-V (which has nothing to do with ESX).
So, I’m leaving this open…what is your opinion? Regardless of Intrusion Protection Systems and Intrusion Detection Systems and Firewalls, etc. — How strong is a vSwitch? Can someone that hacks a guest within an isolated vSwitch (one with no Service Console on it) gain access to your host?
Are these so-called Experts at firms like Gartner and Forrester really Experts?
You tell me….