Comments on: Storage Time Bomb? http://blog.scottlowe.org/2007/02/21/storage-time-bomb/ The weblog of an IT pro specializing in virtualization, storage, and servers Tue, 07 Feb 2012 13:34:34 +0000 hourly 1 http://wordpress.org/?v= By: slowe http://blog.scottlowe.org/2007/02/21/storage-time-bomb/comment-page-1/#comment-30171 slowe Sat, 03 Mar 2007 14:49:44 +0000 http://blog.scottlowe.org/?p=417#comment-30171 J.Cruz, I suppose that is a possibility, but even then you have a VMDK involved, and that VMDK is associated with a LUN ID (the VMDK in this case just stores metadata, not real data). If that is the case, you don't even need a DRS/HA cluster to be vulnerable--remember that simple VMotion requires access to the back-end SAN LUN as well. I'll have to dig into RDMs a bit more to see if you could be right. Any RDM experts want to chime in here? J.Cruz,

I suppose that is a possibility, but even then you have a VMDK involved, and that VMDK is associated with a LUN ID (the VMDK in this case just stores metadata, not real data). If that is the case, you don’t even need a DRS/HA cluster to be vulnerable–remember that simple VMotion requires access to the back-end SAN LUN as well.

I’ll have to dig into RDMs a bit more to see if you could be right. Any RDM experts want to chime in here?

]]> By: J.Cruz http://blog.scottlowe.org/2007/02/21/storage-time-bomb/comment-page-1/#comment-29864 J.Cruz Fri, 02 Mar 2007 14:45:51 +0000 http://blog.scottlowe.org/?p=417#comment-29864 Hey, Scott. The only thing I can think of is that they are referring to Raw Device Mappings, which bypasses the virtualization layer. Is it possible to another host inyour ESX Farm that shares the same LUN mappings as the one that hosts your VM-with-RDM, to be compromised, and another VM-with-RDM brought online with those same RDMs and then, bam, you've got access to the SAN LUNs you shouldn't have? Hey, Scott. The only thing I can think of is that they are referring to Raw Device Mappings, which bypasses the virtualization layer. Is it possible to another host inyour ESX Farm that shares the same LUN mappings as the one that hosts your VM-with-RDM, to be compromised, and another VM-with-RDM brought online with those same RDMs and then, bam, you’ve got access to the SAN LUNs you shouldn’t have?

]]> By: J.Cruz http://blog.scottlowe.org/2007/02/21/storage-time-bomb/comment-page-1/#comment-29862 J.Cruz Fri, 02 Mar 2007 14:43:35 +0000 http://blog.scottlowe.org/?p=417#comment-29862 The only thing I can think of is that they are specifically referring to Raw Device Mappings in VMWare. But then, you're bypassing the virtualization layer, right? Which means you are conciously choosing to break out of that layer and grant raw access to the LUN? I suppose if a host in your HA Cluster was compromised, which would necessarily have to see the same LUNs as the RDM VM, is it possible that a VM could be brought online with access to those LUNs? The only thing I can think of is that they are specifically referring to Raw Device Mappings in VMWare. But then, you’re bypassing the virtualization layer, right? Which means you are conciously choosing to break out of that layer and grant raw access to the LUN?

I suppose if a host in your HA Cluster was compromised, which would necessarily have to see the same LUNs as the RDM VM, is it possible that a VM could be brought online with access to those LUNs?

]]>