Comments on: VMware Addressing Virtual Security Concerns http://blog.scottlowe.org/2007/08/18/vmware-addressing-virtual-security-concerns/ The weblog of an IT pro specializing in virtualization, storage, and servers Mon, 01 Dec 2008 19:54:53 +0000 http://wordpress.org/?v=2.6 By: slowe http://blog.scottlowe.org/2007/08/18/vmware-addressing-virtual-security-concerns/#comment-34244 slowe Tue, 20 Nov 2007 22:50:17 +0000 http://blog.scottlowe.org/2007/08/18/vmware-addressing-virtual-security-concerns/#comment-34244 Paul, Send me an e-mail...perhaps we can work together to take a closer look at Astaro and see how well it works. Thanks! Paul,

Send me an e-mail…perhaps we can work together to take a closer look at Astaro and see how well it works. Thanks!

]]> By: Paul http://blog.scottlowe.org/2007/08/18/vmware-addressing-virtual-security-concerns/#comment-34239 Paul Tue, 20 Nov 2007 20:48:26 +0000 http://blog.scottlowe.org/2007/08/18/vmware-addressing-virtual-security-concerns/#comment-34239 "There is one area, however, where I do agree with some of the complaints, and that is visibility into the virtualized networking environment. Without that, there is no way to detect (and/or mitigate) guest-to-guest attacks on the same host. I believe that VMware’s rumored move to allow Cisco switches on ESX Server is one step to help mitigate this weakness. After all, if we’ve got native IOS running on a switch on ESX, that means (presumably) that we can mirror track to another virtual switch port for use by an IDS/IPS, most likely running in another VM." Again, Astaro Offers virtual appliances that are 802.1q capable and could be used to segment and secure the virtual network. With transparent bridging, inline snort, granular iptables, transparent proxies and IPSEC capabilities, all in a high performance hardened linux distro, all bases should be well covered. I've been chomping at the bit to setup a VM stack or two and segment with this virtual firewall to do some benchmarking. Now... if I could just get a hold of a ESX farm to benchmark my theory... Paul “There is one area, however, where I do agree with some of the complaints, and that is visibility into the virtualized networking environment. Without that, there is no way to detect (and/or mitigate) guest-to-guest attacks on the same host. I believe that VMware’s rumored move to allow Cisco switches on ESX Server is one step to help mitigate this weakness. After all, if we’ve got native IOS running on a switch on ESX, that means (presumably) that we can mirror track to another virtual switch port for use by an IDS/IPS, most likely running in another VM.”

Again, Astaro Offers virtual appliances that are 802.1q capable and could be used to segment and secure the virtual network. With transparent bridging, inline snort, granular iptables, transparent proxies and IPSEC capabilities, all in a high performance hardened linux distro, all bases should be well covered. I’ve been chomping at the bit to setup a VM stack or two and segment with this virtual firewall to do some benchmarking. Now… if I could just get a hold of a ESX farm to benchmark my theory…

Paul

]]>