"Grant Taylor" <gtaylor@newsgroup> wrote in message
> On 08/03/09 09:42, cptkirkh wrote:
>> I am in the process of spec'ing out a new Hyper-V server. Among the
>> servers I want to place on my new Hyper-V box is one of my web servers
>> that sits in my DMZ. If my DMZ uses it's own ip scheme and i still want
>> to be able to utilize the security of separating my webserver in the DMZ
>> from my internal LAN will i be able to do this with a hyper-V box? My
>> particular box i am buying from Dell will have multiple NICs and the
>> ability to have multiple Virtual NICs. Will this provide the same
>> security or will the VMs actually be separate? thanks for your advice.
> It is possible (at least in theory) for an exploit to escape the running
> VM up to the hypervisor level. At the hypervisor level it would be
> possible to access memory of other running VMs.
> I say /theory/ because I have not heard about any viable proof of
> concepts. (There may be some extreme case proof of concepts that work in
> a lab, but not the wild.)
> As such you are ultimately left with the decision of weighing the benefits
> of the virtualized environment over the potential security risks.
> As a general rule, I recommend that people not cross / mix security
> contexts on one system. As such, use separate VM host systems in each
> different security context. To this end, would it be possible to
> re-purpose the old system from your secure production environment to be
> used for the VMs in your DMZ?
> Grant. . . .
> P.S. The same concept exists to a lesser degree with SANs and VLANs.
As Grant pointed out there is a theoretical possibility that running a
setup like that could compromise the separation between the DMZ and the
From a networking point of view, there is no difference between a
physical and a virtual network. If one NIC in your host is connected to the
DMZ, all machines on the virtual network linked to that NIC are also in the