"Grant Taylor" <gtaylor@newsgroup> wrote in message
news:h57ji2$2lp7$1@newsgroup
> On 08/03/09 09:42, cptkirkh wrote:
>> I am in the process of spec'ing out a new Hyper-V server. Among the
>> servers I want to place on my new Hyper-V box is one of my web servers
>> that sits in my DMZ. If my DMZ uses its own IP scheme and I still want
>> to be able to utilize the security of separating my web server in the DMZ
>> from my internal LAN, will I be able to do this with a Hyper-V box? My
>> particular box I am buying from Dell will have multiple NICs and the
>> ability to have multiple virtual NICs. Will this provide the same
>> security, or will the VMs actually be separate? Thanks for your advice.
>
> It is possible (at least in theory) for an exploit to escape the running
> VM up to the hypervisor level. At the hypervisor level it would be
> possible to access memory of other running VMs.
>
> I say /theory/ because I have not heard about any viable proof of
> concepts. (There may be some extreme case proof of concepts that work in
> a lab, but not the wild.)
>
> As such you are ultimately left with the decision of weighing the benefits
> of the virtualized environment over the potential security risks.
>
> As a general rule, I recommend that people not cross / mix security
> contexts on one system. As such, use separate VM host systems in each
> different security context. To this end, would it be possible to
> re-purpose the old system from your secure production environment to be
> used for the VMs in your DMZ?
>
> Grant. . . .
>
> P.S. The same concept exists to a lesser degree with SANs and VLANs.

As Grant pointed out, there is a theoretical possibility that running a
setup like that could compromise the separation between the DMZ and the
private LAN.
From a networking point of view, there is no difference between a
physical and a virtual network. If one NIC in your host is connected to the
DMZ, all machines on the virtual network linked to that NIC are also in the
DMZ.