On 9/21/07, Darren Spruell <[EMAIL PROTECTED]> wrote:
> Here's an entirely realistic scenario at this point:
>
> - Administrator pays loads of money for VMware ESX; for better ROI, he
> intends to replace several systems on the network with one big system
> running a number of VMs. Maybe there is a full DMZ (say, 10 hosts) on
> this box. One virtual machine is configured as a firewall, intended to
> provide packet filtering and other network security services for the
> other DMZ VMs.
> - A vulnerability is discovered that allows an attacker who has
> presence in one VM to execute arbitrary code on the host OS, or
> transfer files between guest and host. (Both of these have happened
> already. In fact, VMware Tools seems to be the perfect bit of flawed
> gateway software to make this even easier.) Virtualized segmentation
> is compromised at this point.
So what do you recommend? Running all 10 services on the same non-virtualized machine?