Following a question on the cissp mailing list on the risks of virtual server deployment spanning security zones, here is the answer I posted:

Vmware has released a best practice guide about DMZ virtualization. I don't know if your project is with vmware, but I suppose that most of this document is still valuable even with other virtualization tool.

http://www.vmware.com/files/pdf/dmz_virtualization_vmware_infra_wp.pdf

Basically, I think that any option can offer the same level of security but involves different skills and amount of work to mitigate the potential vulnerabilties.

In the second and third option of the document, guest systems from different DMZs are hosted in the same host server. These options can create vulnerabilities mainly because of the increasing complexity that can lead to misconfiguration. There is also issues to enforce separation of duties since the VMWare administrator can modify virtual network settings.

The points above can be mitigated but involve more requirements than the solution with physical separation of trust zones.

With DMZ virtualization, it is even more important that the below is done and this will be very depending on the level of maturity of Information Security and IT in general in each organisation:

  • The relevant IT people should be well trained on the virtualization tool the company uses
  • The VMware systems have to be hardened following best practices, Management zones should be connected on a separate network that is only available to the relevant people.
  • Vmvare patches have to be applied in a timely manner (this can be an issue since all guest systems may need a reboot)
  • Regular configuration audit have to be done to ensure that no misconfiguration has been introduced
  • Stringent change management must be in place in the organisation and no change to the virtual infrastructure should be done outside the change process
Virtualization if far from a being a new toy. This is a great technology that can decrease costs and can offer great DR strategies. This is likely to be a sensitive subject in each organisation and the result of the risk analysis should be well detailed. I think the points above can be used in doing the risk analysis. For example in a company with undersized IT teams, with poor change management process, I wouldn't recommend the DMZ virtualization option (depending on the impact obviously).