Following a question on the CISSP mailing list on the risks of virtual
server deployment spanning security zones, here is the answer I posted:
has released a best practice guide about DMZ virtualization. I don't know
if your project is with VMware, but I suppose that most of this document
is still valuable even with other virtualization tools.
Basically, I think that any option can offer the same level of security
but involves different skills and amount of work to mitigate the potential
In the second and third option of the document,
guest systems from different DMZs are hosted in the same host server.
These options can create vulnerabilities mainly because of the increasing
complexity that can lead to misconfiguration. There are also issues with
enforcing separation of duties, since the VMware administrator can modify
virtual network settings.
The points above can be mitigated but involve more requirements than the
solution with physical separation of trust zones.
With DMZ virtualization, it is even more important that the following is
done, and this will depend heavily on the level of maturity of Information
Security and IT in general in each organisation:
- The relevant IT people should be well trained on the
  virtualization tool the company uses
- The VMware systems have to be hardened following best
  practices. Management zones should be connected to a separate network
  that is only available to the relevant people.
- VMware patches have to be applied in a timely manner (this can be
  an issue since all guest systems may need a reboot)
- Regular configuration audits have to be done to ensure that
  no misconfiguration has been introduced
- Stringent change management must be in place in the organisation
  and no change to the virtual infrastructure should be done outside
  the change process
Virtualization is far from being a new toy. This is a great technology
that can decrease costs and can offer great DR strategies. This is likely
to be a sensitive subject in each organisation and the result of the risk
analysis should be well detailed. I think the points above can be used in
doing the risk analysis. For example, in a company with undersized IT
teams and a poor change management process, I wouldn't recommend the DMZ
virtualization option (depending on the impact, obviously).