I find this discussion interesting from a slightly different angle than
the perspective of PCI or other standards compliance.

I tend to agree with Craig's view that there is inadequate segregation
between guests running on different VMs of the same host, whether they
be application servers or virtualized security appliances. There are
multiple demonstrated guest breakout techniques for nearly all
virtualization technologies.

Still, let me directly quote the supervisor of our Windows admin team:

>"Department of Homeland Security and NSA have
> certified the VMware virtual switch and OS as being
> equivalent to physical separation."

He's referring to ESX3 -- the platform on which his group hopes to run
multiple virtualized DMZ-based public Windows Server 2003 web servers,
with the host OS directly connected to a private internal network. This
is a strategy on which I requested comments from the list only a few
weeks ago.

Thoughts?

Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA

> -----Original Message-----
> From: listbounce (at) securityfocus (dot) com [email concealed]
> [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of Craig Wright
> Sent: Friday, May 09, 2008 4:51 PM
> To: Terry; firewalls (at) securityfocus (dot) com [email concealed]
> Subject: RE: virtual firewalls -- compliance
>
>
> PCI-DSS v1.1 states at 1.4
> "Prohibit direct public access between external networks and
> any system component that stores cardholder data"
>
> A virtual system is a direct access. You have trusted and
> untrusted on the same component. HIPAA is worse. You have a
> number of hosts at different levels shared. This is a law
> suit waiting to occur.
>
> Other standards are the same. All I have to say is this is a
> BAD idea. BAD!
>
> Regards,
> Craig Wright (GSE-Compliance)
>
>
> Craig Wright
> Manager, Risk Advisory Services
>
> Direct : +61 2 9286 5497
> Craig.Wright (at) bdo.com (dot) au [email concealed]
> +61 417 683 914
>
> BDO Kendalls (NSW-VIC) Pty. Ltd.
> Level 19, 2 Market Street Sydney NSW 2000 GPO BOX 2551 Sydney
> NSW 2001 Fax +61 2 9993 9497 http://www.bdo.com.au/
>
> The information in this email and any attachments is
> confidential. If you are not the named addressee you must not
> read, print, copy, distribute, or use in any way this
> transmission or any information it contains. If you have
> received this message in error, please notify the sender by
> return email, destroy all copies and delete it from your system.
>
> Any views expressed in this message are those of the
> individual sender and not necessarily endorsed by BDO
> Kendalls. You may not rely on this message as advice unless
> subsequently confirmed by fax or letter signed by a Partner
> or Director of BDO Kendalls. It is your responsibility to
> scan this communication and any files attached for computer
> viruses and other defects. BDO Kendalls does not accept
> liability for any loss or damage however caused which may
> result from this communication or any files attached. A full
> version of the BDO Kendalls disclaimer, and our Privacy
> statement, can be found on the BDO Kendalls website at
> http://www.bdo.com.au/ or by emailing mailto:administrator (at) bdo.com (dot) au. [email concealed]
>
> BDO Kendalls is a national association of separate
> partnerships and entities. Liability limited by a scheme
> approved under Professional Standards Legislation.
> -----Original Message-----
>
> From: listbounce (at) securityfocus (dot) com [email concealed]
> [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of Terry
> Sent: Friday, 9 May 2008 5:37 AM
> To: firewalls (at) securityfocus (dot) com [email concealed]
> Subject: virtual firewalls -- compliance
>
> Hello all,
>
> I am throwing around the idea of using linux firewalls in
> vmware for customer environments. The customers may or may
> not have HIPAA/PCI/sOX/etc requirements. This is in the
> planning stages. Any of you have experience heading down
> this route? PCIDSS doesn't explicitly state problems with
> virtual firewalls, it seems to focus on the logic of the rules.
>
> Thanks!
>
>

[ reply ]