On Tue, Dec 30, 2008 at 10:55 AM, Ken Schaefer <[email protected]> wrote:
> -----Original Message-----
> From: S Conn. [mailto:[email protected]]
> Subject: Re: Virtualization Questions - More Q's
>
>> I don't see a lot of difference here between virtual environment vs physical.
>
> Physical access can mean control - but you can control physical access. Not 
> to mention detecting network changes and preventing/detecting BIOS changes 
> (via passwords and ILO/DRAC etc)
>
> In a virtual environment, your virtualisation people control the BIOS, the 
> boot sequence, the virtual networks that are exposed, and even the hard disks 
> of the VMs themselves. And they can do that remotely. In a physical world, 
> your virtualisation people wouldn't have access to the cabinets that store 
> your physical domain controllers or other physical servers. Just the servers 
> that host the VM hosts.
>
> Additionally, there are occasionally vulnerabilities in virtualisation 
> software (a couple for VMware and more for other products). These can be 
> used to gain access to VMs by holding privileges on the host.
>
> Cheers
> Ken
>

VMware allows you to password-protect the BIOS, just like a physical
machine.  As for network changes, a VMware administrator can change
only the virtual switches and virtual NICs; they can't affect the
physical switches connecting the rest of the network.

Basically you have to treat the virtual environment the same as a
physical environment and treat the access program (such as
VirtualCenter) just like physical access.  Yes, you can access it
remotely, but IP KVMs, remote PDUs, DRAC/ILO cards, etc. provide the
same remote access for physical servers.  Except, with virtual, you
can delegate certain tasks a lot better than just giving a bunch of
folks the key to the door of your server room or maintaining a ton of
remote access products.

You do have a good point with the software vulnerabilities.  However,
I'd have to argue that you have those with just about any other
solution.  I'm sure a clever hacker can figure out a remote PDU or
DRAC card.  Following best practices, such as putting your service
consoles on non-production management networks, setting up isolation,
patching, etc. can help with these problems.

Seth