Virtual host on LAN - VMs on DMZ, separate NICs - is this a bad idea?

I would say the main risk would be any exploit that allows someone to break out of the VM and attack the host. This has happened with VMware before. So this would put your LAN at a higher risk from the DMZ than totally isolated machines, but I wouldn't say it's stupid either. Just depends on how secure it really has to be...

Also take into account that this sounds a little more 'complicated', and therefore you might be more likely to overlook something. I bet more security is hacked because of administrative mistakes than exploits.

One more thing to think about is if you work in a place/industry that might have audits. Even if this method is no less secure really, there might be some BS audit rule about the DMZ and LAN residing on the same physical server.


We are running several servers like this now (although we are using VMware). Basically the physical boxes host guest machines running on various networks, and each network has its own physical NICs assigned to it. This is definitely an issue as Kyle mentioned. The approach we have taken is that, in light of the potential impact of a virtual hack, we have gone out of our way to secure the OS on the guest machines. All guest OSes that are publicly accessible are screened by a third-party audit daily for security vulnerabilities so that we can hopefully keep someone from ever getting into the guest in the first place. Additionally, we have placed extensive firewall rules in place to lock down the traffic entering the DMZ in the first place. Unfortunately this is probably as secure as you can get with that kind of configuration at the moment.
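The separate-NIC-per-network design above only holds while nobody mis-cables or mis-bridges a NIC, which is exactly the administrative mistake the first answer warns about. Below is an added example, not from either poster, of a host-side check that parses Linux `bridge link show` output (a constructed sample is embedded) against an assumed declared NIC/bridge-to-zone map and flags any physical NIC on the wrong bridge, any bridge mixing zones, and the management NIC landing on the DMZ bridge.

```python
import re

# Constructed sample of `bridge link show` output on the virtual host (not from the post).
BRIDGE_LINK_OUTPUT = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-lan state forwarding priority 32 cost 4
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-dmz state forwarding priority 32 cost 4
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-lan state forwarding priority 32 cost 4
7: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-dmz state forwarding priority 32 cost 100
8: vnet1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-lan state forwarding priority 32 cost 100
"""

# Assumed intended design: which physical NIC and which bridge belong to which zone.
NIC_ZONE = {"eth0": "lan", "eth1": "dmz", "eth2": "dmz"}  # eth2 is wrongly on br-lan above
BRIDGE_ZONE = {"br-lan": "lan", "br-dmz": "dmz"}
MGMT_NIC = "eth0"  # carries host management traffic; must never sit on the DMZ bridge

LINE_RE = re.compile(r"^\d+:\s+(\S+):\s+.*\bmaster\s+(\S+)")


def parse_bridge_links(text):
    """Map each enslaved interface name to the bridge it belongs to."""
    members = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            members[m.group(1)] = m.group(2)
    return members


def audit_segregation(members, nic_zone, bridge_zone, mgmt_nic):
    """Return a list of findings; an empty list means the NIC separation is intact."""
    findings = []
    zones_per_bridge = {}
    for iface, br in members.items():
        zone = bridge_zone.get(br)
        if zone is None:
            findings.append(f"{iface} is on undeclared bridge {br}")
            continue
        if iface in nic_zone:
            zones_per_bridge.setdefault(br, set()).add(nic_zone[iface])
            if nic_zone[iface] != zone:
                findings.append(f"physical NIC {iface} ({nic_zone[iface]}) is enslaved to {br} ({zone})")
        if iface == mgmt_nic and zone == "dmz":
            findings.append(f"management NIC {iface} is attached to DMZ bridge {br}")
    for nic in nic_zone:  # a declared NIC missing from every bridge means the design is not applied
        if nic not in members:
            findings.append(f"physical NIC {nic} is not attached to any bridge")
    for br, zones in zones_per_bridge.items():  # one bridge with two zones collapses the separation
        if len(zones) > 1:
            findings.append(f"bridge {br} carries NICs from zones {sorted(zones)}")
    return findings


if __name__ == "__main__":
    for f in audit_segregation(parse_bridge_links(BRIDGE_LINK_OUTPUT), NIC_ZONE, BRIDGE_ZONE, MGMT_NIC):
        print("FINDING:", f)
```

Run it from cron on the host with the real `bridge link show` output piped in; the VMware equivalent would be the vSwitch-to-uplink mapping rather than Linux bridges.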