ISA on a Virtual Server host does not protect the guest machines


If you're running Virtual Server (or Virtual PC) with guest machines connected to the Internet, you probably don't want to leave them unprotected. You might expect that installing ISA on the host machine would protect the guests. It doesn't. You can verify this easily: generate some traffic between a guest machine and the Internet (say, browse to a public web site) and observe that it passes even though there's no rule that would allow it. The traffic doesn't appear in the ISA log at all, either, which is the tell-tale sign that ISA never inspected it.
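As an added example (not part of the original post), here is a small Python script that performs the check described above against an ISA firewall log in W3C format: give it the guests' IP addresses and it reports which guests have no log records at all, i.e. whose traffic ISA never saw. The two sample logs and the guest addresses are constructed for illustration, and the subset of W3C column names used (`source`, `rule`, `action`, and so on) is an assumption about the real log header, not a copy of a real log.

```python
"""Check whether guest VM traffic is actually passing through ISA.

Added example, not code from the original post. Parses an ISA W3C-format
firewall log (tab-separated, columns named by the '#Fields:' header) and
reports guests that have no records at all. The sample logs, the guest
addresses and the subset of field names used here are constructed for
illustration; the field names are an assumption about the real header.
"""
from collections import Counter

# Constructed sample: the situation the post describes. Guests 10.0.0.20
# and 10.0.0.21 browsed the web, yet only the host's own traffic is logged.
LOG_BEFORE = """\
#Software: Microsoft(R) Internet Security and Acceleration Server 2006
#Version: 2.0
#Date: 2007-03-01 10:00:00
#Fields: date\ttime\tsource\tdestination\tdestination port\trule\taction
2007-03-01\t10:00:01\t10.0.0.5\t198.51.100.7\t80\tAllow Web\tInitiated Connection
2007-03-01\t10:00:03\t10.0.0.5\t203.0.113.9\t25\tDefault rule\tDenied Connection
"""

# Constructed sample: after moving the guests behind the Internal NIC,
# 10.0.0.20 shows up with a rule decision; 10.0.0.21 was left attached to
# the external network by mistake and is still invisible to ISA.
LOG_AFTER = """\
#Fields: date\ttime\tsource\tdestination\tdestination port\trule\taction
2007-03-01\t11:00:01\t10.0.0.5\t198.51.100.7\t80\tAllow Web\tInitiated Connection
2007-03-01\t11:00:02\t10.0.0.20\t198.51.100.7\t80\tAllow Web\tInitiated Connection
2007-03-01\t11:00:04\t10.0.0.20\t203.0.113.9\t25\tDefault rule\tDenied Connection
"""

# Constructed guest VM addresses (in practice, after the move, these would
# sit on the Internal NIC's subnet; the check itself doesn't care).
GUESTS = {"10.0.0.20", "10.0.0.21"}


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
            continue
        if line.startswith("#"):  # other directives: #Software, #Date, ...
            continue
        if fields is None:
            raise ValueError(f"line {lineno}: record before #Fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(
                f"line {lineno}: expected {len(fields)} columns, got {len(values)}")
        yield dict(zip(fields, values))


def audit(text, guests):
    """Map each guest address to the number of log records with that source."""
    seen = Counter(rec["source"] for rec in parse_w3c(text))
    return {g: seen.get(g, 0) for g in sorted(guests)}


def unprotected(text, guests):
    """Guests with no records at all. Only meaningful after the guests have
    generated traffic: a zero here means ISA never inspected it."""
    return sorted(g for g, n in audit(text, guests).items() if n == 0)


if __name__ == "__main__":
    for label, log in (("before", LOG_BEFORE), ("after", LOG_AFTER)):
        print(label, audit(log, GUESTS), "bypassing ISA:", unprotected(log, GUESTS))
```

Run it against a real log by reading the file and passing its contents as `text`; because records are keyed by the header, extra columns in the real log are harmless as long as the source-address column is named as assumed. A guest that stays at zero after you have browsed from it is reaching the Internet without ever touching ISA.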


The reason for this is that Virtual Server uses an NDIS driver to forward traffic to its guest machines by MAC address, i.e. at layer 2. That driver sits below ISA's firewall engine driver (fweng.sys) in the network stack, so frames destined for a guest are delivered to it before ISA ever sees them:


[Figure: ISA-on-a-VS-host-not-protecting]


One way to actually put the guests behind ISA is to add another NIC (call it Internal), connect the guest machines only to that NIC, and have ISA route or NAT traffic between that NIC and the "real" (External) NIC:


[Figure: ISA-on-a-VS-host-protecting]


In this configuration the guest machines are no different from physical machines plugged into the Internal NIC. You get all the hassles of having another network (IP address assignment, NAT, and so on), but at least your guest machines are protected, and you've only used one physical machine. For extra virtualization credit, you can use a loopback adapter for the Internal NIC instead of a second physical card.


-Jonathan Barner

ISA Server Sustained Engineering Team

Comments
  • PingBack from http://blog.windowsvirtualization.com/?p=258

  • Hi @all,

    Sounds logical. Thanks for clarifying this.

    greetings Marc Grote

  • I am having problems which I find strange myself. First of all, I have an ISA 2006 VM running on Virtual Server 2005 R2, using only 1 NIC by sharing it between the ISA VM and the VS physical OS.

    But when I turn on the ISA VM, within a little time, like 5 minutes, I can't access my physical machine via the network at all.

    Is the system still working? Yes, of course! Because I can still access another VM of mine which is sharing the same NIC also.

    Do you have any comment on how to solve this issue?

  • That was indeed very informative! Thanks!

  • Look at all that spam... I think you guys need to set up a Captcha out here..

  • I think this blog entry misses the most important point, and that is that this is not a secure configuration, because the partitioning of the VMs from each other, and from the host OS, is not secure. Firewalls should never be put on VMs except for testing and "honeypot" deployments.

  • Hi. Given that virtualization is something that is here to stay, it's worth being aware of the implications.

  • Yes, a Virtual Server host does not protect the guest machines, because they are not secure. Anyway, thanks for sharing.

