
ISA on a Virtual Server host does not protect the guest machines

If you're running Virtual Server (or Virtual PC), and have some guest machines connected to the Internet, you probably don't want to leave them unprotected. You may think that installing ISA on the host machine would protect the guest machines. But it doesn't! You can verify it easily - run some traffic between the guest machine and the Internet (say, browse to some public web site), and see that the traffic passes even though there's no rule that would allow it. Also, the traffic does not appear in the ISA log at all.
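The check in the paragraph above, as an added example that is not part of the original post: connections the guest opened (collected with run_probe() on the guest, or listed by hand) are correlated against ISA's W3C-format firewall log, and any connection with no matching log record is one that never passed through fweng.sys. The log parser takes its column names from the file's own `#Fields:` directive rather than a hard-coded schema. The sample log, the probe list, the addresses, and the default field names "source", "destination" and "destination port" are constructed assumptions for this illustration; pass your own log's field names if they differ.

```python
"""Correlate a guest's outbound connections with the ISA firewall log.

Added example, not code from the original post or from ISA Server.
ISA 2004/2006 can write its firewall log in W3C extended format; the
parser below reads the column names from the log's own '#Fields:'
directive. The sample log and probe list at the bottom are constructed
for illustration, and the default field names in unlogged_probes() are
assumed to match that sample.
"""
import socket
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List, Optional, Sequence


@dataclass(frozen=True)
class Probe:
    """One TCP connection a guest machine opened towards the Internet."""
    src_ip: str
    dst_ip: str
    dst_port: int


def run_probe(dst_ip: str, dst_port: int, timeout: float = 3.0) -> Optional[Probe]:
    """Open a TCP connection from this machine and record the addresses used.

    Run this on the guest. Returns None if the connection was refused or
    timed out; otherwise the Probe is what you later look for in the ISA log.
    """
    try:
        with socket.create_connection((dst_ip, dst_port), timeout=timeout) as s:
            return Probe(s.getsockname()[0], dst_ip, dst_port)
    except OSError:
        return None


def parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per record of a W3C extended log.

    Column names come from the '#Fields:' directive in the file itself.
    Names and values are tab-separated; other '#' lines are header
    directives and are skipped.
    """
    fields: Optional[List[str]] = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
            continue
        if line.startswith("#") or fields is None:
            continue
        values = line.split("\t")
        if len(values) != len(fields):
            continue  # truncated or malformed record: skip rather than misalign columns
        yield dict(zip(fields, values))


def unlogged_probes(probes: Sequence[Probe], log_lines: Iterable[str],
                    src_field: str = "source", dst_field: str = "destination",
                    port_field: str = "destination port") -> List[Probe]:
    """Return the probes that have no matching record in the firewall log.

    A connection the guest made that ISA never logged is exactly the symptom
    the post describes: the frames were switched to the guest below fweng.sys.
    The field-name defaults are an assumption matching the constructed sample.
    """
    seen = set()
    for rec in parse_w3c(log_lines):
        try:
            seen.add((rec[src_field], rec[dst_field], int(rec[port_field])))
        except (KeyError, ValueError):
            continue  # record lacks the columns we correlate on
    return [p for p in probes if (p.src_ip, p.dst_ip, p.dst_port) not in seen]


def _rec(*cols: str) -> str:
    return "\t".join(cols)


# Constructed sample log: a subset of ISA-style columns, not the full schema.
SAMPLE_LOG = "\n".join([
    "#Software: ISA Server firewall log (constructed sample)",
    _rec("#Fields: computer", "date", "time", "IP protocol", "source", "destination",
         "source port", "destination port", "rule"),
    _rec("ISAHOST", "2007-06-24", "20:10:01", "TCP", "10.0.0.2", "192.0.2.10", "1042", "80", "Allow Web"),
    _rec("ISAHOST", "2007-06-24", "20:10:05", "TCP", "10.0.0.2", "198.51.100.7", "1043", "443", "Default rule"),
])

# Constructed probes: 10.0.0.2 sits behind a separate Internal NIC and is
# logged; 192.168.1.50 shares the host's NIC with the ISA host and is not.
PROBES = [
    Probe("10.0.0.2", "192.0.2.10", 80),
    Probe("192.168.1.50", "192.0.2.10", 80),
    Probe("192.168.1.50", "198.51.100.7", 443),
]

if __name__ == "__main__":
    for p in unlogged_probes(PROBES, SAMPLE_LOG.splitlines()):
        print(f"NOT logged by ISA: {p.src_ip} -> {p.dst_ip}:{p.dst_port}")
```

Run run_probe() on the guest against a destination that ISA's policy should block; if the connection succeeds and unlogged_probes() still reports it after the log has been written, the guest is not behind ISA. A guest placed behind a separate Internal NIC shows up in the log under its internal address and is either allowed or denied by a rule.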

 

The reason is that Virtual Server uses an NDIS driver bound to the physical NIC to switch traffic to its guest machines by destination MAC address. That driver sits below ISA's firewall engine driver (fweng.sys) in the network stack, so a frame addressed to a guest is delivered to the guest, and a frame the guest sends goes out the NIC, before ISA ever sees it. Nothing is inspected and nothing is logged:

 

[Figure: ISA-on-a-VS-host-not-protecting]

  

One way to get the guests behind ISA is to add a second NIC to the host (call it Internal), connect the guest machines only to that NIC, and have ISA route/NAT traffic between that NIC and the "real" (External) NIC:

 

[Figure: ISA-on-a-VS-host-protecting]

 

In this configuration the guest machines are no different from physical machines plugged into the Internal NIC. You get all the hassle of a second network - IP address assignment, NAT, etc. - but your guest machines are protected, and you've used only one physical machine. Make sure each guest is attached only to the Internal network: a guest with a second virtual NIC on the External network is right back in the unprotected situation above. For extra virtualization credit, you can use the Microsoft Loopback Adapter as the Internal NIC instead of a physical one.

 

-Jonathan Barner

ISA Server Sustained Engineering Team

Published Sunday, June 24, 2007 8:20 PM by isablog

Comments

# WindowsVirtualization.com » Blog Archive » ISA Server on the host does not protect the Virtual Machines!

# re: ISA on a Virtual Server host does not protect the guest machines

Hi all,

Sounds logical. Thanks for clarifying this.

Greetings, Marc Grote

Monday, June 25, 2007 12:43 AM by Marc Grote

# ISA VM block network access to the physical server

I am having problems which I find strange myself. First of all, I have an ISA 2006 VM running on Virtual Server 2005 R2, using only 1 NIC by sharing it between the ISA VM and the VS physical OS.

But when I turn on the ISA VM, within a short time, like 5 minutes, I can't access my physical machine via the network at all.

Is the system still working? Yes, of course! Because I can still access another VM of mine which is sharing the same NIC also.

Do you have any comment on how to solve this issue?

Wednesday, June 27, 2007 11:05 AM by James NW

# re: ISA on a Virtual Server host does not protect the guest machines

That was indeed very informative! Thanks!

Thursday, August 16, 2007 1:13 PM by Shijaz

# re: ISA on a Virtual Server host does not protect the guest machines

Look at all that spam... I think you guys need to set up a Captcha out here..

Thursday, August 16, 2007 1:18 PM by Shijaz

# re: ISA on a Virtual Server host does not protect the guest machines

I think this blog entry misses the most important point, and that is that this is not a secure configuration, because the partitioning of the VMs from each other, and from the host OS, is not secure. Firewalls should never be put on VMs except for testing and "honeypot" deployments.

Sunday, November 11, 2007 12:00 PM by tshinder

# ISA Server and Hyper-V: Security considerations

Hi, Given that virtualization is here to stay, it is worth being aware of the implications

Friday, September 12, 2008 8:56 AM by Blog sobre assuntos IT Pro