Most server virtualization vendors tell you that their products provide virtual layer 2 switches for connecting virtual machines (VMs) to each other and to the production network. If you base your assumptions on how a traditional layer 2 switch operates, you probably expect the virtual switch to isolate each VM's unicast frames from the other VMs. Depending on the server virtualization platform, that is not always the case: some virtual switches do not isolate unicast traffic between VMs on the same virtual network.

It's no secret that VMware's Virtual Infrastructure platform and ESX Server provide excellent network isolation and 802.1Q virtual LAN (VLAN) trunking support, so when virtual network security is a concern, ESX Server is an easy choice. Since I see ESX as a known commodity, I was curious to see how the other server virtualization platforms stacked up against it in terms of network isolation. To be fair, I decided to evaluate the three leading freely available server virtualization platforms:
- VMware Server
- Microsoft Virtual Server 2005 R2
- XenSource XenExpress
The results of my tests can be viewed in my article Virtual Switch Security: VMware, Virtual Server, and Xen Express.

#1 by Paul Misner - February 3rd, 2008 at 14:58
Chris, great article about a problem that isn't being addressed in the industry. Right now, you need to consider VMs running under the same hypervisor only as secure as servers running on the same local subnet, unless you do perform some of the changes you recommended.
I'd be curious if running a virtualized firewall could help isolate traffic between VMs.
Nice touch with Broadcom Control Suite. I didn’t know that trick existed.
You are the man!