ISA on a Virtual Server host does not protect the guest machines

If you're running Virtual Server (or Virtual PC), and have some guest machines connected to the Internet, you probably don't want to leave them unprotected. You may think that installing ISA on the host machine would protect the guest machines. But it doesn't! You can verify it easily - run some traffic between the guest machine and the Internet (say, browse to some public web site), and see that the traffic passes even though there's no rule that would allow it. Also, the traffic does not appear in the ISA log at all.

The reason for this is that Virtual Server uses an NDIS driver to route traffic to its guest machines, according to their MAC addresses. Since NDIS drivers are located below ISA's driver (fweng.sys), the traffic is routed before ISA even sees it:

[Figure: ISA-on-a-VS-host-not-protecting]

One way to put ISA back in the path is to add another NIC (call it Internal), connect the guest machines only to that NIC, and have ISA route/NAT traffic between that NIC and the "real" (External) NIC:

[Figure: ISA-on-a-VS-host-protecting]

Actually, in this case the guest machines are no different from other physical machines connected to the Internal NIC. You get all the hassles of having another network - IP address assignment, NAT, etc. - but at least your guest machines are protected, and you've only used one physical machine! For extra virtualization credit, you can use a loopback adapter for the Internal NIC.
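The verification described at the top of the post (guest traffic flows but never shows up in ISA's log) can be turned into a routine check: give the script the guest IPs you expect to sit behind ISA and it reports which ones have no log record at all. This is an added example, not code from the original post; it assumes ISA's W3C-format log with a `#Fields:` header, the column names `c-ip`, `r-ip`, `Action` and `rule` are assumed, and the sample log lines are constructed.

```python
"""Check whether guest VMs actually appear in ISA's firewall log.

Added example (not from the original post). Assumes ISA's W3C-format
log, whose '#Fields:' header names the columns; the column names used
here (c-ip, r-ip, Action, rule) are assumed, and the sample lines are
constructed, not captured from a real host.
"""
from collections import defaultdict

# Constructed sample of an ISA W3C log: a "#Fields:" header followed by
# one record per line. The host (10.0.0.5) and one routed guest (10.0.0.21)
# appear; guest 10.0.0.20 is bridged straight onto the external NIC and
# therefore never shows up, even though it is browsing the Internet.
SAMPLE_LOG = """\
#Software: Microsoft(R) Internet Security and Acceleration Server 2006
#Fields: date time c-ip r-ip cs-protocol Action rule
2007-06-27 10:00:01 10.0.0.5 198.51.100.7 http Allowed Allow Web
2007-06-27 10:00:02 10.0.0.5 198.51.100.9 https Denied Default rule
2007-06-27 10:00:03 10.0.0.21 198.51.100.7 http Allowed Allow Web
"""

def parse_w3c(text):
    """Yield one dict per log record, keyed by the '#Fields:' header names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Date, ...) and blanks
        if fields is None:
            raise ValueError("log record appears before a #Fields header")
        # The last column (rule name) may contain spaces, so split only
        # len(fields)-1 times and keep the remainder intact.
        values = line.split(None, len(fields) - 1)
        yield dict(zip(fields, values))

def unlogged_guests(log_text, guest_ips, client_field="c-ip"):
    """Return (seen, missing): guests with at least one log record, and those
    with none. A guest that is generating traffic but lands in 'missing' is
    being switched around ISA at the NDIS layer, not routed through it."""
    counts = defaultdict(int)
    for rec in parse_w3c(log_text):
        counts[rec.get(client_field)] += 1
    seen = {ip: counts[ip] for ip in guest_ips if counts[ip]}
    missing = sorted(ip for ip in guest_ips if not counts[ip])
    return seen, missing

if __name__ == "__main__":
    seen, missing = unlogged_guests(SAMPLE_LOG, ["10.0.0.20", "10.0.0.21"])
    print("logged by ISA:", seen)
    print("never logged (bypassing ISA?):", missing)
```

Run it against a real log only after generating traffic from each guest; a guest with zero records during a window in which it was demonstrably online is the symptom the post describes.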

-Jonathan Barner

ISA Server Sustained Engineering Team

Comments

  • Anonymous
    January 01, 2003
    Hi, given that virtualization is something that is here to stay, it's worth being aware of the implications

  • Anonymous
    January 01, 2003
    PingBack from http://blog.windowsvirtualization.com/?p=258

  • Anonymous
    January 01, 2003
    I think this blog entry misses the most important point, and that is that this is not a secure configuration, because the partitioning of the VMs from each other, and from the host OS, is not secure. Firewalls should never be put on VMs except for testing and "honeypot" deployments.

  • Anonymous
    June 25, 2007
    Hi @all, sounds logical Thanks for clarifying this. greetings Marc Grote

  • Anonymous
    June 27, 2007
    I am having problems which I find strange myself. First of all, I have an ISA 2006 VM running on Virtual Server 2005 R2, using only 1 NIC, shared between the ISA VM and the VS physical OS. But when I turn on the ISA VM, within a short time, like 5 minutes, I can't access my physical machine via the network at all. Is the system still working? Yes, of course! Because I can still access another VM of mine which is also sharing the same NIC. Do you have any comment on how to solve this issue?

  • Anonymous
    August 16, 2007
    That was indeed very informative! Thanks!

  • Anonymous
    August 16, 2007
    Look at all that spam... I think you guys need to set up a Captcha out here..