The virtualization of the most exposed part of any infrastructure, the DMZ, is something inevitable. And sooner or later a vendor had to cover the topic.
VMware is the first, with a new nine-page best practice paper.
There is nothing bad in virtualizing the DMZ as long as we are fully aware of the risks.
One of the biggest security risks in virtualization is mixing virtual machines at different risk levels on the same host. Yet this is one of the first and most frequent mistakes a company makes, because virtualization professionals approach workload consolidation looking at performance and at maximum usage of the physical resources, not at security levels.
This happens for several reasons: the company doesn’t yet perceive a concrete risk in virtualizing its infrastructure, so it just aims at maximum ROI; the virtualization professional may not know enough about security, or simply doesn’t care.
The VMware paper is a perfect example to clarify this point.
It presents three different approaches to virtualizing a complex DMZ with three screened subnets: the first recommends a separate virtualization host for each segment and is clearly more expensive, while the other two suggest consolidating multiple segments on the same virtualization host.
These last two approaches should be avoided at all costs because they assume the inviolability of the hypervisor (at every level, from the virtual networking to the kernel), something that neither VMware nor any other virtualization vendor can guarantee.
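The placement rule behind the first approach (one hypervisor host per screened subnet, never two security zones on one host) is easy to turn into an inventory check. The following is an added example, not code from the VMware paper; it assumes a constructed inventory of (VM, host, zone) tuples such as one would export from a management console, flags any host that consolidates more than one zone, and proposes moves onto a host already dedicated to the offending zone (or a placeholder for a new host if none exists).

```python
"""Placement check for a virtualized DMZ: every hypervisor host must carry
VMs from exactly one security zone. Example code with a constructed
inventory; the host and zone names are assumptions, not from any real site."""
from collections import defaultdict

# Constructed inventory: (vm_name, hypervisor_host, security_zone).
# The last entry deliberately violates the rule by putting a middle-zone
# VM on the host that also runs the inner zone.
INVENTORY = [
    ("web-01", "esx-dmz-a", "dmz-outer"),
    ("web-02", "esx-dmz-a", "dmz-outer"),
    ("app-01", "esx-dmz-b", "dmz-middle"),
    ("db-01",  "esx-dmz-c", "dmz-inner"),
    ("app-02", "esx-dmz-c", "dmz-middle"),
]


def zones_per_host(inventory):
    """Map each host to the set of security zones it currently runs."""
    by_host = defaultdict(set)
    for _vm, host, zone in inventory:
        by_host[host].add(zone)
    return dict(by_host)


def find_mixed_hosts(inventory):
    """Return {host: sorted zones} for every host that consolidates more
    than one zone, i.e. every host whose isolation rests only on the
    hypervisor rather than on physical separation."""
    return {host: sorted(zones)
            for host, zones in zones_per_host(inventory).items()
            if len(zones) > 1}


def propose_moves(inventory):
    """For each mixed host keep the zone with the most VMs (ties broken by
    zone name) and propose moving every other VM to a host already dedicated
    to its zone, or to a placeholder host if no such host exists.
    Returns a list of (vm, from_host, to_host)."""
    by_host = zones_per_host(inventory)
    # Hosts that already run a single zone are valid targets for that zone.
    dedicated = {next(iter(zones)): host
                 for host, zones in by_host.items() if len(zones) == 1}
    moves = []
    for host, zones in find_mixed_hosts(inventory).items():
        counts = {z: sum(1 for _vm, h, zz in inventory if h == host and zz == z)
                  for z in zones}
        keep = sorted(zones, key=lambda z: (-counts[z], z))[0]
        for vm, h, z in inventory:
            if h == host and z != keep:
                target = dedicated.get(z, f"NEW-HOST-FOR-{z}")
                moves.append((vm, host, target))
    return moves


if __name__ == "__main__":
    for host, zones in find_mixed_hosts(INVENTORY).items():
        print(f"VIOLATION: {host} mixes zones {', '.join(zones)}")
    for vm, src, dst in propose_moves(INVENTORY):
        print(f"move {vm}: {src} -> {dst}")
```

Run against the constructed inventory, the check reports esx-dmz-c as mixing dmz-inner and dmz-middle and proposes moving app-02 to esx-dmz-b, which already runs only the middle zone. On a real estate the inventory would come from the management API rather than a literal, but the policy logic is the same.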