Remember, virtualization is not a security technology, therefore you should not fully trust the partitioning between VMs; that's why ISA Firewall shouldn't be run in VMs in a production environment. For testing it's great, but never in production.
I would definitely agree with Tom. A firewall is a physical machine used to provide physical segmentation. ISA would run on top of the OS, protecting itself (and therefore the host and the OS). Even in the dumb single-adapter scenario (the Web Proxy Filter is an application filter and not an independent service) the host (OS) will be protected by ISA. Run on a VM, ISA will protect the guest and not the host, therefore the host will be vulnerable and ISA will not be able to do anything about it. Consider that you are actually using VMware Server (the free software from VMware) and install ISA with two adapters, one bridged to the physical NIC and a VMnet one. On the local-only network you would put some servers you want to protect with ISA. If an attacker compromises the real host, enabling the VMnet adapter on the host (which should be disabled) will give him direct access to the servers "behind" ISA. Whatever you would do on the host to protect the VMs, the attacker can do too, in the opposite way, once he has compromised the host. Regards.
Layer 2 network security policies. Enforce security for virtual machines at the Ethernet layer. Disallow promiscuous mode sniffing of network traffic, MAC address changes, and forged source MAC transmits.
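The three policies quoted above are easy to misread (two of them sound alike), so here is a small model of what a virtual switch port actually does under each setting, with a sniffing, a spoofing and a MAC-hijacking attempt run once with everything set to Reject and once with everything set to Accept. This is an added example written for this thread, not VMware code and not part of the original post; the policy semantics follow VMware's documented behaviour (promiscuous mode and MAC address changes govern inbound frames, forged transmits governs outbound frames), while the class names, the `run_scenario` helper and the MAC addresses are constructed for the illustration.

```python
"""Toy model of the Layer 2 security policies of a VMware-style virtual switch.

Added example, not VMware code. Semantics modelled (per VMware's documentation):
  promiscuous mode   Reject: a port only receives frames addressed to it
  MAC address changes Reject: a port whose guest changed its MAC receives nothing
  forged transmits   Reject: an outbound frame's source MAC must be the port's MAC
All names and MAC addresses below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import List, Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_multicast(mac: str) -> bool:
    """Group bit (least significant bit of the first octet) set."""
    return bool(int(mac.split(":")[0], 16) & 1)


@dataclass
class Frame:
    src: str
    dst: str
    note: str = ""


@dataclass
class SecurityPolicy:
    """One flag per port-group setting; False means 'Reject', True means 'Accept'."""
    promiscuous_mode: bool = False
    mac_address_changes: bool = False
    forged_transmits: bool = False


@dataclass
class VirtualPort:
    name: str
    initial_mac: str                      # MAC in the VM configuration (.vmx)
    policy: SecurityPolicy
    effective_mac: Optional[str] = None   # MAC the guest OS is currently using
    received: List[Frame] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.initial_mac = self.initial_mac.lower()
        self.effective_mac = (self.effective_mac or self.initial_mac).lower()

    def guest_changes_mac(self, mac: str) -> None:
        """The guest OS reprograms its NIC's MAC (e.g. to impersonate a neighbour)."""
        self.effective_mac = mac.lower()

    def inbound_blocked(self) -> bool:
        """MAC address changes = Reject: once effective != initial, no frames are delivered."""
        return (not self.policy.mac_address_changes
                and self.effective_mac != self.initial_mac)

    def may_transmit(self, frame: Frame) -> bool:
        """Forged transmits = Reject: the source MAC must equal the effective MAC."""
        return self.policy.forged_transmits or frame.src.lower() == self.effective_mac

    def deliver(self, frame: Frame) -> bool:
        if self.inbound_blocked():
            return False
        dst = frame.dst.lower()
        for_me = dst == self.effective_mac or dst == BROADCAST or is_multicast(dst)
        if for_me or self.policy.promiscuous_mode:  # Accept: the port sees every frame
            self.received.append(frame)
            return True
        return False


class VirtualSwitch:
    def __init__(self) -> None:
        self.ports: List[VirtualPort] = []

    def attach(self, port: VirtualPort) -> VirtualPort:
        self.ports.append(port)
        return port

    def send(self, sender: VirtualPort, frame: Frame) -> List[str]:
        """Names of the ports that received the frame; [] if it was dropped at egress."""
        if not sender.may_transmit(frame):
            return []
        return [p.name for p in self.ports if p is not sender and p.deliver(frame)]


def run_scenario(policy: SecurityPolicy) -> dict:
    """Two protected servers plus an attacker-controlled VM on one port group;
    reports what the attacker can see and do under the given policy."""
    sw = VirtualSwitch()
    srv1 = sw.attach(VirtualPort("srv1", "00:50:56:00:00:01", policy))
    srv2 = sw.attach(VirtualPort("srv2", "00:50:56:00:00:02", policy))
    evil = sw.attach(VirtualPort("evil", "00:50:56:00:00:03", policy))

    # 1. Sniffing: a unicast between the servers is visible to evil only under promiscuous Accept.
    seen = sw.send(srv1, Frame(srv1.effective_mac, srv2.effective_mac, "srv1->srv2 data"))

    # 2. Spoofing: evil forges srv1's MAC as the source (ARP-poisoning style).
    spoofed = sw.send(evil, Frame(srv1.effective_mac, BROADCAST, "gratuitous ARP for srv1"))

    # 3. Hijacking: evil reprograms its NIC to srv1's MAC to receive srv1's traffic.
    evil.guest_changes_mac(srv1.effective_mac)
    hijacked = sw.send(srv2, Frame(srv2.effective_mac, srv1.effective_mac, "srv2->srv1 reply"))

    return {
        "evil_sniffs_unicast": "evil" in seen,
        "forged_frame_forwarded": bool(spoofed),
        "evil_receives_hijacked": "evil" in hijacked,
        "srv1_still_receives": "srv1" in hijacked,
    }


if __name__ == "__main__":
    print("all Reject:", run_scenario(SecurityPolicy()))
    print("all Accept:", run_scenario(SecurityPolicy(True, True, True)))
```

With every policy set to Reject, the attacker VM sees neither the unicast nor the hijacked reply and its forged frame never leaves its port; with every policy set to Accept, all three attacks succeed, which is the point of leaving the defaults at Reject on any port group that carries traffic the guests should not be able to observe or impersonate.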
Regarding Hyper-V vs ESX, allow me to drop the marketing bombs, 1 and 2. There is no question that VMware is ahead of Microsoft, but personally, I kinda like Hyper-V (yes, although I'm a VMware fan). I usually and normally use VMware ESX most of the time, but I also have a Hyper-V server which I mess with from time to time, sometimes more often...
As Tom said, in the end, it's all about the level of security you will expect to get and that you will obtain in practice, comparing a VM with a physical machine. A decision has to be made with a proper acknowledgment of the facts, and, as Steve noted, not omitting the hypervisor used.
That's very interesting regarding the Cisco managed switch. It would be very interesting to see how these are deployed, and if MS has plans for its own virtual managed switch offerings. Exciting stuff!
Cisco has signed up to Microsoft's Server Virtualization Validation Program (maybe for their WAAS). I can't see what would stop Microsoft from also getting a Cisco virtual switch for Hyper-V, for example, if they really wanted to. In my opinion, Microsoft got a good start with Hyper-V, a nice product, and the future looks promising.
No PM links on your profile, eh? Too bombarded? I had some links that might explain the question about the Hyper-V networks from your new article. I'll just send you an email; maybe, unusually, you will receive this one.
Support for the listed applications is provided for the applications running on Hyper-V and other validated virtualization platforms. More details can be found in Microsoft Support Knowledgebase article 957006: Microsoft server software and supported virtualization environments.
This article discusses the support policy for running Microsoft server software in the following supported virtualization environments:
• Windows Server 2008 with Hyper-V
• Microsoft Hyper-V Server 2008
• Server Virtualization Validation Program (SVVP)
MORE INFORMATION The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.
Third parties are responsible for testing their software together with Microsoft software. Microsoft software may not work as intended in third-party virtualized hardware environments.
VMware Lays Foundation for Broader Market Penetration by Giving Customers Access to Support for Software For All Major Microsoft Applications such as Microsoft Exchange Server, SQL Server, SharePoint Server and others across Virtualized Environments
PALO ALTO, Calif. – Sept 3, 2008 -- VMware, Inc. (NYSE: VMW), the global leader in virtualization solutions from the desktop to the datacenter, today announced it has qualified its industry-leading VMware ESX hypervisor under the Microsoft Server Virtualization Validation Program (SVVP). VMware ESX 3.5 update 2 (ESX 3.5u2) is the first hypervisor to be listed under the program, providing VMware customers who run Windows Server and Microsoft applications with access to cooperative support from Microsoft and VMware.
Microsoft’s Server Virtualization Validation Program enables VMware and other software providers to test and validate their virtualization software to run Windows Server 2008 and previous versions of Windows Server. Under this program, Microsoft offers cooperative technical support to customers running Windows Server on validated, non-Microsoft server virtualization software, such as VMware ESX 3.5 update 2. Customers with support policies in place, and running Windows Server-based applications on VMware ESX 3.5u2, can receive cooperative technical support from Microsoft. VMware also offers an extra layer of protection for customers, outside of Microsoft’s Server Virtualization Validation Program, who work directly with VMware for support. The additional protection is a part of the VMware Premier Support contract with Microsoft that enables VMware to escalate application issues rapidly and work directly with Microsoft engineers to expedite resolution.
Microsoft has updated its technical support policy for 31 server applications so that customers can receive technical support when deploying those applications on Windows Server 2008 Hyper-V, Microsoft Hyper-V Server or any other third-party validated virtualization platform. Now customers can get the same level of product support in a virtualized environment that they are accustomed to with nonvirtual environments.
So it appears (maybe someone can confirm with a real situation) that ISA is officially supported in ESX 3.5 U2 too.