>> As for networking, the trick is not to configure IP (or any other
>> protocol) on the host's NICs exposed to the Internet. This way, it's
>> almost as if the NIC does not exist and, while you can sometime attack
>> what you can't see, you can't attack what is not there!
> Ah, that makes sense.
>
> I have read that there are claims that the VM layer can be hacked,
> which allows and attacker to actually change the VM settings.  Is this
> a real threat?  I mean, the VM firewall instance in theory is not as
> secure as would be a dedicated firewall, right?  On the other hand,
> the difference in security is probably negligible.
>

At least in what concerns VMware, there is one interface between the VM
and the host, and it's a couple of I/O ports that are used to let the
VMware Tools communicate with the host and vice-versa. As you can
imagine, it's one of the most audited pieces of code within VMware. But,
of course, an intrusion through that vector is still possible - albeit,
as you say, probably negligible.

Let me recall that, in order to be able to exploit that, an intruder
would have to "own" the VM first, and then eventually extend the attack
to other VMs through the virtualization layer. If the firewall is
adequately locked down, it won't be intruded, and any further intrusion
to other VMs doesn't occur.

Again, this refers to VMware; I don't know about Xen.

Paulo