The configuration of a host operating system such as to provide isolation of a virtual machine (using VMWare) has been described in [Gom04]. This configuration provides the advantage that the host OS does not have an IP stack associated with the experimental network. The traffic from the experimental network is bridged directly into the virtual machines. Therefore, networked virtual machines see only other virtual machines; malicious code cannot attack a host OS directly through the network. Moreover, the virtual machines can be denied access to the control network interface.

The idea is to confine the virtual machines to the experimental network while allowing remote access and control through another network interface. Essentially, the VMWare settings are owned by root, so normal users can't change which network interface is used, and whether bridging or NAT is used, regardless of the settings of the guest machine. Therefore, VMWare is configured to use the two NICs on the experimental network in bridging mode. The host IP stack is disabled for those NICs. All other VMWare networks are disabled. Normal users can then run VMWare without changing the settings. This works for both VMWare workstation and GSX. Also, by making bridges created by root only available to User Mode Linux (UML) to the experimental network, the networking of UML images can be constrained.
[Gom04] Gonzalez Gomez D (2004) Installing a Virtual Honeywall using VMware.

Current ReAssure Setup
Guest InterfaceVMware NetworkHost Interface
eth0vmnet0eth1
eth1vmnet2eth2
eth2vmnet3eth3
eth3vmnet4eth4
eth4N/Aeth5
vmnet1 is used for host-only networking, and is not enabled by default. vmnet8 is used for NAT networking, and is enabled on exp01 and exp02 only for the purpose of updating images (experiments should not use vmnet1). Exp01 and 02 do not have access to the experimental network.