Secure DMZ VM deployment using separate vSwitch
  • Secure DMZ VM deployment using separate vSwitch

    Hi All,

    I've set up my current ESXi host with 2 pNICs for secure deployment of production VMs like the attached screenshot:

    The reason is to make it easier to backup through the management network (Gigabit Ethernet connected to my LAN switch) while the actual VM is connected into DMZ-Network separate vSwitch and then the uplink is connected directly to the router for access to the world.

    I wonder if this is the typical secure deployment that everyone else is using?
    Any kind of comments would be greatly appreciated.

    Thanks.
    Attached Files

  • #2
    Re: Secure DMZ VM deployment using separate vSwitch

    This is exactly what I will be setting up soon too!

    I have concerns about security though. I think vShield will help: http://www.vmware.com/products/vshield-zones/

    Simon



    • #3
      Re: Secure DMZ VM deployment using separate vSwitch

      Originally posted by simondrake79:
      This is exactly what I will be setting up soon too!

      I have concerns about security though. I think vShield will help: http://www.vmware.com/products/vshield-zones/

      Simon
      Great man, thanks for the reply.



      • #4
        Re: Secure DMZ VM deployment using separate vSwitch

        This looks ok.
        A really big NO NO is to put the management port on the DMZ LAN - which you have not done - so that is good.
        You might want to look into getting more NICs for the server, if you would like to provide some kind of redundancy for it.
        Maish
        ----------------------------------------------------------
        Technodrone | @maishsk | Author of VMware vSphere Design
        VMware vExpert 2013-2010, VCAP5-DCA/DCD, VCP
        MSCA 2000/2003, MCSE 2000/2003
        A proud husband and father of 3 girls
        ----------------------------------------------------------
        If you find the information useful please don't forget to give reputation points.

        Have a good one!!



        • #5
          Re: Secure DMZ VM deployment using separate vSwitch

          Originally posted by Maish:
          This looks ok.
          A really big NO NO is to put the management port on the DMZ LAN - which you have not done - so that is good.
          You might want to look into getting more NICs for the server, if you would like to provide some kind of redundancy for it.
          Thanks Maish for your confirmation, now I'm confident that this standard setting is secure enough.

          Cheers,
          Albert



          • #6
            Re: Secure DMZ VM deployment using separate vSwitch

            10/Half: you might want to get faster NICs too.
            VCDX3 #34, VCDX4, VCDX5, VCAP4-DCA #14, VCAP4-DCD #35, VCAP5-DCD, VCPx4, vEXPERTx4, MCSEx3, MCSAx2, MCP, CCAx2, A+
            boche.net - VMware Virtualization Evangelist
            My advice has no warranties. Follow at your own risk.



            • #7
              Re: Secure DMZ VM deployment using separate vSwitch

              Originally posted by jasonboche:
              10/Half: you might want to get faster NICs too.
              haha...

              Thanks Jason, the slowdown is because this port is directly connected to the old Cisco router, so no NIC can be replaced here.



              • #8
                Re: Secure DMZ VM deployment using separate vSwitch

                Please don't think I'm hijacking your thread. It just seems you are looking at the same thing I am, but maybe further along?

                I've included 2 attachments, which are simplified diagrams for explanation's sake. Assume that physical network redundancy is included.

                The first is your typical web server deployment in a back-to-back perimeter network with 3 segments - public external, private perimeter, and private internal.

                The second diagram has the normal elements for a VMware configuration to allow for vMotion and HA.

                Now. If I want the Web Server in the first diagram to be hosted within the ESX cluster, then the Client Network of the second diagram should be connected to the Perimeter switch, just as Albertwt has done.

                However, if I have VMs within that cluster that are to be connected to the Internal switch, then I should have additional NICs on the hosts and create a 2nd Client Network with a second vSwitch.

                Is my understanding correct?

                Further thinking... If my ESX cluster contains a Perimeter vSwitch and an Internal vSwitch, is it better to let the physical Back Firewall handle traffic between VMs on those vSwitches, or would I see better performance if I could include such a thing as a vFirewall?
                Attached Files
                Last edited by TokyoBrit; 10th May 2010, 11:43.

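The two rules the thread converges on (post #4: never put the management port on the DMZ vSwitch; post #8: each zone, Perimeter and Internal, gets its own vSwitch on its own pNICs) can be checked mechanically. The following audit script is an added example, not code from the thread or from VMware; the host inventory format and the `build_inventory`/`audit` helpers are hypothetical and constructed here, and in practice the inventory would be filled from the host's vSwitch and port group configuration.

```python
"""Audit an ESXi host's vSwitch layout against the DMZ rules discussed in the thread.

Checks:
  1. A management VMkernel port never sits on a vSwitch that carries the perimeter zone.
  2. Port groups from different zones (internal vs. perimeter) never share a vSwitch.
  3. Every vSwitch that carries a zone has at least two physical uplinks (redundancy).
The inventory format below is hypothetical and constructed for this example.
"""


def build_inventory(mgmt_on_dmz=False):
    """Constructed two-pNIC host like the one in the first post.

    With mgmt_on_dmz=True the Management Network is (wrongly) placed on the DMZ
    vSwitch, the configuration post #4 calls a 'big NO NO'.
    """
    mgmt = {"name": "Management Network", "zone": "internal", "vmkernel": True}
    vs0 = {"uplinks": ["vmnic0"], "portgroups": [
        {"name": "Backup VMs", "zone": "internal", "vmkernel": False}]}
    vs1 = {"uplinks": ["vmnic1"], "portgroups": [
        {"name": "DMZ-Network", "zone": "perimeter", "vmkernel": False}]}
    (vs1 if mgmt_on_dmz else vs0)["portgroups"].append(mgmt)
    return {"vSwitch0": vs0, "vSwitch1": vs1}


def audit(host):
    """Return a list of findings; an empty list means the layout passes all checks."""
    findings = []
    for name, sw in host.items():
        zones = {pg["zone"] for pg in sw["portgroups"]}
        # Check 1: a VMkernel (management) port on a perimeter-facing vSwitch.
        for pg in sw["portgroups"]:
            if pg["vmkernel"] and "perimeter" in zones:
                findings.append(f"CRITICAL {name}: VMkernel port '{pg['name']}' "
                                "shares a vSwitch with the perimeter zone")
        # Check 2: one vSwitch carrying more than one security zone.
        if len(zones) > 1:
            findings.append(f"HIGH {name}: mixes zones {sorted(zones)}; "
                            "give each zone its own vSwitch and pNIC")
        # Check 3: a single uplink means no physical NIC redundancy.
        if zones and len(sw["uplinks"]) < 2:
            findings.append(f"INFO {name}: only {len(sw['uplinks'])} uplink, "
                            "no NIC redundancy")
    return findings


if __name__ == "__main__":
    for finding in audit(build_inventory(mgmt_on_dmz=True)):
        print(finding)
```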


                • #9
                  Re: Secure DMZ VM deployment using separate vSwitch

                  That's ok man, we learn together here.

                  and to be honest I'm still learning here as well. It would be better if we've got anyone who has the knowledge to reply back as your answer.



                  • #10
                    Re: Secure DMZ VM deployment using separate vSwitch

                    Well, the Petri IT KB has certainly helped me in the past. One of the few general IT resources in English that I have access to. Always welcome the feedback.

                    So, the vShield Zones that simondrake79 linked seemed to fit the bill concerning my idea for a vFirewall, but there was a blog that had me thinking it's probably not worth it.

                    http://www.dailyhypervisor.com/2010/...rious-gotchas/

                    The amount of manual configuration to get it working properly with VMotion and DRS seems a lot compared to most other features of vSphere. Maybe it's just too new and the teams at VMware haven't simplified the interface yet?

                    In any case, if all my Perimeter/Internal VM communication is over a physical Back Firewall I don't think there is any impact to security by not using vShield, but I'd like further comments.

                    I've created a new physical/virtual combined diagram to help me get my head around this, and because diagrams are the best way to express ideas to my Japanese coworkers.
                    Attached Files
