46 Replies Last post: Oct 16, 2005 2:06 AM by fk

ESX VM's on the DMZ?

Jul 14, 2005 6:55 AM

zhouse (Expert, 361 posts since Jul 11, 2005)
Is this a big no-no? When it was brought up in a meeting yesterday everyone was up in arms about the idea. I am not talking about the service console being on the DMZ, only a vSwitch having a connection to the DMZ. Is there any best practice against this idea? Or any security reason why we wouldn't want to do this?
Re: ESX VM's on the DMZ? Jul 14, 2005 7:03 AM
kharbin (Master, 1,346 posts since Nov 7, 2003)
We do this for clients all the time. The NICs are isolated from the console and one another. People are usually against the idea because they are ignorant of the technology. The only way you will win is to educate them on the technology.

my 2 cents
Re: ESX VM's on the DMZ? Jul 14, 2005 7:05 AM
zigge (Hot Shot, 219 posts since Dec 19, 2004)
Treat the VMs as you would treat a physical server. As long as you don't put the SC on the DMZ, there is no reason to be paranoid. We use some VMs on our DMZ, and have done so for some time now, without problems.

Mats
Re: ESX VM's on the DMZ? Jul 14, 2005 7:05 AM
in response to: kharbin
gxl24 (Hot Shot, 211 posts since May 10, 2004)
I agree with kharbin. We run our servers this way as well. Education is really the key.

George
Re: ESX VM's on the DMZ? Jul 14, 2005 7:06 AM
in response to: gxl24
sbeaver (Guru, 7,667 posts since Nov 1, 2004), Moderator
All of our DMZ servers are VMs, no problem.
Re: ESX VM's on the DMZ? Jul 14, 2005 7:15 AM
in response to: zigge
mtrouardriolle (Enthusiast, 101 posts since Nov 11, 2004)
I must admit that I am keen to get our host ESX servers with access to the DMZ for guest VM provision, however our security team has put stringent policies in place, whereby any host server cannot straddle any DMZ networks and any internal networks.

This will mean for my ESX host implementation, I will need each host ESX server (2 min per DMZ network for resilience) hosted solely on that network (including the service console).

It means more ESX servers (probably small 2-way ones for the DMZ) just to manage a handful of VMs.

Re: ESX VM's on the DMZ? Jul 22, 2005 10:12 AM
zhouse (Expert, 361 posts since Jul 11, 2005)
Whoa! That was fast. I must say I am very impressed with these forums and the speed and intelligence of the responses.

I fear that the only way to educate our network team is to give them a VMware document that says it is ok to do. I understand that there is no "connection" between the service console network connection and the vSwitch connections but getting that point across to others, who as you all said don't understand the technology, is going to be challenging to say the least.
Re: ESX VM's on the DMZ? Jul 14, 2005 7:38 AM
in response to: mtrouardriolle
Ken.Cline (Champion, 5,132 posts since Jul 7, 2004), VMware Moderator
That's got to be one of the most m^&on%c security teams I've ever heard of! Forcing you to put the ESX service console into the DMZ is akin to putting the keys to the Ferrari under the fender!

Obviously, your security team needs to go back and retake "Security 101" to have a better understanding of what risk mitigation and management means.

If I were CIO in your organization, I would be jumping up and down and screaming at the top of my lungs - you would put the service console NIC behind the firewall or you would not use ESX in the DMZ. And since I would have the CFO beside me while doing my yelling, you would not be putting a whole bunch of pServers in the DMZ...
Re: ESX VM's on the DMZ? Jul 14, 2005 7:44 AM
in response to: Ken.Cline
mtrouardriolle (Enthusiast, 101 posts since Nov 11, 2004)
Ken,

I agree and I have yet to get any ESX hosts on the DMZ and hope to have changed this so that the service console is patched through to the appropriate (dedicated) SC VLAN.

I think they are concerned with having a host straddling a DMZ network and an internal one as being a security risk.

I hope to use some material gleaned from these forums to persuade a few minds by the time I am looking at the DMZs...
Re: ESX VM's on the DMZ? Jul 14, 2005 7:52 AM
in response to: mtrouardriolle
Ken.Cline (Champion, 5,132 posts since Jul 7, 2004), VMware Moderator
What is their position on the iLo (or Director, or other out of band management tool) for servers in the DMZ? Do they force you to connect it to a DMZ network or is it allowed to "straddle" the firewall?

There's very little difference between the two scenarios. The ESX service console is effectively an OOB management interface to the vmkernel.

The technology used to isolate the various vNICs/vSwitches from each other is the same as is implemented in the NetTop project. Do a quick Google for "nettop" and see if you find anything useful :)
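As an added example (not code from the thread, from VMware, or from the NetTop project), here is a small Python audit of the layout the posters converge on: VM port groups may sit on a DMZ vSwitch, but the service console NIC stays behind the firewall on its own vSwitch. The inventory model, the zone names and both host layouts are constructed for illustration and are not ESX's real configuration format.

```python
from dataclasses import dataclass, field

# Constructed inventory model (assumption, not ESX's config format): each vSwitch is tagged
# with the network zone its physical uplink NICs are patched into, and carries its port groups.
@dataclass
class VSwitch:
    name: str
    zone: str                                       # "dmz", "internal", "mgmt", ...
    portgroups: list = field(default_factory=list)  # (name, kind); kind is "vm" or "sc"

TRUSTED_ZONES = {"internal", "mgmt"}   # zones where the service console NIC may live

def audit_host(host, vswitches):
    """Return findings against the rule from the thread; an empty list passes.
    A host with uplinks in both the DMZ and an internal zone is not itself a finding:
    only the service console's placement, and its sharing a vSwitch with VM port
    groups, are flagged."""
    findings = []
    for vs in vswitches:
        kinds = {kind for _, kind in vs.portgroups}
        for pg, kind in vs.portgroups:
            if kind != "sc":
                continue
            if vs.zone not in TRUSTED_ZONES:
                findings.append(f"{host}: service console '{pg}' sits on {vs.zone} vSwitch '{vs.name}'")
            if "vm" in kinds:
                findings.append(f"{host}: service console '{pg}' shares vSwitch '{vs.name}' with VM port groups")
    return findings

def straddles_dmz(vswitches):
    """True when the host has uplinks in both the DMZ and a trusted zone (fine per the thread)."""
    zones = {vs.zone for vs in vswitches}
    return "dmz" in zones and bool(zones & TRUSTED_ZONES)

# Layout the posters recommend: SC on its own management vSwitch, DMZ VMs on a separate vSwitch.
GOOD_HOST = [
    VSwitch("vSwitch0", "mgmt", [("Service Console", "sc")]),
    VSwitch("vSwitch1", "dmz", [("DMZ Web", "vm")]),
    VSwitch("vSwitch2", "internal", [("Internal Apps", "vm")]),
]
# Layout mtrouardriolle's security team asked for: the whole host, console included, on the DMZ.
BAD_HOST = [
    VSwitch("vSwitch0", "dmz", [("Service Console", "sc"), ("DMZ Web", "vm")]),
]

if __name__ == "__main__":
    for name, layout in (("esx-good", GOOD_HOST), ("esx-dmz-only", BAD_HOST)):
        print(name, "straddles DMZ:", straddles_dmz(layout))
        for finding in audit_host(name, layout) or [f"{name}: OK"]:
            print(" ", finding)
```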
Re: ESX VM's on the DMZ? Jul 14, 2005 7:59 AM
in response to: mtrouardriolle
kharbin (Master, 1,346 posts since Nov 7, 2003)
A good security team would do their proper due diligence and research the subject on their own so as to make an informed decision. These guys are usually sharp and few and far between.

A mediocre team will force you to do the research and provide it to them. These guys are usually just lazy.

A bad team will voice their "concerns" before having any knowledge of what they are talking about. These guys are usually just dumb and lazy. And, unfortunately, this is the hardest combination to overcome.

Try to educate but don't be disappointed if it falls on deaf ears.
Re: ESX VM's on the DMZ? Jul 14, 2005 8:30 AM
in response to: Ken.Cline
mtrouardriolle (Enthusiast, 101 posts since Nov 11, 2004)
What is their position on the iLo (or Director, or other out of band management tool) for servers in the DMZ? Do they force you to connect it to a DMZ network or is it allowed to "straddle" the firewall?

Good point! I hadn't thought about it from that perspective and yes we do have (hp) iLo access to these servers (and the iLo ports don't exist on the DMZ network).

I've just spoken to one of our security guys off the back of this and there is light at the end of the tunnel!

There are a number of options that they are willing to investigate (they fully acknowledge they have to carry out their own due diligence on this), but it may be possible to get either the SC on our internal SC VLAN or on another network that, although still behind the firewall, won't be the same network as the DMZ in question.

Thanks for that Ken!
Re: ESX VM's on the DMZ? Jul 14, 2005 8:40 AM
in response to: Ken.Cline
skearney (Hot Shot, 290 posts since Jan 28, 2004)
That's got to be one of the most m^&on%c security teams I've ever heard of! Forcing you to put the ESX service console into the DMZ is akin to putting the keys to the Ferrari under the fender!

Obviously, your security team needs to go back and retake "Security 101" to have a better understanding of what risk mitigation and management means.

If I were CIO in your organization, I would be jumping up and down and screaming at the top of my lungs - you would put the service console NIC behind the firewall or you would not use ESX in the DMZ. And since I would have the CFO beside me while doing my yelling, you would not be putting a whole bunch of pServers in the DMZ...

Geez, Ken. Tell us how you really feel :-)
Re: ESX VM's on the DMZ? Jul 14, 2005 9:16 AM
in response to: zhouse
qazwsx (Enthusiast, 110 posts since Nov 1, 2004)
Is there not some NSA whitepaper about not being able to compromise the SC or another VM from a compromised VM?
Re: ESX VM's on the DMZ? Jul 14, 2005 9:18 AM
in response to: qazwsx
mtrouardriolle (Enthusiast, 101 posts since Nov 11, 2004)