VMware Cloud Community
timcwhite
Contributor

vSphere in the DMZ Question

Good morning,

We are in the process of implementing vSphere 4 in our DMZ and I wanted to run a question by you regarding the design. Currently, we are running our Virtual Center server within our core network. The new vSphere servers will reside within our DMZ but will need to be managed by the internal Virtual Center server. Below are the scenarios that we are considering.

Scenario I:

Open the following ports:

  • Port 22 and 902 between our VC and ESX hosts

  • Port 903 between our VI client and Virtual Machines for remote console

  • Port 27000 and 27010 between our vSphere hosts and license server (this is also our virtual center server)

  • Port 443 for inbound HTTPS connections

Scenario II:

Don't open any ports and connect the service console and the VMkernel network to our core network.

Has anyone implemented either? What is your opinion/suggestions regarding either scenario?

8 Replies
weinstein5
Immortal

I have seen both scenarios implemented with success. My preference is scenario two, in that it keeps communication between the DMZ and the core network shut down, and there are no worries about a VM jumping to the service console, since the VMs run isolated from the service console.

If you find this or any other answer useful please consider awarding points by marking the answer correct or helpful

MKguy
Virtuoso

I'm more fond of Scenario II, and we run a cluster hosting DMZ VMs like that too.

However, that internal network is a dedicated subnet for ESX and vCenter and is being protected by a firewall with a tight ruleset. As long as you keep that in mind and regularly patch your ESX hosts (and VMware tools if there is a vulnerability discovered), you should be fine.

-- http://alpacapowered.wordpress.com
azn2kew
Champion

I would concur with David: using scenario 2 is much more secure and it should work perfectly. I've done that with an ESX 3.5U4 environment, because you don't want to give people "the key to the kingdom"; it is like inviting people to sneak into your house to steal. Here's a new guide from VMware on the DMZ you can read for details

If you found this information useful, please consider awarding points for "Correct" or "Helpful". Thanks!!!

Regards,

Stefan Nguyen

VMware vExpert 2009

iGeek Systems Inc.

VMware, Citrix, Microsoft Consultant

jayctd
Hot Shot

We also implement scenario 2, keeping the VMkernel and service console protected in an infrastructure management network only.

Jered Rassier

*EqualLogic Technical certified professional

*Dell Enterprise Foundations v.2 Certified professional

##If you have found my post has answered your question or helpful please mark it as such##

timcwhite
Contributor

Thanks for all of your help.

I have been reading various articles regarding ESX in the DMZ. One of the PDFs I read from VMware suggested that we place the service console NIC on our internal network and place the VMkernel NIC and VM NIC within the DMZ. Any thoughts on that?

Texiwill
Leadership

Hello,

I have been reading various articles regarding ESX in the DMZ. One of the PDFs I read from VMware suggested that we place the service console NIC on our internal network and place the VMkernel NIC and VM NIC within the DMZ. Any thoughts on that?

Bad IDEA.

SC/VMotion/vmkernel ports need to be protected OUTSIDE your DMZ. The DMZ should ONLY be for the pNICs attached to the vSwitch used exclusively for DMZ-based VMs.

vmkernel should never be in the DMZ.

Outside<->FW<->pNIC-DMZ<->vSwitch<->DMZ VMs

Inside<->FW<->Management Network<->pNIC-SC<->vSwitch<->SC

On the management network would exist VC and other ESX management tools.
vmkernel for VMOTION is 100% private
vmkernel for iSCSI/NFS links ONLY to iSCSI/NFS network

There is quite a bit written on this available.

vmkernel within the DMZ leaves the vmkernel open to attack for possible memory or disk information, the type hackers love to get.


Best regards,

Edward L. Haletky, VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available: 'VMWare ESX Server in the Enterprise'
SearchVMware Pro (http://www.astroarch.com/wiki/index.php/Blog_Roll) | Blue Gears | Top Virtualization Security Links | Virtualization Security Round Table Podcast

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
azn2kew
Champion

As mentioned, you wouldn't want anything exposed to the DMZ; only present the VLAN ID for the DMZ networks, connected to a physical NIC and a DMZ port group on the vSwitch. The rest should be protected with VLANs and firewalls, since VMotion, NFS and iSCSI are not encrypted and use clear text, which allows someone on the same network to capture the memory state and retrieve valuable credentials/info. Always place the SC in a management network with a secure VLAN/firewall, and the same goes for out-of-band networks such as HP iLO, DRAC and IBM Director.

Texiwill
Leadership

Hello,

Protected by VLAN? Please. There is no such thing. You use VLANs only if you 'TRUST' VLANs; they are not in themselves a protection mechanism. The protection mechanism would be ACLs and port security to ensure that only the proper machines could connect, MAC flooding is controlled, etc.

In general, DMZs are implemented using segregated physical switches for JUST VM traffic. Your virtualization networks (iSCSI, NFS, Management, VMotion, etc.) should not be seen by anything within the DMZ.


Best regards,

Edward L. Haletky
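The separation Texiwill describes across his two replies (a DMZ vSwitch carrying only DMZ VM port groups, SC/VMotion/storage vmkernel port groups each on their own physically separate network, and VLANs not counted as isolation) can be checked against a host's layout before it goes live. The following is an added example, not code from this thread or from VMware: the host layout, the pNIC-to-physical-switch cabling, and the role and zone labels are all constructed here, and zones are taken from the physical switch each uplink is cabled to rather than from VLAN IDs.

```python
"""Design check for ESX hosts in a DMZ: every port group must sit on a vSwitch
whose uplinks all reach the one physical network its role belongs on."""

# Port-group role -> the physical zone it must live on (labels are hypothetical).
EXPECTED_ZONE = {
    "service_console": "management",
    "vmkernel_vmotion": "vmotion",
    "vmkernel_storage": "storage",
    "vm_dmz": "dmz",
}

# Constructed cabling: which physical zone each pNIC's switch belongs to.
PNIC_ZONE = {
    "vmnic0": "management", "vmnic1": "management",
    "vmnic2": "vmotion", "vmnic3": "storage",
    "vmnic4": "dmz", "vmnic5": "dmz",
}

# Constructed host layout with three deliberate mistakes (see comments).
HOST_LAYOUT = {
    "vSwitch0": {"pnics": ["vmnic0", "vmnic1"],
                 "portgroups": [("Service Console", "service_console"),
                                ("VMotion", "vmkernel_vmotion")]},      # VMotion on mgmt uplinks
    "vSwitch1": {"pnics": ["vmnic2", "vmnic3"],
                 "portgroups": [("VMkernel-NFS", "vmkernel_storage")]},  # uplinks span two zones
    "vSwitch2": {"pnics": ["vmnic4", "vmnic5"],
                 "portgroups": [("DMZ-Web", "vm_dmz"),
                                ("VMkernel-iSCSI", "vmkernel_storage")]},  # vmkernel in the DMZ
}


def vswitch_zones(layout, pnic_zone):
    """Map each vSwitch to the set of physical zones its uplinks reach."""
    return {vs: {pnic_zone[n] for n in cfg["pnics"]} for vs, cfg in layout.items()}


def find_violations(layout, pnic_zone):
    """Return (vswitch, message) findings; an empty list means the layout is clean."""
    findings = []
    for vs, zones in vswitch_zones(layout, pnic_zone).items():
        if len(zones) != 1:  # no uplinks, or uplinks bridging physical networks
            findings.append((vs, f"uplinks reach {len(zones)} zones: {sorted(zones)}"))
        for name, role in layout[vs]["portgroups"]:
            want = EXPECTED_ZONE[role]
            if zones != {want}:
                findings.append((vs, f"'{name}' ({role}) must be on {want}, not {sorted(zones)}"))
    return findings


if __name__ == "__main__":
    for vs, msg in find_violations(HOST_LAYOUT, PNIC_ZONE):
        print(f"{vs}: {msg}")
```

The same check applies to a host that also carries internal VMs: give those a role mapped to an internal zone and they must then land on uplinks that never reach the DMZ switches.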