VMware Cloud Community
thekid70
Contributor

Creating a DMZ for a webserver

Hello,

I was wondering if I can get some help on a task that I need to configure.

I have two VMware ESX 4.0 Update 1 host servers with a vCenter server, configured in a cluster with HA.

I need to bring over a dying physical webserver that's currently on a DMZ, directly connected to a switch port. I'm planning to P2V the machine.

I already configured the new ports on the switch for the DMZ, and I have one NIC (that wasn't in use) on both host servers plugged into the switch.

My questions are:

Is one NIC going to work?

How do I go about doing this? I want to ensure this is secure. Do I go ahead and create a new vSwitch and add the single NIC that I configured already and plugged into the switch port configured for the DMZ?

If this is correct, I guess I will be doing the same setup on the other VMware host box.

If someone can help and shed some light, that would be great.

Thanks,

9 Replies
AlbertWT
Virtuoso

Hi The Kid,

I also have similar thinking to you; here's what I'm using now.

Both networks are separated by their own vSwitch.

Kind Regards,

AWT

/* Please feel free to provide any comments or input you may have. */
thekid70
Contributor

Thanks Albert,

AlbertWT
Virtuoso

This is a normal setup, although I would recommend adding another 2-port NIC so that you can add a pNIC to each vSwitch for load balancing/failover.

I have not heard about any security risks, especially if your management interface is on a separate VLAN/subnet. Since the vSwitches are layer-2 devices, there is nothing there to route them to the internal network. Just like having two physical switches, the network is no more or less secure than a regular DMZ network in my opinion.

Read this ... You'll love it!

http://www.vmware.com/files/pdf/dmz_virtualization_vmware_infra_wp.pdf

Kind Regards,

AWT

*** Please mark the post as answer if you found it helpful ***

/* Please feel free to provide any comments or input you may have. */
Texiwill
Leadership

Hello,

Your configuration will work just fine. I would, as others suggested, add another pNIC or dual-port pNIC for redundancy and load balancing, but for 1 VM load balancing will not happen, so you really want redundancy.

You need to now guard against people, or even yourself, accidentally placing any non-DMZ VM on the DMZ vSwitch. There is no automated tool to prevent this. HyTrust and other tools can help prevent this, but your vigilance must be increased now. Due to such vigilance requirements, many people opt for something like HyTrust or to silo their DMZs on their own hypervisors. There are other reasons to do this, but mostly that depends on your physical network requirements more than anything, as well as your security policy.

Verify that your organization's security policy is not written to disallow this as well.

Best regards,

Edward L. Haletky

Communities Moderator, VMware vExpert,

Author: VMware vSphere and Virtual Infrastructure Security, VMware ESX and ESXi in the Enterprise 2nd Edition

Podcast: The Virtualization Security Podcast
Resources: The Virtualization Bookshelf

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
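The two practical steps the thread settles on are (a) build an identically named DMZ vSwitch and port group on every host in the HA cluster, with the single cabled uplink for now, and (b) keep checking that nothing other than the web server ends up on that port group, since, as Ed notes, nothing stops an administrator from attaching the wrong VM to it. The PowerCLI script below is an added example written for this thread, not code from any poster or from VMware. The vCenter name, cluster name, vSwitch/port-group names, the `vmnic1` uplink and the allow-list of VM names are all assumptions to be replaced with your own.

```powershell
# Added example (PowerCLI). Hypothetical values: vCenter 'vcenter.example.local',
# cluster 'Prod', DMZ vSwitch 'vSwitchDMZ', port group 'DMZ', uplink vmnic1,
# and 'web01' as the only VM that belongs on the DMZ.
Connect-VIServer -Server 'vcenter.example.local' | Out-Null

$ClusterName   = 'Prod'
$DmzSwitchName = 'vSwitchDMZ'
$DmzPortGroup  = 'DMZ'
$DmzUplinks    = @('vmnic1')      # add the second pNIC here once it is cabled
$AllowedDmzVMs = @('web01')       # VMs permitted to have a vNIC on the DMZ port group

# Step 1: identical DMZ vSwitch + port group on every cluster host, so HA can
# restart the VM on either host and find the same network label.
foreach ($vmhost in (Get-Cluster -Name $ClusterName | Get-VMHost)) {
    $vs = Get-VirtualSwitch -VMHost $vmhost -Name $DmzSwitchName -ErrorAction SilentlyContinue
    if (-not $vs) {
        $vs = New-VirtualSwitch -VMHost $vmhost -Name $DmzSwitchName -Nic $DmzUplinks
    }
    $pg = Get-VirtualPortGroup -VirtualSwitch $vs -Name $DmzPortGroup -ErrorAction SilentlyContinue
    if (-not $pg) {
        New-VirtualPortGroup -VirtualSwitch $vs -Name $DmzPortGroup | Out-Null
    }
}

# Step 2: placement audit. Two conditions are reported:
#   - a VM not on the allow-list has a vNIC on the DMZ port group
#   - an allowed DMZ VM also has a vNIC on some other network (dual-homed,
#     which would bridge the DMZ into the internal side through the guest)
$findings = @()
foreach ($vm in Get-VM) {
    $nets = @(Get-NetworkAdapter -VM $vm | Select-Object -ExpandProperty NetworkName)
    if ($nets -notcontains $DmzPortGroup) { continue }
    if ($AllowedDmzVMs -notcontains $vm.Name) {
        $findings += "$($vm.Name) has a vNIC on $DmzPortGroup but is not an approved DMZ VM"
    }
    $other = @($nets | Where-Object { $_ -ne $DmzPortGroup })
    if ($other.Count -gt 0) {
        $findings += "$($vm.Name) is dual-homed: $DmzPortGroup plus $($other -join ', ')"
    }
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output "DMZ placement audit clean: only $($AllowedDmzVMs -join ', ') on $DmzPortGroup"
}
```

Step 1 is idempotent, so the same script can be rerun after a host is rebuilt or added to the cluster. Step 2 is the piece worth scheduling; a warning from it is the signal that somebody has attached the wrong VM, which the platform itself will not refuse.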
AlbertWT
Virtuoso

Hi Edward, thanks for the clarification. You're right, mate, I shall add another pNIC for redundancy! Cheers.

Kind Regards,

AWT

/* Please feel free to provide any comments or input you may have. */
thekid70
Contributor

Thanks for all your input.

mojoc
Contributor

Hi Albert,

I have almost the exact DMZ setup in your attached picture here. Then I got stuck on the physical networking behind this picture.

My vmnic0 --> a physical switch --> Linksys Internet router --> Internet.

What should I connect with vmnic1 in the DMZ physically? I have two more ports available on this ESX host.

Thanks in advance.

Calvin

Texiwill
Leadership

Hello,

So you have the following:

vmnic0 --> a physical switch --> Linksys Internet router --> Internet

Not what I would do. Why? Because vmnic0 is often used by the Management Appliance in ESXi or the Service Console in ESX; therefore you would rather not do this. The full picture is....

Mgmt <-> vSwitch0 <-> pNIC (vmnic0) <-> pSwitch <-> Router <-> Outside

What you really want is:

Mgmt/Internal <-> vSwitch0 <-> pNIC (vmnic0,vmnic2) <-> pSwitchI

DMZ  <-> vSwitchD <-> vFW <-> vSwitch1 <-> pNIC (vmnic1) <-> pSwitchE <-> Router <-> Outside

Then I would bridge vSwitch0 and vSwitch2 with a vFW. You really want two physical switches, one for the DMZ and one for internal. If that is not possible, then use VLANs (but I highly recommend a second switch unless you are using high-end switches with all sorts of layer-2 protections).

If you want Internal to talk to the DMZ, then the virtual firewall (vFW) could handle that for you as well, depending on what you use for that firewall. Always add a vFW to protect/segregate the DMZ. vSwitchD in this case is an internal vSwitch that does not have a pNIC connected to it; therefore it is considered private.

Best regards,

Edward L. Haletky

Communities Moderator, VMware vExpert,

Author: VMware vSphere and Virtual Infrastructure Security, VMware ESX and ESXi in the Enterprise 2nd Edition

Podcast: The Virtualization Security Podcast
Resources: The Virtualization Bookshelf

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
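Ed's design has three properties that can be verified rather than just drawn: the management/internal vSwitch and the DMZ-facing vSwitch use disjoint pNICs, the private DMZ vSwitch (vSwitchD) has no pNIC at all, and the only VM bridging the private DMZ segment to the external segment is the virtual firewall. The PowerCLI audit below is an added example for this thread, not code from any poster or from VMware; it checks those invariants on every host and reports any drift. The vSwitch and port-group names follow Ed's diagram, and the uplink assignments, the firewall VM name `vfw01` and the port-group labels are assumptions.

```powershell
# Added example (PowerCLI). Hypothetical layout taken from Ed's diagram:
#   vSwitch0 = Mgmt/Internal, uplinks vmnic0 + vmnic2 (to pSwitchI)
#   vSwitch1 = DMZ external,  uplink vmnic1          (to pSwitchE -> router)
#   vSwitchD = private DMZ segment, NO uplink (vFW sits between vSwitchD and vSwitch1)
# Assumed names: vCenter 'vcenter.example.local', firewall VM 'vfw01',
# port group 'DMZ' on vSwitchD and 'DMZ-Ext' on vSwitch1.
Connect-VIServer -Server 'vcenter.example.local' | Out-Null

$ExpectedUplinks = @{
    'vSwitch0' = @('vmnic0', 'vmnic2')
    'vSwitch1' = @('vmnic1')
    'vSwitchD' = @()                       # private: an uplink here breaks the design
}
$FirewallVM    = 'vfw01'
$DmzPrivatePG  = 'DMZ'
$DmzExternalPG = 'DMZ-Ext'

$findings = @()

# Host side: each vSwitch must exist and carry exactly the uplinks in the table.
foreach ($vmhost in Get-VMHost) {
    foreach ($name in $ExpectedUplinks.Keys) {
        $vs = Get-VirtualSwitch -VMHost $vmhost -Name $name -ErrorAction SilentlyContinue
        if (-not $vs) {
            $findings += "$($vmhost.Name): $name is missing"
            continue
        }
        $actual = (@($vs.Nic) | Sort-Object) -join ','
        $wanted = (@($ExpectedUplinks[$name]) | Sort-Object) -join ','
        if ($actual -ne $wanted) {
            $findings += "$($vmhost.Name): $name uplinks [$actual], expected [$wanted]"
        }
    }
}

# VM side: only the firewall may touch the external DMZ segment, and it must
# have a leg on both the private and the external segment to be in the path.
foreach ($vm in Get-VM) {
    $nets = @(Get-NetworkAdapter -VM $vm | Select-Object -ExpandProperty NetworkName)
    $onPrivate  = $nets -contains $DmzPrivatePG
    $onExternal = $nets -contains $DmzExternalPG
    if ($vm.Name -eq $FirewallVM) {
        if (-not ($onPrivate -and $onExternal)) {
            $findings += "$FirewallVM is not attached to both $DmzPrivatePG and $DmzExternalPG"
        }
    } elseif ($onExternal) {
        $findings += "$($vm.Name) is on $DmzExternalPG and bypasses the vFW"
    }
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'DMZ topology matches the expected design on all hosts.'
}
```

The host-side loop is what catches the mistake mojoc was about to make: if vmnic0 shows up on vSwitch1, or any pNIC shows up on vSwitchD, the management path or the private segment has been wired to the outside and the script says so. Extend the table when the second pNIC is added for redundancy.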
mojoc
Contributor

Thanks Ed,

Your explanation has just cleared up my confusion over the DMZ.

Thanks

Calvin
