VMware Cloud Community
tomchrist
Contributor

Adding my Virtual Website to a DMZ

Hello,

I am in need of some help/direction.

I currently have my website as a virtual machine on my ESXi. I have installed a dual NIC.

I have to add the website to the DMZ to become PCI-DSS compliant.

My question is how do I do this? Am I simply to run one cable to the DMZ on my router, then run the other cable to a firewall router and then from it to the destination Server?

This is where I am confused, do I also need to pass through the virtual switch.

Any help would be greatly appreciated.

Tom.

3 Replies
amvmware
Expert

I don't think you will be PCI compliant with that configuration. With only 2 NICs you would have your management and data traffic on the same NICs.

I would put another 2 NICs in the server, create a separate vSwitch and use those NICs for dedicated DMZ traffic. Or you can split the 2 existing NICs, having one for each vSwitch, but then you have no resilience or redundancy if the NIC fails.

Texiwill
Leadership

Hello,

Until the new guidance is released from PCI Council your config is not PCI compliant just by virtue of virtualizing.... However in either case the network for your DMZ should be 100% separate from your other networks.... It is all about trust zones. ESX can have 6 or more trust zones. So how you divide them up means quite a bit... I suggest you visit http://www.virtualizationpractice.com/blog/?page_id=4931 as a starting point on virtualization security. It contains quite a few links on VMware networking, etc. Once you understand the networking you can understand why just 2 pNICs may be a bad combination... It really depends on how things work within your physical environment today in many ways.


Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, 2010

Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security'

Also available 'VMWare ESX Server in the Enterprise'

Blogging: The Virtualization Practice | Blue Gears | TechTarget | Network World

Podcast: Virtualization Security Round Table Podcast | Twitter: Texiwll

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
khughes
Virtuoso

Texi is the security guru so whatever he says I would listen to. I'll throw my two cents in and share how we run some websites off our ESX hosts. If you only have 2 pNICs in your ESX host I would recommend buying at least another NIC card, or dual port NIC card that's on the HCL.

The way we have our DMZ setup is we have a dual port pNIC card handling all of our DMZ traffic, from there those pNICs are cabled directly to our DMZ pSwitch then to our firewall. At least in my mind, and Ed can correct me if I'm wrong, the DMZ is completely physically separated from our mgmt/vMotion/LAN traffic by going out a completely separate pNIC card (besides having a dedicated DMZ ESX host).

-- Kyle

"RParker wrote: I guess I was wrong, everything CAN be virtualized "
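To make the point in the two replies above concrete, here is an added audit script (my own, not code from any poster or from VMware). It parses output in the shape of `esxcli network vswitch standard list` on a newer ESXi host (the sample text below is constructed here, and the field layout is an assumption) and flags a DMZ port group that shares a vSwitch, and therefore pNICs, with management or LAN port groups, or whose vSwitch has only one uplink and so no NIC redundancy.

```python
import re

# Constructed sample in the shape of `esxcli network vswitch standard list`
# (not output from any real host). The DMZ port group sits on the same
# vSwitch, and so the same pNICs, as the Management Network.
SAMPLE_SHARED = """\
vSwitch0
   Name: vSwitch0
   Class: cswitch
   MTU: 1500
   Uplinks: vmnic1, vmnic0
   Portgroups: DMZ, VM Network, Management Network

vSwitch1
   Name: vSwitch1
   Class: cswitch
   MTU: 1500
   Uplinks: vmnic2
   Portgroups: vMotion
"""

# Same host after adding a dual-port NIC (vmnic2, vmnic3) for the DMZ only.
SAMPLE_SEPARATE = SAMPLE_SHARED.replace(
    "Portgroups: DMZ, VM Network, Management Network",
    "Portgroups: VM Network, Management Network, vMotion").replace(
    "Uplinks: vmnic2\n   Portgroups: vMotion",
    "Uplinks: vmnic2, vmnic3\n   Portgroups: DMZ")

def parse_vswitches(text):
    """Map each vSwitch name to its uplinks (pNICs) and port groups."""
    switches, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():      # unindented line = vSwitch name
            current = line.strip()
            switches[current] = {"uplinks": [], "portgroups": []}
        elif current:
            m = re.match(r"\s+(Uplinks|Portgroups):\s*(.*)$", line)
            if m:
                vals = [v.strip() for v in m.group(2).split(",") if v.strip()]
                switches[current][m.group(1).lower()] = vals
    return switches

def audit_dmz(switches, dmz_pg="DMZ", min_uplinks=2):
    """Flag a DMZ port group that shares a vSwitch (hence pNICs) with other
    port groups, or whose vSwitch lacks a second uplink for redundancy."""
    findings = []
    for name, sw in switches.items():
        if dmz_pg not in sw["portgroups"]:
            continue
        others = [p for p in sw["portgroups"] if p != dmz_pg]
        if others:
            findings.append(f"{name}: {dmz_pg} shares pNICs with {', '.join(others)}")
        if len(sw["uplinks"]) < min_uplinks:
            findings.append(f"{name}: only {len(sw['uplinks'])} uplink(s), no NIC redundancy")
    return findings

if __name__ == "__main__":
    for label, text in (("shared", SAMPLE_SHARED), ("separate", SAMPLE_SEPARATE)):
        print(label, audit_dmz(parse_vswitches(text)) or "OK")
```

Feed it real `esxcli network vswitch standard list` output instead of the samples to check a host; a vmnic can belong to only one standard vSwitch, so port groups on the same vSwitch is the sharing that matters.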