VMware Cloud Community
arkturas
Enthusiast

Mixed network segments (internal & dmz) on the same host.

All,

We are in a position to make some changes to our VMware infrastructure, and I'd like to change some of the opinions associated with running a mixed network topology on a single ESX host. To put it simply: creating separate virtual switches to service both internal guests and guests located in a DMZ network segment.

I know it works and don't want to get into too much detail of 'the how' (other than to specify that the physical NICs will be used to provide uplinks to the different network segments; I am using VLANs, but not to isolate the internal and DMZ networks).

What I'd like to rationalise is the security. Instead of splitting our ESX infrastructure into internal hosts and DMZ hosts, I'd like to have a unified ESX infrastructure that still maintains the presence of a DMZ, for obvious reasons.

This will allow us to make better use of host resources and provide more flexibility. Think of it as an ESX fabric layer for hosting both internal and DMZ VMs on different network segments.

The big question is: is it secure?

  • I know that historically, keeping the DMZ hosts physically isolated has always been best practice. Does the vSphere 4 and 5 vSwitch/hypervisor architecture provide enough security to mitigate this (again, provided that separate vmnics/vSwitches are used to separate the different networks)?

  • Does housing mixed network segments (DMZ and internal LANs) on the same hosts introduce more risk, in that they share a common hypervisor?

Which leads me to my final point:

  • Regardless of housing mixed network segments on the same host: if a virtual machine becomes compromised, does it have the ability to compromise the ESX hypervisor?

Lastly, I also propose setting up VLANs for the virtual switches. The internal vSwitches will have several VLANs: Windows, Linux, VoIP, UAT, DEV. The DMZ vSwitches will also have several VLANs.

Essentially, I will be reliant on the vSwitches providing isolation between networks, and on VLANs for security within each vSwitch.

Here is a 'basic' diagram (see attachment).

Thanks for the feedback

0 Replies
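The design above rests on a handful of configuration invariants rather than on the hypervisor alone: DMZ and internal vSwitches must not share a vmnic, no port group may trunk every VLAN into a guest (VLAN 4095), the Layer-2 security policy must reject promiscuous mode, MAC changes and forged transmits, and no VM may be attached to port groups on both sides, since a dual-homed guest bridges the segments no matter how clean the vSwitch separation is. The PowerCLI script below is an added example of how to audit a host for those invariants; it is not code from the original post or from VMware. It assumes an open Connect-VIServer session and that DMZ and internal vSwitches can be told apart by name (the `*DMZ*` and `*Internal*` patterns are assumptions; adjust them to your naming).

```powershell
# Added example (not from the original post): audit one ESXi host for the
# isolation properties a mixed internal/DMZ host depends on.
# Assumes PowerCLI is loaded and Connect-VIServer has already been run.
param(
    [Parameter(Mandatory = $true)][string]$HostName,
    [string]$DmzSwitchPattern      = 'DMZ',       # assumed naming: vSwitches containing "DMZ"
    [string]$InternalSwitchPattern = 'Internal'   # assumed naming: vSwitches containing "Internal"
)

$findings = @()
$vmhost   = Get-VMHost -Name $HostName
$switches = Get-VirtualSwitch -VMHost $vmhost -Standard

$dmz      = @($switches | Where-Object { $_.Name -like "*$DmzSwitchPattern*" })
$internal = @($switches | Where-Object { $_.Name -like "*$InternalSwitchPattern*" })
if ($dmz.Count -eq 0 -or $internal.Count -eq 0) {
    throw "Could not find both DMZ and Internal standard vSwitches on $HostName"
}

# 1. Uplink separation: a vmnic must never serve both sides.
$dmzNics = @($dmz      | ForEach-Object { $_.Nic })
$intNics = @($internal | ForEach-Object { $_.Nic })
foreach ($n in ($dmzNics | Where-Object { $intNics -contains $_ })) {
    $findings += "FAIL uplink $n is attached to both a DMZ and an Internal vSwitch"
}
foreach ($vs in ($dmz + $internal)) {
    if (-not $vs.Nic) { $findings += "WARN $($vs.Name) has no physical uplink" }
}

# 2. VLAN hygiene on port groups: no 4095 (all VLANs passed into the guest),
#    and no tagged VLAN ID defined on both sides. VLAN 0 (untagged) is
#    legitimately present on both, so it is excluded from the overlap check.
$dmzPg = @($dmz      | Get-VirtualPortGroup)
$intPg = @($internal | Get-VirtualPortGroup)
foreach ($pg in ($dmzPg + $intPg)) {
    if ($pg.VLanId -eq 4095) {
        $findings += "FAIL port group $($pg.Name) trunks all VLANs (4095) into guests"
    }
}
$dmzVlans = @($dmzPg | ForEach-Object { $_.VLanId } | Where-Object { $_ -ne 0 } | Sort-Object -Unique)
$intVlans = @($intPg | ForEach-Object { $_.VLanId } | Where-Object { $_ -ne 0 } | Sort-Object -Unique)
foreach ($v in ($dmzVlans | Where-Object { $intVlans -contains $_ })) {
    $findings += "WARN VLAN $v is defined on both a DMZ and an Internal port group"
}

# 3. Layer-2 security policy: reject promiscuous mode, MAC address changes and
#    forged transmits on every vSwitch, and make sure no port group re-enables them.
foreach ($vs in ($dmz + $internal)) {
    $pol = Get-SecurityPolicy -VirtualSwitch $vs
    if ($pol.AllowPromiscuous) { $findings += "FAIL $($vs.Name) allows promiscuous mode" }
    if ($pol.MacChanges)       { $findings += "FAIL $($vs.Name) allows MAC address changes" }
    if ($pol.ForgedTransmits)  { $findings += "FAIL $($vs.Name) allows forged transmits" }
}
foreach ($pg in ($dmzPg + $intPg)) {
    # Port group values are $null when inherited from the vSwitch, so test for an explicit $true.
    $pol = Get-SecurityPolicy -VirtualPortGroup $pg
    if ($pol.AllowPromiscuous -eq $true) { $findings += "FAIL port group $($pg.Name) overrides to allow promiscuous mode" }
    if ($pol.MacChanges       -eq $true) { $findings += "FAIL port group $($pg.Name) overrides to allow MAC changes" }
    if ($pol.ForgedTransmits  -eq $true) { $findings += "FAIL port group $($pg.Name) overrides to allow forged transmits" }
}

# 4. No dual-homed guests: a VM with NICs on both a DMZ and an Internal port
#    group is a software bridge between the segments.
$dmzNames = @($dmzPg | ForEach-Object { $_.Name })
$intNames = @($intPg | ForEach-Object { $_.Name })
foreach ($vm in Get-VM -Location $vmhost) {
    $nets  = @($vm | Get-NetworkAdapter | ForEach-Object { $_.NetworkName })
    $onDmz = @($nets | Where-Object { $dmzNames -contains $_ })
    $onInt = @($nets | Where-Object { $intNames -contains $_ })
    if ($onDmz.Count -gt 0 -and $onInt.Count -gt 0) {
        $findings += "FAIL VM $($vm.Name) is attached to DMZ ($($onDmz -join ',')) and Internal ($($onInt -join ',')) port groups"
    }
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Output $_ }
} else {
    Write-Output "OK: $HostName passes all DMZ/Internal isolation checks"
}
```

Run it per host (`.\Audit-MixedHost.ps1 -HostName esx01.example.local`, a hypothetical name) and treat any FAIL line as a blocker before placing DMZ guests on that host; the WARN lines are the judgement calls (an uplink-less vSwitch is fine for an isolated test network, and reusing a VLAN ID on both physical trunks is legal but invites mistakes). The script covers only the host-side configuration; the upstream switch ports still have to be trunked for exactly the VLANs each side is meant to carry.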