I am implementing the vCloud Suite of products in a multi-tenant environment and do not yet have a DMZ. In looking to define what the DMZ network will look like, should I assume I need one that is defined by physical separation of networks, such as the following:
(Outside network <-> Physical Firewall <-> DMZ <-> Physical Firewall <-> Internal Network)
Is having a DMZ in a traditional design as above, with a physical firewall on each side, always recommended?
Can I accomplish the same thing with vCNS and when is it appropriate to define my DMZ in software vs hardware?
Hello,
Well, the following will work using only virtual firewalls:
Outside <-> Outside Physical Switch <-> Outside pNIC <-> Outside VDS <-> FW <-> DMZ VDS <-> FW <-> Inside VDS
DMZ Physical Switch <-> DMZ pNIC <------------------------> DMZ VDS
Then tie in a physical DMZ via the DMZ VDS and specific ports on the outside of your chassis to an upstream DMZ Physical switch.
Or the following if you want to blend physical and virtual firewalls:
Outside <-> Physical FW <-> DMZ Physical Switch <-> DMZ pNIC <-> DMZ pvNIC <-> DMZ VDS <-> FW <-> Inside VDS
Whether to use a DMZ or not depends on what you are really trying to do.
Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009-2015
Author of the books 'VMware ESX and ESXi in the Enterprise: Planning Deployment of Virtualization Servers', Copyright 2011 Pearson Education, and 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.
Virtualization and Cloud Security Analyst: The Virtualization Practice, LLC -- vSphere Upgrade Saga -- Virtualization Security Round Table Podcast
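Both topologies in the answer above only hold if the firewall VMs are the *only* things with a vNIC in more than one of the Outside, DMZ and Inside VDS port groups; a backup or management VM that is multi-homed across DMZ and Inside port groups silently bypasses the inner firewall. The script below is an added example (not code from the original thread or from VMware) that audits a VM-to-port-group inventory for that mistake and also reports which zone boundaries have no firewall covering them, so the blended design can declare the outside/DMZ edge as covered by the physical firewall. The port group names, zone names and the inventory itself are constructed for the example; in practice the mapping would be pulled from vCenter.

```python
"""
Audit a VDS port-group inventory for VMs that bridge security zones.

Added example for the DMZ topologies discussed above; not the thread's
own code.  Zone and port-group names are assumptions, and SAMPLE_INVENTORY
is a constructed sample standing in for data you would pull from vCenter
(pyVmomi or PowerCLI).
"""
from itertools import combinations

# Assumed port group -> zone mapping, following Outside VDS / DMZ VDS /
# Inside VDS from the answer.  Unmapped port groups are reported as unknown.
ZONE_OF_PORTGROUP = {
    "Outside-VDS-PG": "outside",
    "DMZ-VDS-PG": "dmz",
    "Inside-VDS-PG": "inside",
}

# Zone pairs a firewall is allowed to sit between.  outside<->inside is
# never allowed directly: that would skip the DMZ entirely.
ALLOWED_FW_EDGES = {
    frozenset({"outside", "dmz"}),
    frozenset({"dmz", "inside"}),
}

# Constructed sample inventory: VM name -> (is_firewall, [port groups]).
SAMPLE_INVENTORY = {
    "fw-edge":  (True,  ["Outside-VDS-PG", "DMZ-VDS-PG"]),
    "fw-inner": (True,  ["DMZ-VDS-PG", "Inside-VDS-PG"]),
    "web01":    (False, ["DMZ-VDS-PG"]),
    "db01":     (False, ["Inside-VDS-PG"]),
    "backup01": (False, ["DMZ-VDS-PG", "Inside-VDS-PG"]),      # bypasses fw-inner
    "fw-bad":   (True,  ["Outside-VDS-PG", "Inside-VDS-PG"]),  # skips the DMZ
    "orphan":   (False, ["Legacy-PG"]),                        # unmapped port group
}


def zones_of(portgroups):
    """Set of zones a VM touches, with 'unknown' for unmapped port groups."""
    return {ZONE_OF_PORTGROUP.get(pg, "unknown") for pg in portgroups}


def audit(inventory):
    """Return (vm, kind, detail) findings for zone-bridging and unmapped VMs."""
    findings = []
    for vm, (is_fw, pgs) in inventory.items():
        zones = zones_of(pgs)
        if "unknown" in zones:
            findings.append((vm, "unknown", "port group not mapped to a zone"))
        known = zones - {"unknown"}
        if len(known) < 2:
            continue  # single-zone VM cannot bridge anything
        for a, b in combinations(sorted(known), 2):
            if not is_fw:
                findings.append((vm, "bridge", f"non-firewall VM spans {a} and {b}"))
            elif frozenset({a, b}) not in ALLOWED_FW_EDGES:
                findings.append((vm, "fw-skip", f"firewall bridges {a} and {b} directly"))
    return findings


def missing_firewall_edges(inventory, physical_fw_edges=()):
    """Allowed zone boundaries with neither a firewall VM nor a declared
    physical firewall on them.  physical_fw_edges lists (zone, zone) pairs
    handled by hardware, as in the blended physical/virtual design."""
    covered = {frozenset(e) for e in physical_fw_edges}
    for _vm, (is_fw, pgs) in inventory.items():
        if not is_fw:
            continue
        known = zones_of(pgs) - {"unknown"}
        for a, b in combinations(sorted(known), 2):
            covered.add(frozenset({a, b}))
    return ALLOWED_FW_EDGES - covered


if __name__ == "__main__":
    for vm, kind, detail in audit(SAMPLE_INVENTORY):
        print(f"{kind:8} {vm:10} {detail}")
    # Blended design: no virtual edge firewall, physical FW covers outside<->dmz.
    blended = {k: v for k, v in SAMPLE_INVENTORY.items() if k != "fw-edge"}
    print("uncovered (virtual only):", missing_firewall_edges(blended))
    print("uncovered (with physical):",
          missing_firewall_edges(blended, [("outside", "dmz")]))
```

Run against the sample, it flags backup01 as a non-firewall bridge between dmz and inside, fw-bad as a firewall that connects outside straight to inside, and orphan for an unmapped port group; with fw-edge removed and no physical firewall declared, the outside/dmz boundary is reported as uncovered until it is passed in as a physical firewall edge.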
OK, great, thanks.