VMware Cloud Community
TheVMinator
Expert

Physical vs Virtual DMZ

I am implementing the vCloud Suite of products in a multi-tenant environment, and currently do not yet have a DMZ. In looking to define what the DMZ network will look like, should I assume I need one that is defined by physical separation of networks such as the following:

( Outside network <-> physical firewall <-> DMZ <-> Physical Firewall <-> Internal Network )

Is having a DMZ in a traditional design as above, with two physical firewalls on both sides, always recommended?

Can I accomplish the same thing with vCNS, and when is it appropriate to define my DMZ in software vs hardware?


Accepted Solutions
Texiwill
Leadership

Hello,

Well the following will work using only virtual firewalls:

Outside <-> Outside Physical Switch <-> Outside pNIC <-> Outside VDS <-> FW <-> DMZ VDS <-> FW <-> Inside VDS

                DMZ Physical Switch <->     DMZ pNIC <------------------------> DMZ VDS

Then tie in a physical DMZ via the DMZ VDS and specific ports on the outside of your chassis to an upstream DMZ Physical switch.

Or the following if you want to blend physical and virtual firewalls:

Outside <-> Physical FW <-> DMZ Physical Switch <-> DMZ pNIC <-> DMZ pvNIC <-> DMZ VDS <-> FW <-> Inside VDS

Whether to use a DMZ or not depends on what you are really trying to do.

Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009-2015

Author of the books 'VMWare ESX and ESXi in the Enterprise: Planning Deployment Virtualization Servers', Copyright 2011 Pearson Education. 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.

Virtualization and Cloud Security Analyst: The Virtualization Practice, LLC -- vSphere Upgrade Saga -- Virtualization Security Round Table Podcast

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
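A small path check for the two topologies in this answer, added here as an example and not part of the original post or of any VMware tool: it models each diagram as a graph, finds the fewest firewalls any Outside-to-Inside path crosses, and shows how a constructed VM with a vNIC on both Outside VDS and Inside VDS (node names and the "vm:web01" VM are assumptions) collapses that count to zero.

```python
import heapq
from collections import defaultdict


def chain(*nodes):
    """Edges of a linear path: chain("a", "b", "c") -> [("a","b"), ("b","c")]."""
    return list(zip(nodes, nodes[1:]))


# First diagram: virtual firewalls only, plus the physical DMZ tie-in.
# Firewall nodes are the ones whose name contains "FW".
VIRTUAL_ONLY = chain("Outside", "Outside Physical Switch", "Outside pNIC",
                     "Outside VDS", "FW outer", "DMZ VDS", "FW inner", "Inside VDS") \
    + chain("DMZ Physical Switch", "DMZ pNIC", "DMZ VDS")

# Second diagram: physical outer firewall, virtual inner firewall.
BLENDED = chain("Outside", "Physical FW", "DMZ Physical Switch", "DMZ pNIC",
                "DMZ pvNIC", "DMZ VDS", "FW", "Inside VDS")

# Constructed misconfiguration: one VM with a vNIC on Outside VDS and another
# on Inside VDS, which bridges around both firewalls.
MULTIHOMED_VM = chain("Outside VDS", "vm:web01", "Inside VDS")


def min_firewalls(edges, src, dst):
    """Fewest firewall nodes crossed on any src -> dst path, or None if
    unreachable. Dijkstra where entering a firewall costs 1, anything else 0."""
    graph = defaultdict(set)
    for a, b in edges:
        graph[a].add(b)
        graph[b].add(a)
    best, heap = {src: 0}, [(0, src)]
    while heap:
        cost, node = heapq.heappop(heap)
        if node == dst:
            return cost
        for nxt in graph[node]:
            c = cost + ("FW" in nxt)
            if c < best.get(nxt, float("inf")):
                best[nxt] = c
                heapq.heappush(heap, (c, nxt))
    return None


def dmz_holds(edges, required=2):
    """True when every Outside -> Inside VDS path crosses >= required firewalls."""
    fw = min_firewalls(edges, "Outside", "Inside VDS")
    return fw is not None and fw >= required
```

The same check applies to a real inventory once VM adapters and portgroups are exported as edges; any VM that shows up as a zero-firewall path is a multi-homed bridge across the DMZ.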

TheVMinator
Expert

ok great thanks