VMware Cloud Community
bbambrick
Enthusiast

Security of Network spanning in vSphere

Hey,

Can someone point me towards some documentation about the security of network spanning for ESX hosts? Here's an outline of the situation I'm in.

  • We've got 12 servers in an ESX cluster.

  • 4 servers run VMs which need internet access. These have a physical connection to a network with this access (Network A) as well as a different physical connection and a Service Console IP address on another subnet containing the vCenter server (Network B). VMs get access only to the network with internet access.

  • 8 servers run VMs which cannot have access to the internet. They have a physical connection to a network with no internet access (Network C), but with a firewall rule which allows the vSphere client to connect to the vCenter server. They also have a physical connection & Service Console IP on the subnet which houses the vCenter server.

  • To access vCenter you need to use a Remote KVM client to connect to a physical server on Network C and then connect to the vCenter server using the vSphere client. Problem is that this is really really slow - we don't have admin access on the firewall and I think it's dropping lots of connections.

I'd like to put all of the servers spanning the same network segments, i.e. each server would be physically cabled to Network A and C, and the vCenter server and ESX host IPs would be on Network A. This would eliminate problems with host updating and with speed of access to vCenter. I'd completely remove access to Network B as it's not controlled by us. The VMs themselves would then be set to access either Network A or Network C as they individually need.

To get this kind of change approved though I need to show that it's okay to have an ESX host sitting on two networks and that a VM cannot access a physical network unless it's put in a port group which has access to the network. Any ideas on where I can get a whitepaper or technical spec which confirms this?

Cheers!

4 Replies
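The property the original post wants to demonstrate is that a VM's reach into the physical world is bounded by the port group its vNIC sits in, which in turn is bounded by the uplinks of the vSwitch carrying that port group. That chain is also exactly what an auditor should walk to catch the misconfigurations the thread worries about. The script below is an added example, not code from the thread or from VMware: it models the proposed layout (every host cabled to Network A and Network C) with a constructed, in-memory inventory and walks VM -> port group -> vSwitch -> uplink -> physical network. Host, vSwitch, port group and VM names are invented; in practice the three dictionaries would be populated from vCenter (for example via pyVmomi or PowerCLI), which this example does not do.

```python
"""Audit a proposed vSphere layout for cross-segment exposure.

Added example, not from the thread. The inventory below is constructed
in-memory data standing in for what would be read from vCenter.
"""

# Constructed inventory: host -> vmnic -> physical network the cable lands on.
# Every host in the proposed layout has one uplink on Network A (internet)
# and one on Network C (no internet).
HOST_UPLINKS = {
    "esx01": {"vmnic0": "NetworkA", "vmnic1": "NetworkC"},
    "esx02": {"vmnic0": "NetworkA", "vmnic1": "NetworkC"},
    "esx03": {"vmnic0": "NetworkA", "vmnic1": "NetworkC"},
}

# Constructed inventory: host -> vSwitch -> its uplink vmnics and port groups.
# esx03 is deliberately misconfigured: both uplinks were teamed onto one
# vSwitch, so every port group on it (including PG-NetC) reaches Network A.
HOST_VSWITCHES = {
    "esx01": {
        "vSwitch0": {"uplinks": ["vmnic0"], "portgroups": ["Service Console", "PG-NetA"]},
        "vSwitch1": {"uplinks": ["vmnic1"], "portgroups": ["PG-NetC"]},
    },
    "esx02": {
        "vSwitch0": {"uplinks": ["vmnic0"], "portgroups": ["Service Console", "PG-NetA"]},
        "vSwitch1": {"uplinks": ["vmnic1"], "portgroups": ["PG-NetC"]},
        "vSwitch2": {"uplinks": [], "portgroups": ["PG-Internal"]},  # no uplink: VM-to-VM only
    },
    "esx03": {
        "vSwitch0": {"uplinks": ["vmnic0", "vmnic1"],
                     "portgroups": ["Service Console", "PG-NetA", "PG-NetC"]},
    },
}

# Constructed inventory: VM -> host it runs on and the port group of each vNIC.
VMS = {
    "web01":  {"host": "esx01", "nics": ["PG-NetA"]},
    "db01":   {"host": "esx01", "nics": ["PG-NetC"]},
    "app02":  {"host": "esx02", "nics": ["PG-NetC", "PG-Internal"]},
    "bridge": {"host": "esx02", "nics": ["PG-NetA", "PG-NetC"]},  # dual-homed guest
    "db03":   {"host": "esx03", "nics": ["PG-NetC"]},
}

# Policy: these VMs must never have a path to the internet-facing segment.
NO_INTERNET = {"db01", "app02", "db03"}
INTERNET_NET = "NetworkA"


def portgroup_networks(host):
    """Physical networks reachable from each port group on `host`, via the
    uplinks of the vSwitch that carries the port group."""
    reach = {}
    for vsw in HOST_VSWITCHES[host].values():
        nets = {HOST_UPLINKS[host][nic] for nic in vsw["uplinks"]}
        for pg in vsw["portgroups"]:
            reach[pg] = nets
    return reach


def vm_networks(vm):
    """Physical networks a VM can reach: the union over its vNICs' port groups.
    A port group on a vSwitch with no uplink contributes nothing."""
    entry = VMS[vm]
    reach = portgroup_networks(entry["host"])
    return set().union(*(reach.get(pg, set()) for pg in entry["nics"]))


def audit():
    """Return (severity, subject, message) findings for the whole inventory."""
    findings = []
    # 1. A vSwitch whose uplinks land on more than one physical network joins
    #    the segments at layer 2, whatever the port groups are called.
    for host, switches in HOST_VSWITCHES.items():
        for name, vsw in switches.items():
            nets = {HOST_UPLINKS[host][nic] for nic in vsw["uplinks"]}
            if len(nets) > 1:
                findings.append(("HIGH", f"{host}/{name}", f"uplinks span {sorted(nets)}"))
    # 2. Per VM: a restricted VM with any path to the internet segment, and a
    #    multi-NIC guest that could forward between segments on its own.
    for vm, entry in VMS.items():
        nets = vm_networks(vm)
        if vm in NO_INTERNET and INTERNET_NET in nets:
            findings.append(("HIGH", vm, f"restricted VM reaches {INTERNET_NET}"))
        if len(entry["nics"]) > 1 and len(nets) > 1:
            findings.append(("MEDIUM", vm, f"dual-homed across {sorted(nets)}"))
    return findings


if __name__ == "__main__":
    for severity, subject, message in audit():
        print(f"{severity:6} {subject:16} {message}")
```

Run as-is it reports the teamed vSwitch on esx03, the restricted guest db03 that inherits Network A through it, and the dual-homed guest on esx02; the correctly built hosts and the uplink-less internal vSwitch produce nothing. The same walk, pointed at live vCenter data and run on a schedule, is the evidence for the "it is the configuration, not the technology" argument: it shows each VM's physical reach is exactly the uplink set of its port group's vSwitch and flags the moment that stops being true.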
FranckRookie
Leadership

Hi,

You can have a look at:

- "DMZ Virtualization with VMware Infrastructure" at http://www.vmware.com/files/pdf/dmz_virtualization_vmware_infra_wp.pdf

- "DMZ Virtualization Using VMware vSphere 4 and the Cisco Nexus 1000V Virtual Switch" at http://www.vmware.com/files/pdf/dmz-vsphere-nexus-wp.pdf

Hope it helps.

Regards

Franck

bbambrick
Enthusiast

Thanks Franck - I'd seen that before and it's the closest I've gotten to something which states "yes, this is okay to do".

The most useful sections I found were:

  • "Enforcement policies on a virtual network are the same as those on a physical network. Gartner research supports this view by suggesting that security risks primarily emanate from administrative misconfiguration and not from the virtual infrastructure. (See the References section for information on this Gartner report.)"

  • "The biggest risk to a DMZ in a virtual environment is misconfiguration, not the technology."

I might see if I can get my hands on that Gartner report and see what it says. Cheers for the reply :)

J1mbo
Virtuoso

Yes it's okay to do, but the implications need to be well understood.

This book I found quite good on the subject.

bbambrick
Enthusiast

Thanks, I'll order a copy, I have a feeling it'll come in handy :)
