VMware Cloud Community
tzjkb
Contributor

ESX Service Console, iLO and DMZ

For an HP ESX 3.5 host residing in a DMZ, do you share the service console and iLO networks as a single management network?

What happens if the service console gets compromised?

The VC to SC link passes through a firewall, right? What about the ports that should be opened? Does the connection switch to random ports after the initial connection on 902?

Do you all think ESXi is better suited for a DMZ?

How about enabling VMotion in the DMZ? Are there any security issues with using a SAN that also hosts internal network (non-DMZ) systems?

Thanks


Accepted Solutions
Texiwill
Leadership

Hello,

This is a very common question.... The SC and ILO should be on a management network. Access to the SC is access to everything.... You may not be able to get network traffic from the SC, but you can certainly gain access to the VMDKs depending on the user compromised and the location of backups. But minimally there is a huge amount of information leakage.

Here is my basic setup for full security, redundancy, and performance:

vSwitch0 -> portgroup0 -> SC (2 pNICs)

vSwitch1 -> portgroup0 -> vMotion (2 pNICs)

vSwitch2 -> portgroup0 -> DMZ Network (2 pNICs)

vSwitch3 -> portgroup0 -> Storage Network (not necessary if using FC-HBA) (2 pNICs)

Yes, you can use VLANs, but I would rather avoid them and stick to EST-based VLANs.

Internet <-> Firewall (virtual or otherwise) <-> DMZ Network

SC and ILO <-> Admin Network <-> Firewall <-> Internal
vMotion <-> vMotion Network (local to pSwitch only either via VLAN or separate pSwitch)
Storage <-> Storage Network <-> Firewall <-> Internal

Note that everything is separate from everything else: SC and iLO on the Admin Network, vMotion on its own network, Storage on its own. The DMZ is basically the only one that goes out; everything else is internal. Also note that if using iSCSI, an SC port must participate in that network.

The only VMs allowed within the DMZ, except for a virtual firewall, are ones with a single vNIC. This way they cannot accidentally have more than one connection.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education. CIO Virtualization Blog: http://www.cio.com/blog/index/topic/168354, As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill

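The separation rules in the post above (SC, vMotion, storage and DMZ each on their own vSwitch with two pNICs, and single-vNIC VMs in the DMZ except the virtual firewall) can be checked mechanically. The audit below is an added example, not code from the thread or from VMware; the inventory is constructed by hand, where on a real ESX 3.x host it would be gathered from esxcfg-vswitch -l and the VMs' .vmx files.

```python
# Added example (not from the original thread): audit an ESX host's virtual
# network layout against the separation rules described in the post above.
# The inventory is constructed; real data would come from esxcfg-vswitch -l
# and the guests' .vmx files.
from collections import defaultdict

# Constructed sample inventory: vSwitch -> pNICs and portgroup -> role.
VSWITCHES = {
    "vSwitch0": {"pnics": ["vmnic0", "vmnic1"], "portgroups": {"Service Console": "SC"}},
    "vSwitch1": {"pnics": ["vmnic2", "vmnic3"], "portgroups": {"VMotion": "vMotion"}},
    "vSwitch2": {"pnics": ["vmnic4"], "portgroups": {"DMZ Network": "DMZ"}},   # one pNIC only
    "vSwitch3": {"pnics": ["vmnic5", "vmnic6"],
                 "portgroups": {"Storage Network": "Storage", "Backup": "DMZ"}},  # mixes roles
}

# Constructed sample VMs: name -> (portgroups of its vNICs, is it the virtual firewall?)
VMS = {
    "web01": (["DMZ Network"], False),
    "vfw01": (["DMZ Network", "Storage Network"], True),    # the firewall may have two vNICs
    "app02": (["DMZ Network", "Storage Network"], False),   # violates the single-vNIC rule
}

def audit(vswitches, vms):
    """Return a list of findings; an empty list means the layout follows the design."""
    findings = []
    role_switches = defaultdict(set)
    pg_role = {}
    for sw, cfg in vswitches.items():
        if len(cfg["pnics"]) < 2:
            findings.append(f"{sw}: only {len(cfg['pnics'])} pNIC, no redundancy")
        for pg, role in cfg["portgroups"].items():
            role_switches[role].add(sw)
            pg_role[pg] = role
    # Each role lives on exactly one vSwitch ...
    for role, sws in role_switches.items():
        if len(sws) > 1:
            findings.append(f"{role} spans several vSwitches: {sorted(sws)}")
    # ... and no vSwitch carries more than one role.
    for sw, cfg in vswitches.items():
        roles = set(cfg["portgroups"].values())
        if len(roles) > 1:
            findings.append(f"{sw} mixes roles {sorted(roles)}")
    # A VM with a DMZ vNIC must have only that vNIC, unless it is the virtual firewall.
    for vm, (pgs, is_fw) in vms.items():
        if any(pg_role.get(pg) == "DMZ" for pg in pgs) and len(pgs) > 1 and not is_fw:
            findings.append(f"{vm}: DMZ VM with {len(pgs)} vNICs ({', '.join(pgs)})")
    return findings
```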
3 Replies
gary1012
Expert

We keep our networks logically separated for iLO, SC, and VMotion. It's partly for security, partly to keep things straight in our overly-confused minds. As for ports, you'll require more than 902. The attached will probably help.

As for the DMZ, see Texiwill's blog at: http://www.cio.com/article/382113/Virtual_Servers_in_the_DMZ_Pose_Security_Risks/1.

Community Supported, Community Rewarded - Please consider marking questions answered and awarding points to the correct post. It helps us all.
Rob_Bohmann1
Expert

I am going by memory here, but I think we opened ports 902, 903, 27010, 27011 between VC and each host for the firewalls (VC was placed in a mgmt network with a separate firewall between it and everything it managed, DMZ and non-DMZ) and also a port for SSH (default 22). These are for your service console connection, which should not be exposed externally. iLOs had their own separate network for DMZs (set up prior to the VMware deployment, so we followed existing policy); we treated those similarly to the service console connections above, just with different port numbers. All of the above were not wide open internally, but only accessible from specific networks where admins were located, as well as accessible from VPN for remote support capabilities when not in the office. Lots of options there; depending on your policies and security requirements, you can install the client on a server or two (or a Citrix farm) and only allow connections from that if security is a big concern or for remote access when not in the office.

If you have a cluster, your VMotion network ideally would not be accessible either internally or externally: simply a private network contained within your switch and only accessible to the hosts that exist in the cluster. If you need to save NICs or switch ports, you could use 2 connections for both SC and VMotion and use VLANs to separate them.

The previous poster posted a helpful chart of what each port is used for. The communication between VC and the ESX hosts remains on 902, 903 is needed if you want to use the remote console in the VI Client.

If the service console is compromised, then everything is compromised. Again, the previous poster added a link to Texiwill's article, his book goes into much more depth.

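The policy described above (VC and admin networks reach the service consoles on 902, 903, 27010, 27011 and 22; nothing else, and certainly nothing from the DMZ, reaches them) is easy to state but easy to break with one broad rule. The check below is an added example, not from the thread or from any firewall vendor; the networks, addresses and rule set are constructed sample values, with a deliberately over-broad DMZ rule so the check has something to find.

```python
# Added example (not from the original thread): test a first-match, default-deny
# firewall rule set against the management-flow intent described in the post.
# All networks and addresses are constructed; the ports are those named above.
import ipaddress

SC_PORTS = {902, 903, 27010, 27011, 22}

# Constructed rule set: (action, source net, destination net, TCP ports or None = any).
RULES = [
    ("allow", "10.10.0.0/24", "10.20.0.0/24", SC_PORTS),   # VC / admin net -> SC net
    ("allow", "10.30.0.0/24", "10.20.0.0/24", SC_PORTS),   # VPN pool -> SC net
    ("allow", "192.168.50.0/24", "0.0.0.0/0", None),       # "DMZ outbound", too broad on purpose
]

def evaluate(rules, src, dst, port):
    """Return the action for one TCP flow; first matching rule wins, default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, snet, dnet, ports in rules:
        if (s in ipaddress.ip_network(snet) and d in ipaddress.ip_network(dnet)
                and (ports is None or port in ports)):
            return action
    return "deny"

# Flows the policy must permit or block, following the design in the thread.
EXPECTED = [
    ("10.10.0.5", "10.20.0.11", 902, "allow"),      # VC -> host agent
    ("10.10.0.5", "10.20.0.11", 903, "allow"),      # VI Client remote console
    ("10.30.0.7", "10.20.0.11", 22, "allow"),       # admin over VPN, SSH to the SC
    ("10.40.0.9", "10.20.0.11", 22, "deny"),        # ordinary internal user: no SC access
    ("192.168.50.20", "10.20.0.11", 902, "deny"),   # DMZ VM must never reach the SC
    ("192.168.50.20", "10.20.0.11", 22, "deny"),
]

def check_policy(rules, expected):
    """Return (src, dst, port, intended, actual) for every flow the rules get wrong."""
    mismatches = []
    for src, dst, port, want in expected:
        got = evaluate(rules, src, dst, port)
        if got != want:
            mismatches.append((src, dst, port, want, got))
    return mismatches

if __name__ == "__main__":
    for m in check_policy(RULES, EXPECTED):
        print("policy violates intent:", m)
```

With the rule set as written the DMZ-to-SC flows come back "allow", because the broad DMZ rule matches before the implicit deny; an explicit deny from the DMZ to the SC network placed ahead of it makes the check pass.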