Hello,
I see what you are after.... There are documents discussing the vSwitch and its security. There are documents on the vmkernel and its security. These are on the VMware Document site. But unless your Security Administrator is willing to read them. do the necessary excersize to consider security, and willing to learn about Virtualization, then they not doing their jobs as far as I am concerned. Yes harsh terms, but virtualization is MORE than just a black box, it contains networks, and isolation capabilities. This is the biggest up hill battle and the answer is to me, that if the Security 'folks' are not willing to learn then do not implement virtualization because they will just force a design of something incredibly INSECURE from their lack of knowledge. Their lack of knowledge will end up costing the company in terms of liability.
Put it in dollars and cents. How much liability do they want to have? FOr example, in the place the SC in the DMZ issue that pops up quite a lot. How much is the data on the ESX server worth to them when it gets out into the wild? Actually, if they forced me to put the SC within the DMZ, I would refuse to do the implementation and tell them that if they want it, they do it as that is as insecure as you can possibly get. And I would put it in writing. Explain it like this.... "Do you put the door to your Data Center off your lobby? Well that is just what they want to do with another Data Center."
As for your original question, I have a Firewall with a DMZ behind it running within ESX. I have my Orange (DMZ) Network which has its open ports for standard FTP, WEB, etc.... I also have my Green Network... The only link between the two is the firewall. THere is no way to bypass it unless I purposefully add more vNIC to a VM on one of the networks. But the only bridge is a VERY strong firewall. Just like normal. This basic networking 101 and has really nothing to do with virtualization.
So the rule for my system is, unless the VM is a Router, Gateway, Firewall there should only be one vNIC per VM. I would not even consider adding a backup vNIC as backing up the full VMDK is better.
But as I stated, I think you need to pull in someone who can explain it to them either from VMware or elsewhere, and that may fail if they still consider Virtualization to be just a box that has to be protected by traditional means. In this case, they have already shot themselves in the foot.
Best regards,
Edward L. Haletky
VMware Communities User Moderator
====
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education. CIO Virtualization Blog: http://www.cio.com/blog/index/topic/168354, As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization
--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
Problem is how do I convince them with the right arguments to virtualize a firewall.
