VMware Cloud Community
marcushueller
Contributor

Service Console - DRS - vMotion - VLAN

Hello Community,

Do I run into problems if I separate the service console from the vMotion network (two VLANs) using one NIC port (1 GBit), with DRS/vMotion for the VMs in a 3rd VLAN (built with three NIC ports)?

Thank you

Marcus

46 Replies
aleph0
Hot Shot

hello,

i will do bonding as in picture: 3 x 2 GBit eth ports

red bond: SC (VLAN_ID = 100) and Vmotion (VLAN_ID = 101)

green bond: DMZ1 (VLAN_ID = 201), DMZ2 (VLAN_ID = 202), ..., DMZn...

blue bond : VMNet1 (VLAN_ID = 301), VMNet2 (VLAN_ID = 302), ..., VMNetN...

then you have to configure the VLANs on your Cisco 802.1Q switch

hth

\aleph0

http://virtualaleph.blogspot.com/
Texiwill
Leadership

Hello,

What aleph0 describes will work, but has a security weakness: the SC/vMotion bond. Remember that vMotion is a clear-text protocol carrying the memory image of the VM. This memory image contains all the credentials the machine is using.... So you really want to keep this under lock and key.

The security of the vNetwork depends on quite a few things.... Promiscuous mode adapters for future IDS/auditing are trapped to Production/DMZ networks only and do not live anywhere near the vMotion/SC vSwitches, and there is no way for a production VM to get on the DMZ network. The fact that there is no way to keep a VM off any given vSwitch/port group by user accident or intentional action implies you should plan for this to happen. If there was security that limited the network choices by VM, I would not say there is much of a security concern. But so far there is not.

Option 1:

1 pNIC for SC (failover device is the pNIC for vMotion) (vSwitch0)

1 pNIC for vMotion (failover device is the pNIC for SC) (vSwitch1)

2 pNICs for Production (vSwitch2)

2 pNICs for DMZ (vSwitch3)

Only on failover will the vMotion/SC need to be bonded in some way.

This has the following security issues:

  • SC/vMotion can be on a shared bond... This is only a possible problem on failover, so it has a limited footprint and is a risk I would take.

  • It is possible to place a DMZ machine on the production network and, even worse, a production machine within the DMZ. Since this is a drop-down menu, anyone who has the privileges can do this.... This is a risk I would not take. It is just too easy to do.

The other option, that is actually more secure, is to invest in 2 more Blades and do the following:

First set of blades:

2 pNIC for SC

2 pNIC for vMotion

2 pNIC for Production

Second set of blades:

2 pNIC for SC

2 pNIC for vMotion

2 pNIC for DMZ

The second option is more secure for the following reasons:

  • SC/vMotion do not overlap

  • A simple mistake will not suddenly place a Production VM within the DMZ (this is just a drop down menu within the VIC, I make mistakes on drop down menus all the time so to alleviate this issue, do not make it possible)

Best regards,

Edward L. Haletky, author of the forthcoming 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', publishing January 2008, (c) 2008 Pearson Education. Available on Rough Cuts at http://safari.informit.com/9780132302074

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
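The two placement risks above (a VM dropped onto the wrong port group, and a promiscuous-mode adapter living next to SC/vMotion) are easy to audit after the fact even though the VIC cannot prevent them. The script below is an added example, not code from the thread or from VMware: it models an inventory of port groups and VMs (all names, VLAN IDs and zones are constructed) and reports every attachment that crosses a zone boundary.

```python
"""Audit a vSwitch / port-group inventory for the two placement risks
described above: a VM attached to a port group of the wrong zone (or to
the SC / vMotion port groups at all), and a promiscuous-mode port group on
a vSwitch that also carries SC or vMotion traffic.
The inventory is constructed for this example; it is not from a real host."""

from dataclasses import dataclass

INFRA_ZONES = {"SC", "vMotion"}  # only the host itself may use these


@dataclass
class PortGroup:
    name: str
    vswitch: str
    vlan_id: int
    zone: str  # "SC", "vMotion", "Production" or "DMZ"
    promiscuous: bool = False


@dataclass
class VM:
    name: str
    intended_zone: str
    port_groups: list  # port-group names the VM's vNICs attach to


def audit(port_groups, vms):
    """Return one finding string per violation; an empty list means clean."""
    by_name = {pg.name: pg for pg in port_groups}
    findings = []

    # vSwitches that carry SC or vMotion must never host a promiscuous port group
    infra_vswitches = {pg.vswitch for pg in port_groups if pg.zone in INFRA_ZONES}
    for pg in port_groups:
        if pg.promiscuous and pg.vswitch in infra_vswitches:
            findings.append(
                f"{pg.name}: promiscuous mode on {pg.vswitch}, which carries SC/vMotion")

    # every vNIC must land in the zone the VM was built for
    for vm in vms:
        for pg_name in vm.port_groups:
            pg = by_name.get(pg_name)
            if pg is None:
                findings.append(f"{vm.name}: attached to unknown port group {pg_name}")
            elif pg.zone in INFRA_ZONES:
                findings.append(f"{vm.name}: VM attached to {pg.zone} port group {pg_name}")
            elif pg.zone != vm.intended_zone:
                findings.append(
                    f"{vm.name}: {vm.intended_zone} VM attached to {pg.zone} port group {pg_name}")
    return findings


# Constructed inventory modelled on "Option 1" above (vSwitch0..3); names invented.
SAMPLE_PORT_GROUPS = [
    PortGroup("Service Console", "vSwitch0", 100, "SC"),
    PortGroup("VMkernel-vMotion", "vSwitch1", 101, "vMotion"),
    PortGroup("Production", "vSwitch2", 301, "Production"),
    PortGroup("IDS-Production", "vSwitch2", 301, "Production", promiscuous=True),
    PortGroup("DMZ", "vSwitch3", 201, "DMZ"),
    PortGroup("IDS-misplaced", "vSwitch1", 101, "DMZ", promiscuous=True),
]
SAMPLE_VMS = [
    VM("web01", "DMZ", ["DMZ"]),                      # fine
    VM("erp01", "Production", ["DMZ"]),               # wrong drop-down choice
    VM("app02", "Production", ["VMkernel-vMotion"]),  # a VM on the vMotion network
]


def sample_findings():
    return audit(SAMPLE_PORT_GROUPS, SAMPLE_VMS)


if __name__ == "__main__":
    for line in sample_findings():
        print(line)
```

Run against the constructed inventory it reports three findings: the sniffer port group on the vMotion vSwitch, the Production VM sitting in the DMZ, and the VM attached directly to the VMkernel network. The IDS port group on vSwitch2 is not flagged, which is the point of the first paragraph: promiscuous adapters are acceptable as long as they stay on the Production/DMZ vSwitches.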
aleph0
Hot Shot

hello all,

if you can afford 2 sets of blades, the two-ESX-cluster configuration is the best.

However, option 1 is to be considered in order to have a more easily manageable environment.

Do mezzanine cards with more than 2 eth ports each exist?

just a question about storage: how many FC cards do you plan to use for each host?

\aleph0

habibalby
Hot Shot

Hi,

Security for our organization is very important because it's a bank. The setup will be started with two blades initially, both of them 460c G1, each with 16 GB RAM and dual quad-core processors. If I'm going with option two, segregation of networks, will the Production network be able to communicate with the DMZ network hosts easily? Why I'm asking that is because the networking setup will be purely Windows, MS ISA Firewall in a back-to-back firewall setup.

This means one front-end firewall: the external network will be connected to the Internet router, the internal network is to be connected with the DMZ network. In the Production, there will be two ISA firewalls acting as NLB with three NICs. One is for External (this means the DMZ network, i.e. the internal network of the front-end firewall). One network is for the Production, and the Production servers and clients will be using this network as their gateway out to the Internet or any other network if there must be a routing blah blah....

What about if I want to bring one host down for HA maintenance or something, what will happen to the DMZ VMs, will they be moved to the other host? The other host isn't aware of the DMZ vSwitch of the DMZ configuration?

If I want to bring down the host having the Production VMs, what will happen to those VMs? They don't know the network configuration on the other blade that has the DMZ VMs?

Will that be possible to do with two existing hosts?

Best Regards,


Best Regards, Hussain Al Sayed Consider awarding points for "correct" or "helpful".
habibalby
Hot Shot

Hello aleph,

I agree with you, the ESX with Cluster is the best and actually that's what I intend to do.

As per the HP partner representative, the mezzanine card exists with 4 NICs.

Since it will be on a cluster, I will be using 2 HBAs to achieve HA and availability.

Please have a look at the infrastructure design and the networking design. Is it possible with VM virtualization?

Thanks,

Texiwill
Leadership

Hello,

Pretty much anything you can do in the real world, you can do in the virtual world. To have the ISA servers set up as you dictate you will most likely need a physical router between the two networks. You will then need to have some internal vSwitches to set this up. However, given that you have unauthenticated and authenticated DMZs you may not want them on the same hosts as everyone else..... If this was me I would set up the following:

Physical Firewall <-> Anonymous DMZ VMs Cluster <-> Physical Backend Firewalls <-> Authenticated DMZ VMs Cluster
                                                                               <-> Corporate LAN VMs Cluster <-> Physical Firewall <-> SC/vMotion Networks

I would set up 3 separate clusters of ESX servers. This way VMs from one can not suddenly appear on the other. Yes, the hardware investment is greater but you get the better security. If you moved the firewalls into ESX you would need more pNICs in order to even use vMotion. Also, make sure that vMotion and the SC are behind their own firewall within the corporate LAN.

Best regards,

Edward L. Haletky
habibalby
Hot Shot

Hi,

Things become more complicated for me :). I think I would do Option 1 which you have given earlier in the testing and development network. And once the setup is completed successfully, then in the production network we will order 3 or 4 680 blades to make it more secure. Do you agree with me?

Option 1:

1 pNIC for SC (failover device is the pNIC for vMotion) (vSwitch0)

1 pNIC for vMotion (failover device is the pNIC for SC) (vSwitch1)

2 pNICs for Production (vSwitch2)

2 pNICs for DMZ (vSwitch3)

Thanks,

habibalby
Hot Shot

Hi aleph0,

Thanks for your reply. The picture which you have posted is a little unclear to me. Can you please be more specific? What I have in mind is the following:

  1. 2 pNICs (for VC - teamed together. Create a VLAN01 in the Cisco switch and connect them together. Then make a vSwitch and assign the vSwitch to those pNICs)

  2. 2 pNICs (for Production - teamed together. Create a VLAN02 in the Cisco switch and connect them together. Then make a vSwitch and assign the vSwitch to those pNICs)

  3. 2 pNICs (for DMZ - teamed together. Create a VLAN03 in the Cisco switch and connect them together. Then make a vSwitch and assign the vSwitch to those pNICs)

  4. 2 pNICs (teamed together. Create a VLAN04 in the Cisco switch and connect them together. Then make a vSwitch and assign the vSwitch to those pNICs)

Am I going in the right track? Or must something else be considered?

With 6 pNICs, how will the VLANs be achieved?

Thanks,

aleph0
Hot Shot

Hello,

sorry for my late answer... here in Italy it is holidays ;)

What I mean with VLAN is not exactly what you say:

first you must start with bonding eth ports, creating vSwitches

then, when adding networking, you have to specify a VLAN ID that must be equal to the VLAN definitions in your 802.1Q physical switches.

In this way you can have more than 3 subnets addressed by your 3 vSwitches: theoretically you could have thousands of different separate subnets on each vSwitch

based on your estimated throughputs you can continue adding VLANs on your preferred vSwitch

HTH

\aleph0

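The VLAN-per-port-group approach only isolates traffic if the physical side agrees with it: the VLAN ID on each port group has to be allowed on the 802.1Q trunk behind every pNIC of the bond (otherwise the VLAN silently disappears the moment teaming fails over to the other pNIC), and one VLAN must not be reused for two zones. The following is an added example, not code from the thread or from VMware; the vSwitch names, pNIC names, VLAN numbers and trunk allow-lists are all constructed, loosely following the red/green/blue bonds and the VLAN IDs aleph0 used earlier.

```python
"""Check a VLAN-per-port-group layout against the physical 802.1Q trunks:
each port group's VLAN must be allowed on the trunk of every pNIC in its
vSwitch bond, and a VLAN must serve exactly one zone.
Topology, pNIC names and VLAN numbers below are constructed for the example."""

VLAN_NONE = 0    # ESX: untagged, frames ride the switch port's native VLAN
VLAN_VGT = 4095  # ESX: virtual guest tagging, every trunked VLAN reaches the VM


def check_vlans(vswitches, port_groups, trunks):
    """vswitches: vSwitch name -> list of bonded pNICs
    port_groups: list of (name, vswitch, vlan_id, zone)
    trunks: pNIC -> set of VLAN IDs allowed on the physical trunk port it plugs into
    Returns a list of finding strings; empty means the layout is consistent."""
    findings = []
    zone_of_vlan = {}
    for name, vsw, vlan, zone in port_groups:
        if vlan == VLAN_VGT:
            findings.append(f"{name}: VLAN 4095 hands every trunked VLAN to the guest")
            continue
        if vlan == VLAN_NONE:
            findings.append(f"{name}: untagged, relies on the native VLAN of the trunk")
            continue
        owner = zone_of_vlan.setdefault(vlan, zone)
        if owner != zone:
            findings.append(f"{name}: VLAN {vlan} already used by zone {owner}")
        # the VLAN must survive a failover to any pNIC of the bond
        for pnic in vswitches[vsw]:
            if vlan not in trunks.get(pnic, set()):
                findings.append(f"{name}: VLAN {vlan} not allowed on the trunk of {pnic}")
    for vsw, pnics in vswitches.items():
        if len(pnics) < 2:
            findings.append(f"{vsw}: only {len(pnics)} uplink, no failover")
    return findings


# Constructed topology: three bonds of two pNICs, VLAN IDs as in the earlier post.
SAMPLE_VSWITCHES = {
    "vSwitch0": ["vmnic0", "vmnic1"],  # red bond: SC + vMotion
    "vSwitch1": ["vmnic2", "vmnic3"],  # green bond: DMZ networks
    "vSwitch2": ["vmnic4", "vmnic5"],  # blue bond: VM networks
}
SAMPLE_PORT_GROUPS = [
    ("Service Console", "vSwitch0", 100, "SC"),
    ("VMotion", "vSwitch0", 101, "vMotion"),
    ("DMZ1", "vSwitch1", 201, "DMZ"),
    ("DMZ2", "vSwitch1", 202, "DMZ"),
    ("VMNet1", "vSwitch2", 301, "Production"),
    ("VMNet2", "vSwitch2", 202, "Production"),  # VLAN 202 reused across zones
]
SAMPLE_TRUNKS = {
    "vmnic0": {100, 101}, "vmnic1": {100, 101},
    "vmnic2": {201, 202}, "vmnic3": {201},       # 202 missing on the standby path
    "vmnic4": {301, 202}, "vmnic5": {301, 202},
}


def sample_vlan_findings():
    return check_vlans(SAMPLE_VSWITCHES, SAMPLE_PORT_GROUPS, SAMPLE_TRUNKS)


if __name__ == "__main__":
    for line in sample_vlan_findings():
        print(line)
```

On the constructed topology the check reports two problems: DMZ2 works today but loses connectivity as soon as vmnic2 fails, because VLAN 202 was never allowed on vmnic3's trunk, and VMNet2 puts a Production port group on the DMZ's VLAN 202, which defeats the separation the bonds were meant to give.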
Texiwill
Leadership

Hello,

Things become more complicated for me :). I think I would do Option 1 which you have given earlier in the testing and development network. And once the setup is completed successfully, then in the production network we will order 3 or 4 680 blades to make it more secure. Do you agree with me?

For a strictly dev/test environment your layout would be fine; however, if this is to model your production environment, the best meter stick has always been 1 cm to the cm. In other words, your pre-production tests should be done with exactly what you need in production, otherwise you may not uncover all the problems. You will always want dual nodes for each aspect of your production network so that you are never mixing DMZ, authenticated DMZ, and corporate LAN environments into the mix. In this way you can still use the smaller blades, just 2 per environment (multiple data centers within VC each with their own cluster, etc.). I do not think you need to go to the 680s....

Best regards,

Edward L. Haletky
packmad
VMware Employee

Hi Texiwill,

I've read your very interesting thread and I'm confused about these lines:

1 pNIC for SC (failover device is the pNIC for vMotion) (vSwitch0)

1 pNIC for vMotion (failover device is the pNIC for SC) (vSwitch1)

How can you set a failover on a pNIC used in a different vSwitch?

Dave_Mishchenko
Immortal

vMotion can only be enabled on a single VMkernel port on a host at a time, so unless there was the intention to manually reconfigure things in case of a NIC failure, I think this was a typo and it should have been a single vSwitch with both a service console (SC) port and a VMkernel port for vMotion created. With 2 NICs in the vSwitch, you can then edit both the SC and VMkernel ports and specify which NIC should be active and which should be the standby. In his post, you would set one as active for the SC port (with the other as standby) and then the opposite for the VMkernel port.

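The layout Dave describes is easy to reason about once it is written down as data: one vSwitch, two pNICs, and a per-port-group teaming override with opposite active/standby orders. The script below is an added example (not code from the thread or from VMware; port-group and pNIC names are constructed) that computes which pNIC each port group really uses for any set of failed NICs. It makes Texiwill's earlier point concrete: the service console and vMotion traffic only share a physical link while a failover is in effect, and they are separated again once the failed NIC returns (assuming failback is left enabled on the team).

```python
"""Model of a single vSwitch with two pNICs, a Service Console port group
and a vMotion VMkernel port group whose NIC teaming overrides use opposite
active/standby orders. The functions work out which pNIC each port group
really uses for a given set of failed NICs. Names are constructed."""

VSWITCH_UPLINKS = ["vmnic0", "vmnic1"]

# Per-port-group teaming override: ordered list, the first healthy NIC carries traffic.
TEAMING = {
    "Service Console": ["vmnic0", "vmnic1"],   # active vmnic0, standby vmnic1
    "VMkernel-vMotion": ["vmnic1", "vmnic0"],  # active vmnic1, standby vmnic0
}


def effective_uplink(port_group, failed=frozenset()):
    """pNIC carrying the port group's traffic, or None if its whole team is down."""
    for nic in TEAMING[port_group]:
        if nic not in failed:
            return nic
    return None


def shared_uplinks(failed=frozenset()):
    """pNICs carrying more than one port group, mapped to the port groups sharing them."""
    usage = {}
    for pg in TEAMING:
        nic = effective_uplink(pg, failed)
        if nic is not None:
            usage.setdefault(nic, []).append(pg)
    return {nic: pgs for nic, pgs in usage.items() if len(pgs) > 1}


def failover_report():
    """(sorted failed NICs, shared-pNIC map) for every failure scenario of the team."""
    scenarios = [frozenset(), frozenset({"vmnic0"}), frozenset({"vmnic1"}),
                 frozenset(VSWITCH_UPLINKS)]
    return [(sorted(f), shared_uplinks(f)) for f in scenarios]


if __name__ == "__main__":
    for failed, shared in failover_report():
        print(f"failed={failed or 'none'} shared={shared or 'none'}")
```

With no failures the two port groups sit on different pNICs and `shared_uplinks()` is empty; lose either NIC and both port groups collapse onto the survivor, which is exactly the window in which clear-text vMotion traffic and management traffic share a wire.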
habibalby
Hot Shot

Hello,

Yes, this will be for the dev environment and the same will be replicated 1 cm to cm to the prod. The DMZ, I can go with the back-to-back firewall scenario or Cisco and ISA or both ISA servers. In this case, I can go with authenticated or anonymous DMZ.

Q: Why don't I need to go for the BL 680s series in production?

BR,

S.Hussain

Texiwill
Leadership

Hello,

For production, since you can have 6 pNICs in each blade (2 for SC, 2 for vMotion, 2 for VM network) and your blades are split between DMZ, authenticated DMZ, and the corporate LAN, there is no need for more NICs in the box as you are doing the division of the networks at the box level, not the NIC level.

2 Blades for DMZ (DMZ Network)

2 Blades for Production (Production Network)

2 Blades for Authenticated DMZ (Auth DMZ Network)

If you wanted different networks on the same set of blades (not as secure) or needed more pNIC for the networks in question then bigger blades would be warranted.

Re: vSwitches for SC/vMotion... Yes, it was a typo. Thank you for correcting, Dave.

Best regards,

Edward L. Haletky
habibalby
Hot Shot

Hello,

Then I would stick to what you have guided me earlier.

2 Blades each with 6 NICs.

1 pNIC ( for VMs in In production)

1 pNIC ( for VMs in DMZ )

2 pNICs ( for S.C)

2 pNICs (for Vmotion)

In production all will be fully redundant.

aleph0
Hot Shot

1 pNIC ( for VMs in In production)

1 pNIC ( for VMs in DMZ )

In production all will be fully redundant --> if the two pNICs are bonded and VLANned

\aleph0

Texiwill
Leadership

Hello,

I believe you want this configuration.....

1 pNIC for SC (vMotion backup)

1 pNIC for vMotion (SC backup)

2 pNIC for DMZ

2 pNIC for Production

Best regards,

Edward L. Haletky
aleph0
Hot Shot

Habibalby wants it,... not me ;)

\cheers

aleph

Mork
Enthusiast

I think what Habibalby meant was that in prod he'll have an extra 2 pNICs... but I could be wrong of course

habibalby
Hot Shot

Hello,

Yes, what I need is this setup in the development network. In production, it will be the same, but fully redundant.

BR,

Habibalby
