VMware Cloud Community
jkimmel
Contributor

Setting up a DMZ

Just got started with VMware. We had a consultant come in and set up a SAN with 3 ESX servers. I P2V'd some old 2k/2k3 machines and created some new ones as well. My question is about a web server in our DMZ.

Is it best practice to keep it separate, or is it OK to create a new DMZ network and host it there? I assume it would just be adding another virtual switch and physically adding NICs? Is it better just to create a new physical server? I was also reading about creating separate LUNs as well in another post. Is it even worth all the trouble?

9 Replies
sbeaver
Leadership

The answer depends mainly on your organization. My DMZ is separated by the virtual switch but still uses all the same LUNs that the other VMs are using. I personally do not think the separate LUNs for DMZ are necessary, but then again that is just my opinion.

Steve Beaver
VMware Communities User Moderator
VMware vExpert 2009 - 2020
VMware NSX vExpert - 2019 - 2020
====
Co-Author of "VMware ESX Essentials in the Virtual Data Center"
(ISBN:1420070274) from Auerbach
Come check out my blog: http://www.virtualizationpractice.com/blog/
Come follow me on twitter http://www.twitter.com/sbeaver

**The Cloud is a journey, not a project.**
m_d_sella
Enthusiast

Also, if you find yourself running short on physical NICs in the ESX hosts, you could look into running the DMZ via a VLAN on an existing virtual switch. Each of our ESX hosts has only a single vSwitch with about 10 port groups. Our physical NICs trunk those VLANs to our network core which then separates the networks physically. In this fashion, we are able to have complete network redundancy for hosts on 8 different subnets. Also, as mentioned in the previous post, the LUNs should not need to be separate.

Hope this helps,

Mike

esiebert7625
Immortal

I would definitely create a separate vSwitch exclusively for the DMZ and attach the web server to it. Do not allow a VM to be connected to the DMZ vSwitch and also to a vSwitch on your internal network. As far as LUNs go, there are no issues with sharing the LUNs between DMZ and internal servers.

Check out the links below; they cover this topic very well...

DMZ & VLANs - http://www.vmware.com/community/thread.jspa?messageID=347532

ESX & DMZ - http://www.vmware.com/community/thread.jspa?messageID=233918

ESX & DMZ - http://www.vmware.com/community/thread.jspa?messageID=344471

ESX VM’s in the DMZ - http://www.vmware.com/community/thread.jspa?forumID=21&threadID=19402&messageID=222399#222399

Security Design of the VMware Infrastructure 3 Architecture - http://www.vmware.com/pdf/vi3_security_architecture_wp.pdf

VMware Infrastructure 3 Security Hardening - http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf

VI3 Securing and Monitoring - http://download3.vmware.com/vmworld/2006/labs2006/vmworld.06.lab05-SECURITY-MANUAL-APPENDIX.pdf

VMware ESX Server – Providing LUN Security - http://www.vmware.com/pdf/esx_lun_security.pdf

FYI... if you find this post helpful, please award points using the Helpful/Correct buttons.

-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=-=-=-=-

Thanks, Eric

Visit my website: http://vmware-land.com

-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=-=-=-=-

m_d_sella
Enthusiast

esiebert,

Out of interest, on the VLAN topic.

I ran the presented info by our resident Cisco specialist and he is confident that having a VLAN on a vSwitch (when configured correctly) poses no immediate risk to security. He commented that most of the threats presented in the forum posts have either been corrected through advancements in switch technology or through appropriate network/VLAN configuration.

The VLANs we have created have no accessible interface and as such no traffic can be routed from those VLANs to any other VLAN on the network. So, from the standpoint of the physical switch gear, the traffic is isolated. Is there a specific concern at the vSwitch level that we have overlooked that could pose a security risk?

Here is a good post with similar inquiries:

http://www.vmware.com/community/thread.jspa?threadID=29466&start=0&tstart=0

Thanks,

Mike

esiebert7625
Immortal

Hey Mike,

I did a lot of research on this when we considered extending our ESX servers into our DMZ. I was initially pretty leery about doing this, and after reading through the forum posts here found out that others were doing it. Based on everything I read, the general consensus I got was that it was OK to create a separate vSwitch on its own NIC for this and to never use tagging (802.1Q) on DMZ vSwitches. The concerns were that an attacker could potentially jump VLANs inside a vSwitch and gain access to your inside network. Here are a few more links about it. I'm not a networking expert, so I'm just going by what I've read and other users' opinions. I'd rather err on the side of security though, especially today when you can get fined millions and lose business because of a security breach. NICs are cheap, so I'd rather buy a few more and isolate my DMZ traffic on a separate vSwitch and NIC rather than take a risk.

http://www.sans.org/resources/idfaq/vlan.php

http://advosys.ca/viewpoints/2006/04/virtualization-insecurity/

http://searchservervirtualization.techtarget.com/tip/0,289483,sid94_gci1244407,00.html

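The rules esiebert7625 sets out in his two posts above (a dedicated DMZ vSwitch, no VM attached to both the DMZ and an internal vSwitch, no 802.1Q tagging on DMZ vSwitches) can be turned into a configuration audit. The following Python script is an added example, not code from this thread or from VMware; its inventory model and every host, port-group and VM name in it are constructed for illustration, and the VLAN 4095 check reflects ESX's "all VLANs" port-group setting, which the thread itself does not mention.

```python
from dataclasses import dataclass
# Constructed inventory model with hypothetical names; not pulled from any real host.
@dataclass
class PortGroup:
    name: str
    vswitch: str
    vlan: int    # 0 = untagged, 1..4094 = 802.1Q tag, 4095 = every VLAN passed to the guest
    zone: str    # "dmz" or "internal"

@dataclass
class VM:
    name: str
    portgroups: list  # names of the port groups its vNICs attach to

def audit(portgroups, vms):
    """Apply the thread's isolation rules; return (severity, object, message) findings."""
    pg = {p.name: p for p in portgroups}
    findings = []
    # Rule 1: a VM must never sit on both a DMZ and an internal port group.
    for vm in vms:
        zones = {pg[n].zone for n in vm.portgroups}
        if {"dmz", "internal"} <= zones:
            findings.append(("HIGH", vm.name, "vNICs bridge DMZ and internal networks"))
    for p in portgroups:
        if p.zone != "dmz":
            continue
        # Rule 2: a DMZ port group on a vSwitch shared with internal port groups
        # relies on 802.1Q tags alone for isolation (the blade-chassis compromise).
        shared = sorted(q.name for q in portgroups
                        if q.vswitch == p.vswitch and q.zone != "dmz")
        if shared:
            findings.append(("MEDIUM", p.name,
                             f"shares {p.vswitch} with internal port groups {shared}"))
        # Rule 3: VLAN ID 4095 hands every tagged VLAN on the uplink to the guest.
        if p.vlan == 4095:
            findings.append(("HIGH", p.name, "VLAN 4095 (all VLANs) on a DMZ port group"))
    return findings

def sample_inventory():
    """Constructed sample: one compliant layout next to the three violations above."""
    portgroups = [
        PortGroup("DMZ-Web", "vSwitch1", 0, "dmz"),        # dedicated vSwitch, untagged
        PortGroup("LAN-Servers", "vSwitch0", 10, "internal"),
        PortGroup("DMZ-Tagged", "vSwitch0", 20, "dmz"),    # DMZ by VLAN tag on the LAN vSwitch
        PortGroup("DMZ-Trunk", "vSwitch1", 4095, "dmz"),
    ]
    vms = [VM("web01", ["DMZ-Web"]), VM("app01", ["LAN-Servers"]),
           VM("dualhomed", ["DMZ-Web", "LAN-Servers"])]
    return portgroups, vms
```

Calling `audit(*sample_inventory())` reports the dual-homed VM, the VLAN-tagged DMZ port group on the LAN vSwitch and the 4095 port group, while `web01` on its dedicated untagged vSwitch passes. In practice the inventory would be populated from the host's actual port-group and VM configuration rather than the constructed sample.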
m_d_sella
Enthusiast

esiebert,

Thank you for the reply and the links.

I definitely agree with you. If you have room in your ESX host for additional NICs, that further eliminates any risk of using the vSwitches with VLAN tagging and is the most secure option. In our case, we are using BladeServers and lack the ability to add NICs. I just wanted to be sure that there weren't any known flaws with the vSwitch code that our Cisco guy had overlooked for our scenario.

This topic has received a great deal of attention on the forums and every bit of information I get helps to better assess the risks.

Thanks Again,

Mike

esiebert7625
Immortal

Yeah, with blades that's hard. You're probably OK with using them; most of the reading I did seemed to talk about attacks that could be theoretically possible, not any that currently exist. I just like going hardcore when it comes to security for some peace of mind (it's also good job security). With all these new rules and regulations (SOX & PCI) we're constantly being audited and vulnerability scanned.

bggb29
Expert

Just to add to this. We trunk our DMZs on virtual switches and then prohibit the DMZ VLANs into the non-DMZ VLANs using switchport allowed VLAN rules on the Cisco switch.

We use the same rules to only allow non-DMZ VLANs to traverse other switches.

Our LUNs are not separated either for DMZ guests.

MikeScheerer
Contributor

I totally understand the consensus on physically separating the DMZ within the Virtual Infrastructure, but this is not always possible, particularly with Blade Servers, and I notice that this discussion is quite old (2007). So have the advancements in VMware and networking technology changed the philosophy on PHYSICAL separation at all?

I am looking at including some DMZ-attached VMs within a client's current BladeCenter infrastructure. This would require substantial financial investment in additional Ethernet controllers and switch modules if I were to physically separate the DMZ network connections by creating an additional vSwitch and dedicated NICs, so I was intending to use VLAN tagging to create the DMZ network, but I would like to make the client aware of any security implications.

The client is currently operating 3 x vSphere ESX 4.1 U1 hosts on an IBM BladeCenter H Chassis with 3 x HX5 Blades and 4 x BNT Layer 2/3 Switch Modules.

Regards,

Mike Scheerer

Infinity IT Solutions

Senior Technical Consultant
