Just got started with VMware. We had a consultant come in and set up a SAN with 3 ESX servers. I P2V'd some old 2k/2k3 machines and created some new ones as well. My question is about a web server in our DMZ.
Is it best practice to keep it separate, or is it OK to create a new DMZ network and host it there? I assume it would just be adding another virtual switch and physically adding NICs? Is it better just to create a new physical server? I was also reading about creating separate LUNs as well in another post. Is it even worth all the trouble?
The answer depends mainly on your organization. My DMZ is separated by the virtual switch but still uses all the same LUNs that the other VMs are using. I personally do not think separate LUNs for the DMZ are necessary, but then again that is just my opinion.
Also, if you find yourself running short on physical NICs in the ESX hosts, you could look into running the DMZ via a VLAN on an existing virtual switch. Each of our ESX hosts has only a single vSwitch with about 10 port groups. Our physical NICs trunk those VLANs to our network core which then separates the networks physically. In this fashion, we are able to have complete network redundancy for hosts on 8 different subnets. Also, as mentioned in the previous post, the LUNs should not need to be separate.
Hope this helps,
Mike
I would definitely create a separate vSwitch exclusively for the DMZ and attach the web server to it. Do not allow a VM to be connected to the DMZ vSwitch and also to a vSwitch on your internal network. As far as LUNs go, there are no issues with sharing the LUNs between DMZ and internal servers.
Check out the links below; they cover this topic very well...
DMZ & VLANs - http://www.vmware.com/community/thread.jspa?messageID=347532
ESX & DMZ - http://www.vmware.com/community/thread.jspa?messageID=233918
ESX & DMZ - http://www.vmware.com/community/thread.jspa?messageID=344471
ESX VMs in the DMZ - http://www.vmware.com/community/thread.jspa?forumID=21&threadID=19402&messageID=222399#222399
Security Design of the VMware Infrastructure 3 Architecture - http://www.vmware.com/pdf/vi3_security_architecture_wp.pdf
VMware Infrastructure 3 Security Hardening - http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf
VI3 Securing and Monitoring - http://download3.vmware.com/vmworld/2006/labs2006/vmworld.06.lab05-SECURITY-MANUAL-APPENDIX.pdf
VMware ESX Server Providing LUN Security - http://www.vmware.com/pdf/esx_lun_security.pdf
FYI, if you find this post helpful, please award points using the Helpful/Correct buttons.
-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=-=-=-=-
Thanks, Eric
Visit my website: http://vmware-land.com
-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=-=-=-=-
esiebert,
Out of interest, on the VLAN topic.
I ran the presented info by our resident Cisco specialist and he is confident that having a VLAN on a vSwitch (when configured correctly) poses no immediate risk to security. He commented that most of the threats presented in the forum posts have either been corrected through advancements in switch technology or through appropriate network/VLAN configuration.
The VLANs we have created have no accessible interface and as such no traffic can be routed from those VLANs to any other VLAN on the network. So, from the standpoint of the physical switch gear, the traffic is isolated. Is there a specific concern at the vSwitch level that we have overlooked that could pose a security risk?
Here is a good post with similar inquiries:
http://www.vmware.com/community/thread.jspa?threadID=29466&start=0&tstart=0
Thanks,
Mike
Hey Mike,
I did a lot of research on this when we considered extending our ESX servers into our DMZ. I was initially pretty leery about doing this, and after reading through the forum posts here found out that others were doing it. Based off everything I read, the general consensus I got was that it was OK to create a separate vSwitch on its own NIC for this and to never use tagging (802.1Q) on DMZ vSwitches. The concerns were that an attacker could potentially jump VLANs inside a vSwitch and gain access to your inside network. Here are a few more links about it. I'm not a networking expert, so I'm just going by what I've read and other users' opinions. I'd rather err on the side of security though, especially today when you can get fined millions and lose business because of a security breach. NICs are cheap, so I'd rather buy a few more and isolate my DMZ traffic on a separate vSwitch and NIC rather than take a risk.
http://www.sans.org/resources/idfaq/vlan.php
http://advosys.ca/viewpoints/2006/04/virtualization-insecurity/
http://searchservervirtualization.techtarget.com/tip/0,289483,sid94_gci1244407,00.html
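One way to check the rules from this reply and the earlier one (DMZ port groups on their own vSwitch with a dedicated NIC, no 802.1Q tag on them, and no VM attached to both the DMZ and an internal port group) against a host's configuration. This is an added example, not code from this thread or from VMware; the "DMZ" naming prefix and the sample host data are assumptions.

```python
"""Audit of one ESX host's vSwitch layout against the DMZ rules in this thread (added example).
Assumption: DMZ port groups are named with a 'DMZ' prefix; all sample data here is constructed."""
from dataclasses import dataclass

DMZ_PREFIX = "DMZ"

@dataclass
class PortGroup:
    name: str
    vlan: int = 0  # 0 = untagged, i.e. no 802.1Q tag on the port group

@dataclass
class VSwitch:
    name: str
    uplinks: list  # physical NICs bound to this vSwitch, e.g. ["vmnic2"]
    portgroups: list

def is_dmz(pg_name):
    return pg_name.upper().startswith(DMZ_PREFIX)

def audit(vswitches, vm_nics):
    """Return (subject, rule) findings; vm_nics maps a VM name to the port groups its vNICs use."""
    findings = []
    for vs in vswitches:
        names = [pg.name for pg in vs.portgroups]
        dmz_names = [n for n in names if is_dmz(n)]
        if dmz_names and len(dmz_names) != len(names):
            findings.append((vs.name, "mixed-zones"))          # DMZ vSwitch must carry only DMZ port groups
        if dmz_names and not vs.uplinks:
            findings.append((vs.name, "no-dedicated-uplink"))  # DMZ vSwitch needs its own physical NIC
        for pg in vs.portgroups:
            if is_dmz(pg.name) and pg.vlan != 0:
                findings.append((pg.name, "tagged-dmz"))       # no 802.1Q tagging on DMZ port groups
    for vm, pgs in vm_nics.items():
        if {is_dmz(p) for p in pgs} == {True, False}:
            findings.append((vm, "dual-homed-vm"))             # a VM must never touch both zones
    return findings

# Constructed sample host that trips all four rules.
SAMPLE_VSWITCHES = [
    VSwitch("vSwitch0", ["vmnic0", "vmnic1"],
            [PortGroup("Service Console"), PortGroup("Internal-LAN", 10), PortGroup("DMZ-Web", 20)]),
    VSwitch("vSwitch1", [], [PortGroup("DMZ-Isolated")]),
]
SAMPLE_VM_NICS = {"web01": ["DMZ-Web"], "app01": ["Internal-LAN", "DMZ-Web"], "db01": ["Internal-LAN"]}
```

The same model can be filled from the output of `esxcfg-vswitch -l` and each VM's NIC settings and re-run after every change, so a later admin cannot quietly add an internal port group to the DMZ vSwitch.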
esiebert,
Thank you for the reply and the links.
I definitely agree with you. If you have room in your ESX host for additional NICs, that further eliminates any risk of using the vSwitches with VLAN tagging and is the most secure option. In our case, we are using BladeServers and lack the ability to add NICs. I just wanted to be sure that there weren't any known flaws with the vSwitch code that our Cisco guy had overlooked for our scenario.
This topic has received a great deal of attention on the forums and every bit of information I get helps to better assess the risks.
Thanks Again,
Mike
Yeah, with blades that's hard. You're probably OK with using them; most of the reading I did seemed to talk about attacks that could be theoretically possible, not any that currently exist. I just like going hardcore when it comes to security for some peace of mind (it's also good job security). With all these new rules and regulations (SOX & PCI) we're constantly being audited and vulnerability scanned.
Just to add to this. We trunk our DMZs on virtual switches and then prohibit the DMZ VLANs into the non-DMZ VLANs using switchport allowed vlan rules on the Cisco switch.
We use the same rules to only allow non-DMZ VLANs to traverse other switches.
Our LUNs are not separated either for DMZ guests.
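The switch-side pruning described in this post, as an added example that is not from the thread or from Cisco: it expands each trunk's `switchport trunk allowed vlan` list from an IOS-style config and reports every trunk outside the designated DMZ ports (the ESX uplinks, the firewall port) that still carries a DMZ VLAN. The config text, VLAN numbers and port names are constructed.

```python
ALL_VLANS = frozenset(range(1, 4095))  # IOS default: a trunk with no allowed list carries every VLAN
PREFIX = "switchport trunk allowed vlan "

def parse_vlan_list(spec):
    """Expand a VLAN list such as '10,20,100-102' (or 'none') into a set of ints."""
    if spec.strip() == "none":
        return set()
    return {v for part in spec.split(",") for lo, _, hi in [part.strip().partition("-")]
            for v in range(int(lo), int(hi or lo) + 1)}

def parse_trunks(config):
    """Return {interface: allowed VLAN set} for ports explicitly set to 'switchport mode trunk'.
    Assumes the consolidated list as shown by 'show running-config'; 'add'/'remove' forms are not handled."""
    trunks, name, allowed, mode = {}, None, set(), None
    for raw in config.splitlines() + ["!"]:  # trailing '!' flushes the last interface block
        line = raw.strip()
        if line.startswith("interface "):
            name, allowed, mode = line.split(" ", 1)[1], set(ALL_VLANS), None
        elif line == "switchport mode trunk":
            mode = "trunk"
        elif line.startswith(PREFIX):
            allowed = parse_vlan_list(line[len(PREFIX):])
        elif line == "!" and name:
            if mode == "trunk":
                trunks[name] = allowed
            name = None
    return trunks

def dmz_leaks(trunks, dmz_vlans, dmz_ports):
    """Trunks outside dmz_ports (ESX uplinks, firewall) that still carry any DMZ VLAN."""
    return {p: sorted(v & dmz_vlans) for p, v in trunks.items()
            if p not in dmz_ports and v & dmz_vlans}

# Constructed config: 1/0/1 is the ESX uplink, 1/0/22 lets one DMZ VLAN through, 1/0/23 has no list at all.
SAMPLE_CONFIG = """interface GigabitEthernet1/0/1
 description trunk to esx01 vmnic2, carries the DMZ port groups
 switchport mode trunk
 switchport trunk allowed vlan 10,20,100-102
!
interface GigabitEthernet1/0/22
 switchport mode trunk
 switchport trunk allowed vlan 10,20,101
!
interface GigabitEthernet1/0/23
 switchport mode trunk
!"""
DMZ_VLANS = {100, 101, 102}           # constructed DMZ VLAN ids
DMZ_PORTS = {"GigabitEthernet1/0/1"}  # the only trunk that may carry them
```

The trunk with no allowed-VLAN line is the usual gap: it is not pruned at all, so the DMZ VLANs ride it into the rest of the network by default.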
I totally understand the consensus on physically separating the DMZ within the Virtual Infrastructure, but this is not always possible, particularly with blade servers, and I notice that this discussion is quite old (2007), so have the advancements in VMware and networking technology changed the philosophy on PHYSICAL separation at all?
I am looking at including some DMZ-attached VMs within a client's current BladeCenter infrastructure. It would require substantial financial investment in additional Ethernet controllers and switch modules if I was to physically separate the DMZ network connections by creating an additional vSwitch and dedicated NICs, so I was intending to use VLAN tagging to create the DMZ network, but I would like to make the client aware of any security implications.
The client is currently operating 3 x vSphere ESX 4.1 U1 hosts on an IBM BladeCenter H chassis with 3 x HX5 blades and 4 x BNT Layer 2/3 switch modules.
Regards,
Mike Scheerer
Infinity IT Solutions
Senior Technical Consultant