VMware Cloud Community
dcolpitts
Enthusiast

Creating a DMZ for a webserver

Ok - I'll admit right up front that vlans and tagging are not my strong points, so please don't consider me completely stupid for the way I have set this up.

I've just set up a brand new ESX cluster of 3 DL380G5s with 4 GigE ports in them with an HP EVA 4400 for the back end, and another DL380G5 running W2k3 with VC, VCB and Command View EVA. All this is plugged into a single ProCurve 2848, which is in turn plugged into the trusted port of a WatchGuard Firebox X500. We have dedicated one of the 4 GigE ports in each ESX server to a ProCurve 1800 GigE switch, leaving us 3 GigE ports for the production network. We did not create a separate Service Console switch (internal security is not an issue - the entire company comprises 6 software developers with 2 physical PCs each).

The client also has a physical W2k3 Apache box which is plugged into a DMZ port of the Firebox X500. We would like to virtualize this machine, but I'm having a hard time grasping the best way to do this.

I know I could easily create another vSwitch for the DMZ, assign it one of the 3 remaining GigE ports, plug those into another physical switch, and finally plug that into the DMZ port of the Firebox. But is there another way I can do this, without giving up one of my 3 remaining GigE ports? Perhaps using my VMotion NICs and switch for the DMZ switch as well?

Ideas, thoughts, theories?

dcc

5 Replies
Rumple
Virtuoso

If you do not have VLANs etc. all set up, then I would just save yourself a lot of work and effort and go with the vSwitch/GigE port, but plug it directly into the DMZ port without using a switch.

Overall that's the most secure anyhow, and it's how most of us balance the requirement of virtualizing DMZ hosts against network security.

LarsLiljeroth
Expert

Hi

I agree with Rumple: if you have 3 spare NICs, go ahead. But the most redundant solution is done by using more than one NIC for the DMZ.

So if you implement VLAN tagging, you can make 1 vSwitch with 2 or more connected NICs, and on this vSwitch you can have all the port groups with different VLANs.

Some more info here--> http://communities.vmware.com/message/1104461#1104461

Best regards

Lars Liljeroth

If you found this information useful, please consider awarding points for "Correct" or "Helpful". Thanks!!!
Texiwill
Leadership

Hello,

Moved to Security and Compliance Forum.

You want PHYSICAL separation. VLANs are not a method for securing a network.

A DMZ requires physical separation so use one of the 'three' remaining pNICs JUST for a DMZ vSwitch which is connected to the DMZ firewall port on your firewall.

Give http://www.vmware.com/files/pdf/dmz_virtualization_vmware_infra_wp.pdf a read.

For redundancy you may want:

2 pNIC for SC, VMotion, Production, not sure I would do this but if you trust everyone then it is not a huge issue.

2 pNIC for DMZ (DO NOT trust anything on this network)

Remember VLANs do not offer security; they allow an easier way to direct traffic on a single wire. This is data commingling, and there are a number of attacks that work in the physical network space. In the virtual network space Layer 3 attacks also work.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

SearchVMware Blog: http://itknowledgeexchange.techtarget.com/virtualization-pro/

Blue Gears Blogs - http://www.itworld.com/ and http://www.networkworld.com/community/haletky

As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization
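The advice above (a dedicated vSwitch whose only uplinks are pNICs reserved for the DMZ, cabled straight to the firewall's DMZ port) is easy to state and easy to get wrong in a multi-host cluster. The following added example, which is not part of the thread and not VMware's code, does two things: it audits a constructed inventory in the shape of "vSwitch:uplink,uplink" lines to confirm the DMZ vSwitch shares no physical NIC with any other vSwitch, and it prints the ESX 3.x `esxcfg-vswitch` commands that would build such a vSwitch. The switch names (vSwitch0, vSwitchVMotion, vSwitchDMZ), NIC names (vmnic0-vmnic3), the port group name and the inventory text are all assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Checks that the DMZ vSwitch has its own
# physical uplinks and emits the esxcfg-vswitch commands that build it.
# Switch names, NIC names and the inventories below are assumptions.

# Constructed inventories: one vSwitch per line, "name:uplink1,uplink2".
# GOOD: vmnic2 is used only by the DMZ vSwitch (what Texiwill recommends).
GOOD_INVENTORY='vSwitch0:vmnic0,vmnic1
vSwitchVMotion:vmnic3
vSwitchDMZ:vmnic2'

# BAD: the DMZ vSwitch also borrows the VMotion NIC (the original question).
BAD_INVENTORY='vSwitch0:vmnic0,vmnic1
vSwitchVMotion:vmnic3
vSwitchDMZ:vmnic2,vmnic3'

# dmz_shared_uplinks INVENTORY DMZ_SWITCH
# Prints "nic: other_vswitch..." for every uplink the DMZ vSwitch shares with
# another vSwitch. Returns 0 when nothing is shared, 1 when something is.
dmz_shared_uplinks() {
    printf '%s\n' "$1" | awk -F: -v dmz="$2" '
        {
            n = split($2, nics, ",")
            for (i = 1; i <= n; i++) {
                if ($1 == dmz) dmznic[nics[i]] = 1
                else owner[nics[i]] = owner[nics[i]] " " $1
            }
        }
        END {
            for (nic in dmznic)
                if (nic in owner) { print nic ":" owner[nic]; shared = 1 }
            exit shared ? 1 : 0
        }'
}

# dmz_build_commands DMZ_SWITCH PORTGROUP NIC...
# Prints the esxcfg-vswitch commands that create the DMZ vSwitch, link only the
# listed pNICs to it, and add an untagged port group for the DMZ VMs. The
# commands are printed, not run, so this can be reviewed before execution.
dmz_build_commands() {
    sw=$1
    pg=$2
    shift 2
    echo "esxcfg-vswitch -a $sw"
    for nic in "$@"; do
        echo "esxcfg-vswitch -L $nic $sw"
    done
    echo "esxcfg-vswitch -A \"$pg\" $sw"
}

# Demonstration on the constructed inventories.
if dmz_shared_uplinks "$GOOD_INVENTORY" vSwitchDMZ; then
    echo "GOOD_INVENTORY: DMZ uplinks are dedicated"
fi
if ! dmz_shared_uplinks "$BAD_INVENTORY" vSwitchDMZ; then
    echo "BAD_INVENTORY: DMZ shares an uplink with another vSwitch"
fi
dmz_build_commands vSwitchDMZ "DMZ Network" vmnic2
```

Run the audit against each host in the cluster; the check only matters if every host keeps the DMZ uplink(s) dedicated, since a VM can be VMotioned to any of them. Adding `-v <vlan> -p "DMZ Network" vSwitchDMZ` would tag the port group as in Lars's design, but that is the trunking the later replies argue against for a DMZ.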
virtualsecurity
Contributor

Hi, I would really suggest that you have a look at my company's integrated Virtual Security Appliance that will help you ease up all these things with provisioning multiple DMZs etc. without the complexity of having external equipment handling this (data passes in and out etc.). I work for a company named Clavister, much more known today in OEM, but that has launched one of the brightest security solutions for VMware (to handle all network security aspects inside the virtualised environment). Let me know if you want more info; I can post some extra sheets/links regarding our solutions if it might be of interest for you.

Kind regards

khughes
Virtuoso

I'll have to agree with Texiwill on this one: physical separation is the way to go if you want any sort of security between your production network and DMZ network. Even though bunching all of your SC/VMotion/production network over the same NICs isn't the best way to go security-wise, it is much less of a threat than if you merged your production network and DMZ network on the same NICs separated by VLANs. We run a similar setup to what Texiwill stated, except we have 4 NICs for SC/VMotion/production and 2 NICs for DMZ which plug directly into our DMZ switch.

-- Kyle