I was thinking of setting up my ESX host dedicated to DMZ servers with the following configuration:
physical nic0 - Service Console, internal network access
physical nic1 - VM Network, DMZ network access
Could someone please let me know if there are some security risks I'm overlooking? At no time do I plan on having an internal VM network on the same host as one with a DMZ network, so there is no chance a lazy admin could add both networks to one VM.
thanks
IPMAN
No, there are no security concerns you are overlooking. This would be the way I would set up my ESX server. The only way a 'lazy admin' could connect the VM to the secure network is by first adding a virtual machine port group to the same virtual switch as the service console port and then adding a second NIC to a VM and connecting it to the new VM port group on the service console virtual switch.
Hello,
Everything looks fine. The SC, vMotion, and Storage Networks should be connected to your internal network, a private network, and an isolated network, while your VMs live within the DMZ.
A VM cannot be placed directly on the SC portgroup. However, one thing I would suggest is to use physical pNIC separation: one for SC and one for DMZ, on two distinctly different vSwitches. I would also add more pNICs to increase redundancy on each network (at least two more pNICs). VLANs can be used and are currently safe, but if you plan for them to not be safe you are a step ahead of the hackers.
Best regards,
Edward L. Haletky
VMware Communities User Moderator
====
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education. As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization
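Both replies above describe the same configuration rule: the Service Console port group and the VM (DMZ) port group must live on different vSwitches with different physical uplinks, and the one way a careless admin breaks it is by adding a VM port group to the Service Console vSwitch. The script below is an added example (not from the thread, not VMware's tooling) that audits a listing of that shape. It assumes the column layout of ESX 3.x `esxcfg-vswitch -l` output, which is reproduced here from memory as constructed sample text rather than captured from a real host, and it assumes the management port groups go by their conventional names ("Service Console", "VMkernel", "vMotion", "Storage"). It flags a vSwitch that mixes management and VM port groups, and separately notes any vSwitch with fewer than two uplinks, which is the redundancy point Edward raises.

```python
import re
from dataclasses import dataclass, field

# Port groups that belong to the host itself rather than to guest VMs.
# "Service Console" is the default SC port group name on ESX 3.x; the other
# names are assumed conventions for the VMkernel/vMotion/storage networks.
MGMT_PORTGROUPS = {"Service Console", "VMkernel", "vMotion", "Storage"}

# Row layouts are assumptions modelled on `esxcfg-vswitch -l` (ESX 3.x):
#   <switch> <num ports> <used> <configured> <mtu> [<uplink,uplink>]
#   <port group name> <vlan> <used> [<uplink,uplink>]
SWITCH_RE = re.compile(r"^(?P<name>\S+)\s+\d+\s+\d+\s+\d+\s+\d+(?:\s+(?P<uplinks>\S+))?\s*$")
PG_RE = re.compile(r"^\s+(?P<name>.+?)\s+\d+\s+\d+(?:\s+(?P<uplinks>\S+))?\s*$")

# Constructed sample: the layout the original poster describes (SC on vmnic0,
# DMZ VM Network on vmnic1, separate vSwitches).
SAMPLE_OK = """\
Switch Name    Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitch0       32          3           32                1500    vmnic0

  PortGroup Name    VLAN ID  Used Ports  Uplinks
  Service Console   0        1           vmnic0

Switch Name    Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitch1       64          5           64                1500    vmnic1

  PortGroup Name    VLAN ID  Used Ports  Uplinks
  VM Network        0        3           vmnic1
"""

# Constructed sample: the 'lazy admin' case, a VM port group added to the
# Service Console vSwitch.
SAMPLE_MIXED = """\
Switch Name    Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitch0       32          4           32                1500    vmnic0,vmnic2

  PortGroup Name    VLAN ID  Used Ports  Uplinks
  Service Console   0        1           vmnic0,vmnic2
  DMZ Network       10       1           vmnic0,vmnic2

Switch Name    Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitch1       64          5           64                1500    vmnic1

  PortGroup Name    VLAN ID  Used Ports  Uplinks
  VM Network        0        3           vmnic1
"""


@dataclass
class VSwitch:
    name: str
    uplinks: set
    portgroups: list = field(default_factory=list)


def parse_vswitch_listing(text):
    """Parse esxcfg-vswitch -l style text into a list of VSwitch objects."""
    switches = []
    section = None  # which header was seen last: "switch" or "pg"
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("Switch Name"):
            section = "switch"
            continue
        if line.lstrip().startswith("PortGroup Name"):
            section = "pg"
            continue
        if section == "switch":
            m = SWITCH_RE.match(line)
            if m:
                ups = m.group("uplinks")
                switches.append(VSwitch(m.group("name"), set(ups.split(",")) if ups else set()))
        elif section == "pg" and switches:
            m = PG_RE.match(line)
            if m:
                # port groups listed after a switch row belong to that switch
                switches[-1].portgroups.append(m.group("name"))
    return switches


def audit(switches, mgmt=MGMT_PORTGROUPS):
    """Return (severity, message) findings for the separation and redundancy rules."""
    findings = []
    for sw in switches:
        mgmt_pgs = [p for p in sw.portgroups if p in mgmt]
        vm_pgs = [p for p in sw.portgroups if p not in mgmt]
        if mgmt_pgs and vm_pgs:
            # Exactly the condition the replies warn about: a VM port group on
            # the same vSwitch as the Service Console port group.
            findings.append(("HIGH", "%s carries both management (%s) and VM (%s) port groups"
                             % (sw.name, ", ".join(mgmt_pgs), ", ".join(vm_pgs))))
        if len(sw.uplinks) < 2:
            findings.append(("LOW", "%s has %d uplink(s); no pNIC redundancy"
                             % (sw.name, len(sw.uplinks))))
    return findings


def audit_text(text):
    return audit(parse_vswitch_listing(text))


if __name__ == "__main__":
    for label, sample in (("OK layout", SAMPLE_OK), ("mixed layout", SAMPLE_MIXED)):
        print(label)
        for severity, msg in audit_text(sample):
            print("  [%s] %s" % (severity, msg))
```

On a real host the text would come from running `esxcfg-vswitch -l` in the service console and feeding the output to `audit_text`; since the port group names are the only signal in that listing, cross-check the management set against `esxcfg-vswif -l` before trusting a clean result.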
Thanks for the advice guys!