VMware Cloud Community
jfields
Enthusiast

Network design question/security

I would like to get opinions on the design of our ESX hosts' networking. We have a couple of main ESX boxes, each with 10 physical NICs. We have the following in our environment:

- iSCSI and NAS storage (so two NICs are for IP storage)

- 2 separate networks for VMs: 1 for the admin interfaces (not for users) and another for production servers (for users)

Current setup is:

2 NICs (SC and admin VMs)

2 NICs (IP storage)

2 NICs (vMotion)

3 NICs (Production server VMs)

I would like opinions on how secure of a setup this is. Is it an issue to have the SC sharing a vSwitch with the admin VMs? They are on the same physical VLANs. We do not control the switches, so it is not really an option to set up VLANs on the switches. Thanks.

Rockapot
Expert

jfields,

This looks OK for the most part; however, it would be best if you can move the admin VMs to the Production vSwitch and then just tag the Production VLAN to a Port Group on the Production vSwitch.

Basically, don't use the SC vSwitch for the admin servers.

Hope that makes sense.

Also, when you say Admin servers, are you referring to the VC server or other Admin servers?

Carl

jfields
Enthusiast

Carl,

Thank you for your reply. We don't really have the option to use VLAN tagging on the switches, as they are controlled by our parent organization, which doesn't really support that usage. When I refer to admin servers, it is actually a separate network segment that all of our administrative interfaces are on. This segment is not accessible to the users and contains the SCs, VC, server remote access cards, SAN admin ports, and other such connections. Basically, for security reasons, we have separated our server traffic into two network segments. Everything in the Production Servers segment serves some purpose for users and has a rule in the firewalls to allow user access. This is most of our servers. The other segment, Admin, contains the servers that users do not need direct access to and it is firewalled into its own network traffic.

Texiwill
Leadership

Hello,

Moved to the Security and Compliance Forum.

Given:

SC and Admin VMs on the same physical VLAN/Network

Therefore:

Since your SC and Admin VMs share the same security zone this configuration is just fine.

Moving Admin VMs to the Production vSwitch would imply issues as you now have the possibility (slim however) of crossing security zones on the same vSwitch. Minimally you are comingling Admin data and Production data on the same vSwitch. So I would NOT do this. Remember VLANs do not grant security.

Your configuration of the vNetwork is just fine as you have well defined security zones split by vSwitch. However note that your iSCSI IP Storage will require the SC to participate in its network and that could be done through a firewall instead of having the SC bridge between the IP Storage security zone and the admin security zone.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

Blue Gears and SearchVMware Pro Blogs: http://www.astroarch.com/wiki/index.php/Blog_Roll

Top Virtualization Security Links: http://www.astroarch.com/wiki/index.php/Top_Virtualization_Security_Links

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
jfields
Enthusiast

Edward,

Thank you. I think I may not have explained myself clearly enough. I was not proposing putting the Admin VMs and connections on the same vSwitch as the Production Server VMs. Rather, I was concerned about the SC being on the same vSwitch as the Admin VMs, since I do not believe this to be a best practice. In our environment, we have a single subnet for all of the VMs, separated into 2 subnets on the physical switches. We do not use (or want to use) VLAN tagging on the vSwitches. There are firewalls between each of our VLANs. Thus, the admin VMs are separated from the Production VLAN by a firewall. My real question is how big of a security issue is it for the SC and the admin VMs to share a vSwitch, if they already share a physical network? We do not have the capacity to create a separate network or VLAN just for SC traffic. Our environment looks like this right now:

- 2 pNICs - SC & admin VM network (192.168.15.0/24 VLAN 0)

- 3 pNICs - Prod VM network (192.168.15.0/24 VLAN 1)

- 2 pNICs - VMKernel & SC (10.10.1.0/8)

- 2 pNICs - vMotion (172.16.32.0/16)

Would it be worthwhile to create a fifth vSwitch just to house the admin VMs, so that they do not share a vSwitch and pNICS with the SC?

Texiwill
Leadership

Hello,

> Thank you. I think I may not have explained myself clearly enough. I was not proposing putting the Admin VMs and connections on the same vSwitch as the Production Server VMs. Rather, I was concerned about the SC being on the same vSwitch as the Admin VMs, since I do not believe this to be a best practice. In our environment, we have a single subnet for all of the VMs, separated into 2 subnets on the physical switches. We do not use (or want to use) VLAN tagging on the vSwitches. There are firewalls between each of our VLANs. Thus, the admin VMs are separated from the Production VLAN by a firewall. My real question is how big of a security issue is it for the SC and the admin VMs to share a vSwitch, if they already share a physical network? We do not have the capacity to create a separate network or VLAN just for SC traffic. Our environment looks like this right now:

Since they already share the same physical network, sharing the same vSwitch is not a huge or any concern. Consider the vSwitch another part of your administrative network. The best practice is to place all virtualization administration servers and workstations within the same firewalled network. You have done this.

> - 2 pNICs - SC & admin VM network (192.168.15.0/24 VLAN 0)

Works for me. I often use Administrative VMs and place them on the vSwitch with the SC. They are after all using the same network and the vSwitch is just another part of the network switch fabric.

> - 3 pNICs - Prod VM network (192.168.15.0/24 VLAN 1)

Not sure I would use 3 but I leave that to you.

> - 2 pNICs - VMKernel & SC (10.10.1.0/8)

This crosses security zones. I would instead use your administrative firewall to bridge the CHAP protocol ports between the IP Storage Network and the Administrative Network. What you have is a common practice but not the most secure as you now have 2 attack points into the service console, one from the administrative network and one from the IP Storage network. This could include the possibility of VMs who use iSCSI initiators. Since all you need is to have the SC participate for CHAP (whether you are using it or not), you could easily use your existing Administrative firewall to do this. You may have to fix a few things within your network to make this happen but it would be how I would approach this possible security concern.

> - 2 pNICs - vMotion (172.16.32.0/16)

Sounds good.

> Would it be worthwhile to create a fifth vSwitch just to house the admin VMs, so that they do not share a vSwitch and pNICS with the SC?

Not really. Same Security Zone.


Best regards,

Edward L. Haletky

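The security-zone reasoning in the replies above, as an added example that is not part of any post in the thread: a small Python audit that models the four-vSwitch layout and reports vSwitches carrying more than one zone and endpoints attached to more than one zone. The vSwitch names, zone labels and endpoint names are assumptions made up for the illustration.

```python
from collections import defaultdict

# Constructed model of the layout in the thread. vSwitch names and zone labels
# are assumptions; each tuple is (vSwitch, security zone, attached endpoint).
CURRENT = [
    ("vSwitch0", "admin",      "service-console"),
    ("vSwitch0", "admin",      "admin-vms"),
    ("vSwitch1", "production", "prod-vms"),
    ("vSwitch2", "ip-storage", "vmkernel-iscsi"),
    ("vSwitch2", "ip-storage", "service-console"),  # second SC port for iSCSI
    ("vSwitch3", "vmotion",    "vmkernel-vmotion"),
]

def mixed_zone_vswitches(layout):
    """vSwitches that carry port groups from more than one security zone."""
    zones = defaultdict(set)
    for vswitch, zone, _ in layout:
        zones[vswitch].add(zone)
    return {v: sorted(z) for v, z in zones.items() if len(z) > 1}

def zone_bridging_endpoints(layout):
    """Endpoints with interfaces in more than one zone (reachable from each)."""
    zones = defaultdict(set)
    for _, zone, endpoint in layout:
        zones[endpoint].add(zone)
    return {e: sorted(z) for e, z in zones.items() if len(z) > 1}

def audit(layout):
    return {"mixed_vswitches": mixed_zone_vswitches(layout),
            "bridging_endpoints": zone_bridging_endpoints(layout)}

# Variant 1: admin VMs moved onto the production vSwitch (the first reply's idea).
ADMIN_ON_PROD = [("vSwitch1", z, e) if e == "admin-vms" else (v, z, e)
                 for v, z, e in CURRENT]

# Variant 2: SC port removed from the IP storage vSwitch; in this model the
# administrative firewall passes the needed traffic between the two zones.
SC_VIA_FIREWALL = [row for row in CURRENT
                   if row[1:] != ("ip-storage", "service-console")]

if __name__ == "__main__":
    for name, layout in [("current", CURRENT),
                         ("admin VMs on prod vSwitch", ADMIN_ON_PROD),
                         ("SC reaches storage via firewall", SC_VIA_FIREWALL)]:
        print(name, audit(layout))
```

The SC and admin VMs sharing a vSwitch produce no finding because they are in one zone; the only finding in the current layout is the service console's second port on the IP storage network.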