VMware Cloud Community
jc69
Contributor

Potential for using ESX to bridge networks ???

I have a request from someone for a VM that will be connected to our DMZ. My ESX 3.5 Hosts are physically connected to our internal network (behind the firewall).

My question is, if I connect this same host to our DMZ network using a separate physical interface and virtual switch for a VM that will reside in the DMZ, is there any potential threat that, if this DMZ VM were to be hacked, some type of software routing could be enabled on it that would use ESX to do any kind of routing to a VM, on the same host, that is connected to our internal network?

3 Replies
vmroyale
Immortal

Hello.

Can you clarify if the virtual machine is going to be connected to both networks or just the DMZ network you described?

Also be sure to check out the DMZ Virtualization with VMware Infrastructure Best Practices Guide.

Good Luck!

Brian Atkinson | vExpert | VMTN Moderator | Author of "VCP5-DCV VMware Certified Professional-Data Center Virtualization on vSphere 5.5 Study Guide: VCP-550" | @vmroyale | http://vmroyale.com
Texiwill
Leadership

Hello,

Moved to Security forum.

My question is, if I connect this same host to our DMZ network using a separate physical interface and virtual switch for a VM that will reside in the DMZ, is there any potential threat that, if this DMZ VM were to be hacked, some type of software routing could be enabled on it that would use ESX to do any kind of routing to a VM, on the same host, that is connected to our internal network?

No. The VM would be on the DMZ vSwitch with its own pNIC connected to its own pSwitch. This is the best way to connect the VM to the DMZ.

However ESX 3.5 has no per network controls so now your auditing must increase to ensure that only the specific VMs are on the DMZ portgroup, etc. Check out Texiwill's Topology Blogs for some assistance with this.

BTW, if you have a VM with two vNICs each connected to a different vSwitch then that VM can route between the vSwitches, this is why auditing MUST be increased.


Best regards,

Edward L. Haletky, VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available: 'VMWare ESX Server in the Enterprise'
SearchVMware Pro (http://www.astroarch.com/wiki/index.php/Blog_Roll) | Blue Gears | Top Virtualization Security Links | Virtualization Security Round Table Podcast

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
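As an added example (not code from the thread or from VMware), here is the kind of audit the reply above calls for: read each VM's .vmx configuration, where the key ethernetN.networkName names the port group each vNIC is attached to, and flag any VM on the DMZ port group that also has a vNIC on another port group (a potential bridge between vSwitches) or that is not on the approved list of DMZ VMs. The VM names, port-group names and the allowlist are constructed for the example.

```python
"""Audit vNIC port-group assignments from ESX .vmx files."""
import re

# Constructed sample .vmx contents (not taken from the thread).
SAMPLE_VMX = {
    "web01.vmx": 'displayName = "web01"\nethernet0.networkName = "DMZ"\n',
    "app01.vmx": 'displayName = "app01"\nethernet0.networkName = "Internal"\n',
    "jump01.vmx": ('displayName = "jump01"\nethernet0.networkName = "DMZ"\n'
                   'ethernet1.networkName = "Internal"\n'),
    "test01.vmx": 'displayName = "test01"\nethernet0.networkName = "DMZ"\n',
}

VMX_LINE = re.compile(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$')   # key = "value"
VNIC_KEY = re.compile(r"ethernet\d+\.networkName")


def parse_vmx(text):
    """Return (displayName, set of port-group names) from .vmx text."""
    keys = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            keys[m.group(1)] = m.group(2)
    name = keys.get("displayName", "<unnamed>")
    port_groups = {v for k, v in keys.items() if VNIC_KEY.fullmatch(k)}
    return name, port_groups


def audit(vmx_files, dmz_pg, allowed_dmz_vms):
    """Flag DMZ VMs that are dual-homed or not approved for the DMZ port group.

    Returns a list of (vm_name, finding, sorted port groups)."""
    findings = []
    for fname, text in sorted(vmx_files.items()):
        name, pgs = parse_vmx(text)
        if dmz_pg not in pgs:
            continue                      # not on the DMZ: out of scope here
        if len(pgs) > 1:                  # vNICs on DMZ and another port group
            findings.append((name, "dual-homed", sorted(pgs)))
        if name not in allowed_dmz_vms:   # on the DMZ without approval
            findings.append((name, "not-approved-for-dmz", sorted(pgs)))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_VMX, "DMZ", {"web01", "jump01"}):
        print(finding)
```

On a real host the .vmx files live on the datastores; this check covers vNIC placement only, not whether the DMZ vSwitch's uplink goes to its own physical switch.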
jc69
Contributor

Thank you both for your replies. The Best Practices document was a big help too.
