(Sorry, I initially put this in the ESX 3.0 forum but not sure how to move it)
I remember at one time having a DMZ NIC and Private NIC on the same host was once recommended against because of security risks. When I was at VMworld in the security lab, the engineers said there is absolutely no problem with doing that. Doing this would save me from having to create a 2nd HA cluster, not to mention licensing.
What is the common practice now? I was just wondering what you guys are doing and your thoughts?
IMO - Having physical DMZ pNIC separation from the rest of your network traffic is about the best you can do besides buying DMZ ESX hosts... which is a major money expense. We run physical separation of our DMZ network over physically different pNICs so there is no chance of bleeding or VLAN jumping (somehow).
Kyle
Hello,
I would read http://www.vmware.com/files/pdf/dmz_virtualization_vmware_infra_wp.pdf for starters.
You will need a separate set of pNICs dedicated to your DMZ. Do not use VLANs when doing this, as outside the virtual network the attacks can still happen. You are best off using a dedicated set of pNICs just for the DMZ. These pNICs should not belong to any other vSwitches but the DMZ vSwitch, etc.
The document will give you some ideas.
Best regards,
Edward L. Haletky
VMware Communities User Moderator
====
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.
CIO Virtualization Blog: http://www.cio.com/blog/index/topic/168354
As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization
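One way to check the dedicated-uplink rule described in the reply above on an ESX 3.x host, as an added example that is not part of this thread: the script parses the output of `esxcfg-vswitch -l` from the service console (the column layout it expects is an assumption, and both sample outputs are constructed) and reports any pNIC that the DMZ vSwitch shares with another vSwitch, a DMZ vSwitch with no physical uplink at all, and any DMZ port group that depends on a VLAN tag.

```python
"""Audit a DMZ vSwitch for dedicated physical uplinks (ESX 3.x).

Usage: esxcfg-vswitch -l | python dmz_audit.py vSwitchDMZ
Without a piped input it runs against the constructed SAMPLE_BAD below.
"""
import re
import sys
from collections import OrderedDict

# Constructed sample in the assumed shape of `esxcfg-vswitch -l` output.
SAMPLE_GOOD = """\
Switch Name    Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitch0       64          5           64                1500    vmnic0,vmnic1

  PortGroup Name      VLAN ID  Used Ports  Uplinks
  VM Network          0        2           vmnic0,vmnic1
  Service Console     0        1           vmnic0,vmnic1

Switch Name    Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitchDMZ     64          3           64                1500    vmnic2,vmnic3

  PortGroup Name      VLAN ID  Used Ports  Uplinks
  DMZ Network         0        2           vmnic2,vmnic3
"""

# Constructed sample where vmnic1 is shared and the DMZ relies on a VLAN tag.
SAMPLE_BAD = """\
Switch Name    Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitch0       64          5           64                1500    vmnic0,vmnic1

  PortGroup Name      VLAN ID  Used Ports  Uplinks
  VM Network          0        2           vmnic0,vmnic1
  Service Console     0        1           vmnic0,vmnic1

Switch Name    Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitchDMZ     64          3           64                1500    vmnic1,vmnic2

  PortGroup Name      VLAN ID  Used Ports  Uplinks
  DMZ Network         100      2           vmnic1,vmnic2
"""

# Port group rows are indented; the name may contain spaces, uplinks may be absent.
PG_ROW = re.compile(
    r"^\s+(?P<name>.+?)\s+(?P<vlan>\d+)\s+(?P<used>\d+)(?:\s+(?P<uplinks>\S+))?\s*$"
)


def parse_vswitches(text):
    """Return {switch: {"uplinks": [pnic, ...], "portgroups": [(name, vlan), ...]}}."""
    switches = OrderedDict()
    current = None
    mode = None  # "switch" after a 'Switch Name' header, "pg" after 'PortGroup Name'
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped:
            continue
        if stripped.startswith("Switch Name"):
            mode = "switch"
        elif stripped.startswith("PortGroup Name"):
            mode = "pg"
        elif mode == "switch":
            # Columns: name, num ports, used, configured, MTU, uplinks (optional)
            tokens = stripped.split()
            current = tokens[0]
            uplinks = tokens[5].split(",") if len(tokens) > 5 else []
            switches[current] = {"uplinks": uplinks, "portgroups": []}
            mode = None
        elif mode == "pg" and current is not None:
            m = PG_ROW.match(raw.rstrip())
            if m:
                switches[current]["portgroups"].append((m.group("name"), int(m.group("vlan"))))
    return switches


def audit_dmz(text, dmz_switch):
    """Return a list of findings; an empty list means the DMZ uplinks are dedicated."""
    switches = parse_vswitches(text)
    if dmz_switch not in switches:
        return ["DMZ vSwitch %s not found" % dmz_switch]
    findings = []
    dmz_uplinks = set(switches[dmz_switch]["uplinks"])
    if not dmz_uplinks:
        findings.append("%s has no physical uplinks" % dmz_switch)
    # Any pNIC that also backs another vSwitch breaks the physical separation.
    for name, info in switches.items():
        if name == dmz_switch:
            continue
        for nic in sorted(dmz_uplinks & set(info["uplinks"])):
            findings.append("%s is shared between %s and %s" % (nic, dmz_switch, name))
    # A tagged DMZ port group means isolation depends on VLAN handling outside the host.
    for pg, vlan in switches[dmz_switch]["portgroups"]:
        if vlan != 0:
            findings.append("DMZ port group '%s' relies on VLAN %d tagging" % (pg, vlan))
    return findings


if __name__ == "__main__":
    name = sys.argv[1] if len(sys.argv) > 1 else "vSwitchDMZ"
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_BAD
    for finding in audit_dmz(data, name) or ["OK: %s uplinks are dedicated" % name]:
        print(finding)
```

The check is deliberately strict: a pNIC appearing in two vSwitches is reported even if the second vSwitch is idle, since the concern in the thread is that the DMZ traffic path must never touch hardware that another network can reach.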
Great! Thanks guys