Hi All.
We are dropping in an initially two node VI into an existing network with 3 physical subnets - A, B, C. The servers will have 10 network ports available, so the initial plan was to attach two ports to each subnet. Now, there is a security concern that there is a physical box attached to all three networks that is physically bypassing the firewalls (although they should be secure if the vSwitches are set up properly so that inter-subnet comm goes through the physical NICs). With servers shipping as we speak and us being VMware green, we are trying to conceptually plan the Virtual infrastructure as much as we can ahead of time. So, some of the questions we have are...
1. What would be the more secure setup while minimizing complexity/overhead, especially with the plan to scale out -
a. a NIC to each physical subnet,
OR
b. all NICs to one physical switch with VLAN trunking to the other subnets
2. Which of the above would provide the smaller attack vector to physical ESX box's OS?
3. Conceptually, when setting up 1a, does each physical NIC need an actual IP address on its subnet? The concern is that the physical NIC adapter is then a direct attack vector to the ESX host OS if an IP is indeed associated.
4. Any good documents/discussion out there of PROs, CONS, or network security concerns?
Thanks
Hi, and welcome to the forums.
The NIC on an ESX box does not have an IP assigned to it or a MAC address; it acts as a physical connector to your network for the VMs. The VMs' IPs and MACs will appear on that NIC interface, but unless you have a service console port or vmkernel connection on a vSwitch connected to that NIC you cannot access the virtualization layer or its management layer.
You need to look at how important security is in your consideration when working out your design. There are a number of options that increase or decrease flexibility and security, weighing one against the other. One option is that if you have two subnets which, if connected to the same physical box but without IP-layer connectivity, are seen as low risk, you could put those on one physical host and put the high-risk subnet on another physical box. This would obviously not enable VMotion but would provide physical machine separation, rather than just network interface separation.
IMO I would go for option 1b for flexibility but if you want more separation you could do 1a. Search around the forums for some more detailed guides.
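As an added illustration, and not code from any poster in this thread: a small Python audit of a modelled vSwitch layout that flags the three things the discussion turns on (a console/vmkernel port reachable from a subnet, a vSwitch whose uplinks span subnets, and a guest with vNICs on more than one subnet). The vSwitch names, vmnic numbers, VLAN ids and VM names are constructed assumptions.

```python
"""Audit a modelled ESX vSwitch layout for the paths the thread worries about:
management ports reachable from a subnet, uplinks that span subnets, and a
guest on more than one subnet. The topology below is constructed, not real."""
from collections import defaultdict

# Option 1b: VLAN tags on a trunked vSwitch map to the physical subnets.
VLAN_TO_SUBNET = {10: "A", 20: "B", 30: "C"}

# Each vSwitch lists its uplink NICs (subnet letter, or "trunk") and its port
# groups as name -> (kind, vlan); kind is "vm", "console" or "vmkernel".
VSWITCHES = {
    "vSwitch0": {"uplinks": {"vmnic0": "A", "vmnic1": "A"},           # option 1a
                 "portgroups": {"Service Console": ("console", None),
                                "VM Network A": ("vm", None)}},
    "vSwitch1": {"uplinks": {"vmnic2": "B", "vmnic3": "B"},           # option 1a
                 "portgroups": {"VM Network B": ("vm", None)}},
    "vSwitch2": {"uplinks": {"vmnic4": "trunk", "vmnic5": "trunk"},   # option 1b
                 "portgroups": {"VM Network C": ("vm", 30),
                                "VMkernel": ("vmkernel", 20)}},
    "vSwitch3": {"uplinks": {"vmnic6": "B", "vmnic7": "C"},           # misconfigured
                 "portgroups": {"Backup": ("vm", None)}},
}
VMS = {"web01": ["VM Network A"], "dual01": ["VM Network A", "VM Network C"]}

def portgroup_subnets(vswitch, kind_vlan):
    """Physical subnets a port group's frames can reach."""
    vlan = kind_vlan[1]
    if vlan is not None:                          # 1b: the tag decides the subnet
        return {VLAN_TO_SUBNET.get(vlan, "unknown-vlan")}
    return set(vswitch["uplinks"].values())       # 1a: the uplinks decide

def audit(vswitches=VSWITCHES, vms=VMS):
    pg_subnets = {}
    report = {"mixed_uplinks": [], "management_reach": defaultdict(list),
              "multi_homed_vms": {}}
    for name, vs in vswitches.items():
        if len(set(vs["uplinks"].values())) > 1:  # uplink team spans two subnets
            report["mixed_uplinks"].append(name)
        for pg, kind_vlan in vs["portgroups"].items():
            pg_subnets[pg] = portgroup_subnets(vs, kind_vlan)
            if kind_vlan[0] != "vm":              # console/vmkernel = host attack surface
                for subnet in sorted(pg_subnets[pg]):
                    report["management_reach"][subnet].append(pg)
    for vm, pgs in vms.items():
        reached = set().union(*(pg_subnets[pg] for pg in pgs))
        if len(reached) > 1:                      # guest straddles subnets
            report["multi_homed_vms"][vm] = sorted(reached)
    report["management_reach"] = dict(report["management_reach"])
    return report
```

Feed it the real vSwitch, port-group and VM attachments from the VI client and an empty report is the state the original poster is after: no management port on a VM-facing subnet and no guest straddling A, B or C.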
Thanks for verifying the IP address concern, George_B.
Separation will most likely be the defining decision maker for our organization. Virtualization is still at a "prove it to me" stage and many of the networking, security/firewalling, and systems administration roles are compartmentalized to different teams... which would make option 1b more of a political nightmare because of the decisions and clearance involved to make something happen. Overlaid with the fact that there is still "no confidence" or clear understanding in the idea of virtualization, it's an uphill battle I'd rather not take unless the security benefits outweigh the headache.
1a puts the control within the various teams' realms, which makes the others feel part of the solution. 1b puts everything into the virtual admins' hands and little to the other teams after the initial setup, which might make the others uneasy.
We are also using Intel quad-port cards, which I heard might still have VLAN trunking issues.... so 1b might not be as desirable anyway.... Had an IP been needed on 1a, then 1b would have been the necessary way to go.
Thanks for the clarification!
Yes I believe the Intel cards do still have issues with VLAN trunking.
Luckily I run an environment where I manage the network, so the political hassle is less of a problem for me, but I understand your issues of getting people to understand the concepts so they will get on board. The environment has many separate physical networks, so I have a configuration like 1a. It is also easier to manage in the VI client, as the VMs and network connections are split off into separate vSwitches, making it easier to see the connections. Bulking them all into one vSwitch with a mass of aggregated NICs does not show you the connections as easily.
Try and get one of the guys from your network team interested in the virtualization and they will soon see how it works (there are limited networking features in ESX compared to a real switch so they should grab it easily) and it will alleviate their worries.