I am trying to set up a lab of virtual machines for various purposes. This lab will be used by me and a few other people and will require external access to the system containing vSphere. Aside from the jump box containing vSphere that those using the lab will log into for access, none of the other VMs in the lab will require external access (I will not be running web servers, mail servers, etc ... these are strictly for testing purposes). That being said, I am looking for advice on how to harden my ESXi installation and suggestions on how I have my setup laid out. Please note I am limited on hardware so some solutions may not be optimal. I appreciate all the help in advance though.
So, here is how my network is currently laid out ...
My internet connection comes in, and connects into the WAN of my pfSense firewall. From my firewall, I have a trusted connection going to a Cisco Layer 3 switch. The connection between the firewall and the switch is just a transit link with a /30 IP. That switch is broken up into two separate VLANs, one for the WLAN and one for the LAN. Each VLAN is assigned an IP and static routing is set up. Ideally I'd like to prevent routing between my WLAN and LAN, though it seems once I set an IP on the VLAN, whether I have ip-routing enabled or not they can still route to one another so I may need to set up an ACL ... that's a different issue unless someone has insight into that.
So, putting my ESXi lab in the mix ... I plan to connect my ESXi host off the third interface of my firewall, the Orange/DMZ interface. This will isolate my lab from my internal network and my core switch, and seems like the best, most secure option given the hardware I have. Please correct me if I'm wrong though.
One of those ESXi VMs will be a "jump server". This system will contain vSphere and will also have access to the other VMs within that network. I plan to set up a custom rule in my firewall that will only allow inbound traffic from specified IPs to that jump server, and block all other inbound access. I will also set up a custom rule to block connectivity to and from my internal LAN to and from the VMs, thus requiring me to connect externally into my jump server for local access. I do plan to allow the other lab VMs to establish outbound connections simply for the purposes of updates, or to download any necessary tools and such needed.
Hopefully all that makes sense. Any advice on my setup, or how I am approaching it would be appreciated. Also, I am always leery about letting any form of external access into my network. Any advice on how to secure ESXi would be greatly appreciated, as I am also reading some online material. The only other question I have is during the setup when ESXi asks you for the management network, is this the network on which the vSphere client sits or is this a management network from the perspective of out-of-band management, SNMP, monitoring, etc? And with my current setup, how would I securely incorporate a management connection into ESXi?
Thanks in advance for all the help and hopefully what I am asking makes sense.