VMware Cloud Community
chrisb101
Contributor

ESXi Server and DMZ Security

Hi everyone,

I currently have around 5 physical web servers sitting in a DMZ. My plan is to convert all of these web servers to virtual machines and host them on an ESXi server.

I would like to host the ESXi server actually within the DMZ; all VMs on the ESXi box would be public facing anyway. Does anybody know of a good reason not to do this from a security point of view?

I suppose my main concern would be the ESXi box being compromised. Obviously I would restrict traffic through the firewall rules.

I'd love to know your thoughts on this and if anyone has done this before?

Many Thanks

Chris

bulletprooffool
Champion

The VMs are unable to compromise the ESX host, so access to this is not an issue.

Your only real concern is that someone adds a NIC on the internal network to a VM in the DMZ, effectively bridging the DMZ into your network (meaning that if someone compromises the VM in the DMZ with the extra NIC . . . the guilty person gets sacked).

One day I will virtualise myself . . .
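
A check for the dual-homed VM described in the reply above, as an added example that is not part of the original thread: it reads a per-NIC inventory export and flags any VM whose virtual NICs land in more than one trust zone. The CSV columns, the port group names and the zone mapping are all assumptions constructed for this example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample inventory (not from the thread): one row per virtual NIC.
# The column names and port group names are assumptions for this example.
SAMPLE_INVENTORY = """vm,nic,portgroup
web01,Network adapter 1,DMZ-Web
web02,Network adapter 1,DMZ-Web
web03,Network adapter 1,DMZ-Web
web03,Network adapter 2,LAN-Servers
backup01,Network adapter 1,LAN-Servers
backup01,Network adapter 2,LAN-Mgmt
test01,Network adapter 1,Scratch
"""

# Assumed mapping of port groups to trust zones; keep it next to the firewall policy.
ZONE_OF_PORTGROUP = {
    "DMZ-Web": "dmz",
    "LAN-Servers": "internal",
    "LAN-Mgmt": "internal",
}


def audit_nics(inventory_csv, zone_of_portgroup):
    """Return (bridging, unclassified).

    bridging: {vm: {zone: [portgroups]}} for VMs with NICs in more than one zone.
    unclassified: sorted (vm, portgroup) pairs whose port group has no zone;
    these are reported instead of being silently treated as safe.
    """
    zones_by_vm = defaultdict(lambda: defaultdict(list))
    unclassified = set()
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        vm, pg = row["vm"].strip(), row["portgroup"].strip()
        zone = zone_of_portgroup.get(pg)
        if zone is None:
            unclassified.add((vm, pg))
            continue
        zones_by_vm[vm][zone].append(pg)
    # Two NICs in the same zone (backup01) are fine; spanning zones is the finding.
    bridging = {vm: dict(z) for vm, z in zones_by_vm.items() if len(z) > 1}
    return bridging, sorted(unclassified)


if __name__ == "__main__":
    bridging, unclassified = audit_nics(SAMPLE_INVENTORY, ZONE_OF_PORTGROUP)
    for vm, zones in sorted(bridging.items()):
        print(f"BRIDGE {vm}: {zones}")
    for vm, pg in unclassified:
        print(f"UNCLASSIFIED {vm}: port group {pg!r} has no zone assigned")
```

Run on a schedule against a fresh export, this turns the "someone adds a NIC" scenario into an alert rather than something found after the fact.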
bulletprooffool
Champion

Have a look at:

http://www.vmware.com/files/pdf/dmz_virtualization_vmware_infra_wp.pdf

One day I will virtualise myself . . .
J1mbo
Virtuoso

Also, if shared storage is being used, that becomes part of your firewall infrastructure. VMsafe in v4 is probably worth a look, as is a quality text like this.
