chrisb101
Contributor

ESXi Server and DMZ Security


Hi everyone,

I currently have around 5 physical web servers sitting in a DMZ. My plan is to convert all of these web servers to virtual machines and host them on an ESXi server.

I would like to host the ESXi server actually within the DMZ; all VMs on the ESXi box would be public facing anyway. Does anybody know of a good reason not to do this from a security point of view?

I suppose my main concern would be the ESXi box being compromised. Obviously I would restrict traffic through the firewall rules.

I'd love to know your thoughts on this and if anyone has done this before?

Many Thanks

Chris

bulletprooffool
Champion

The VMs are unable to compromise the ESX host, so access to this is not an issue.

Your only real concern is that someone adds a NIC on the internal network to a VM in the DMZ, effectively bridging the DMZ into your network (meaning that if someone compromises the VM in the DMZ with the extra NIC . . . the guilty person gets sacked).

One day I will virtualise myself . . .
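
The misconfiguration described in the reply above (a DMZ VM that also has a NIC on an internal network) can be checked for from the inventory. This is an added example, not part of the original thread, written for VMware PowerCLI; it assumes an existing `Connect-VIServer` session, and the port group names are hypothetical placeholders to replace with your own.

```powershell
# Added example: audit for VMs whose NICs span the DMZ and the internal network.
# Assumes VMware PowerCLI is loaded and Connect-VIServer has already been run.
# The port group names below are hypothetical; substitute the real ones.
$dmzPortGroups      = @('DMZ-Web')       # port groups that face the DMZ
$internalPortGroups = @('LAN-Servers')   # port groups on the internal network
$classified         = $dmzPortGroups + $internalPortGroups

$findings = Get-VM | ForEach-Object {
    $vm = $_
    # Unique port group names this VM's virtual NICs are attached to
    $networks = @(Get-NetworkAdapter -VM $vm |
                  Select-Object -ExpandProperty NetworkName -Unique)

    $inDmz      = @($networks | Where-Object { $dmzPortGroups -contains $_ })
    $inInternal = @($networks | Where-Object { $internalPortGroups -contains $_ })
    $unknown    = @($networks | Where-Object { $classified -notcontains $_ })

    if ($inDmz.Count -gt 0 -and $inInternal.Count -gt 0) {
        # The bridging case: one VM with a foot in each zone
        [pscustomobject]@{
            VM       = $vm.Name
            Issue    = 'Dual-homed: DMZ and internal'
            Networks = $networks -join ', '
        }
    }
    elseif ($inDmz.Count -gt 0 -and $unknown.Count -gt 0) {
        # A DMZ VM on a port group nobody has classified yet needs a human look
        [pscustomobject]@{
            VM       = $vm.Name
            Issue    = 'DMZ VM also on unclassified port group'
            Networks = $networks -join ', '
        }
    }
}

if ($findings) {
    Write-Warning "$(@($findings).Count) VM(s) need review"
    $findings | Format-Table -AutoSize
}
else {
    Write-Output 'No DMZ VM is attached to an internal or unclassified port group.'
}
```

Running it on a schedule and alerting on any finding catches a NIC added after the initial build.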
J1mbo
Virtuoso

Also, if shared storage is being used... that becomes part of your firewall infrastructure. VMsafe in v4 is probably worth a look, as is a quality text like this.
