Hi Everyone,
I currently have around 5 physical web servers sitting in a DMZ. My plan is to convert all of these web servers to virtual machines and host them on an ESXi server.
I would like to host the ESXi server actually within the DMZ; all VMs on the ESXi box would be public facing anyway. Does anybody know of a good reason not to do this from a security point of view?
I suppose my main concern would be the ESXi box being compromised. Obviously I would restrict traffic through the firewall rules.
I'd love to know your thoughts on this and if anyone has done this before?
Many Thanks
Chris
Have a look at :
http://www.vmware.com/files/pdf/dmz_virtualization_vmware_infra_wp.pdf
The VMs are unable to compromise the ESX host, so access to this is not an issue.
Your only real concern is that someone adds a NIC on the internal network to a VM in the DMZ, effectively bridging the DMZ into your network. (Meaning that if someone compromises the VM in the DMZ with the extra NIC... the guilty person gets sacked.)
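The bridging risk described in the reply above can be checked for routinely. The following script is an added example, not code from the thread or from VMware: it takes a CSV export of VM-to-port-group assignments (the column names and port-group naming convention are assumptions, and the sample export is constructed) and flags any VM whose vNICs span more than one security zone or sit on an unclassified port group.

```python
"""Flag DMZ VMs whose virtual NICs bridge security zones.

Input is a constructed CSV export in the shape one might produce from an
ESXi inventory tool (e.g. PowerCLI Get-VM | Get-NetworkAdapter | Export-Csv);
the column names and port-group names are assumptions for this example.
"""
import csv
import io
from collections import defaultdict

# Assumed port-group naming: which ESXi port groups belong to which zone.
ZONE_OF_PORTGROUP = {
    "dmz-web": "dmz",
    "dmz-mgmt": "dmz",
    "internal-lan": "internal",
    "internal-db": "internal",
}

# Constructed sample export: one row per vNIC, giving VM and its port group.
SAMPLE_EXPORT = """\
VM,NetworkName
web01,dmz-web
web02,dmz-web
web03,dmz-web
web03,internal-lan
web04,dmz-web
web04,legacy-pg
"""


def vm_zones(export_csv):
    """Map each VM to the set of (portgroup, zone) pairs its vNICs use."""
    result = defaultdict(set)
    for row in csv.DictReader(io.StringIO(export_csv)):
        pg = row["NetworkName"]
        result[row["VM"]].add((pg, ZONE_OF_PORTGROUP.get(pg, "unknown")))
    return result


def find_bridging_vms(export_csv):
    """Return {vm: reason} for VMs that touch more than one zone or an
    unclassified port group. Single-zone VMs on known port groups are clean."""
    findings = {}
    for vm, pairs in vm_zones(export_csv).items():
        zones = {zone for _, zone in pairs}
        if "unknown" in zones:
            unknown = sorted(pg for pg, zone in pairs if zone == "unknown")
            findings[vm] = "unclassified port group: " + ", ".join(unknown)
        elif len(zones) > 1:
            findings[vm] = "spans zones " + ", ".join(sorted(zones))
    return findings


if __name__ == "__main__":
    for vm, reason in sorted(find_bridging_vms(SAMPLE_EXPORT).items()):
        print(f"{vm}: {reason}")
```

Run against a real export on a schedule and alert on any non-empty result; an unclassified port group is reported too, since an unnamed or legacy port group is exactly where an internal NIC tends to hide.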
Have a look at :
http://www.vmware.com/files/pdf/dmz_virtualization_vmware_infra_wp.pdf
Also, if shared storage is being used, that becomes part of your firewall infrastructure. vmSafe in v4 is probably worth a look () as is a quality text like this.