I currently have around 5 physical web servers sitting in a DMZ. My plan is to convert all of these web servers to virtual machines and host them on an ESXi server.
I would like to host the ESXi server actually within the DMZ; all VMs on the ESXi box would be public facing anyway. Does anybody know of a good reason not to do this from a security point of view?
I suppose my main concern would be the ESXi box being compromised. Obviously I would restrict traffic through the firewall rules.
I'd love to know your thoughts on this and if anyone has done this before?
The VMs are unable to compromise the ESX host, so access to this is not an issue.
Your only real concern is that someone adds a NIC on the internal network to a VM in the DMZ, effectively bridging the DMZ into your network. (Meaning that if someone compromises the VM in the DMZ with the extra NIC . . . the guilty person gets sacked.)
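The bridging risk described in the answer above is a configuration drift problem, so it is worth auditing for it rather than relying on nobody ever making the mistake. The following PowerCLI snippet is an added example, not code from the original thread or from VMware: it lists every virtual network adapter on a DMZ host that is attached to a port group other than the ones approved for the DMZ. The vCenter name, host name and port group names are assumptions; substitute your own.

```powershell
# Added example (not from the original post). Assumed names:
#   vcenter.example.internal  - vCenter (or the ESXi host itself) to connect to
#   esxi-dmz01                - the ESXi host that lives in the DMZ
#   DMZ-Web, DMZ-Mgmt         - the only port groups VMs on that host may use
Connect-VIServer -Server 'vcenter.example.internal'

$dmzHost      = 'esxi-dmz01'
$allowedPG    = @('DMZ-Web', 'DMZ-Mgmt')

# Every vNIC on the DMZ host whose port group is not on the allow list is a
# potential bridge from the DMZ into the internal network.
$suspect = Get-VMHost -Name $dmzHost |
    Get-VM |
    Get-NetworkAdapter |
    Where-Object { $allowedPG -notcontains $_.NetworkName } |
    Select-Object @{Name = 'VM'; Expression = { $_.Parent.Name }},
                  Name, NetworkName, MacAddress, ConnectionState

if ($suspect) {
    Write-Warning "VMs on $dmzHost with adapters outside the DMZ port groups:"
    $suspect | Format-Table -AutoSize
} else {
    Write-Host "All adapters on $dmzHost are attached to approved DMZ port groups."
}

# Also show which port groups exist on the host at all: if an internal
# port group is present here, the bridge can be built with one click.
Get-VMHost -Name $dmzHost | Get-VirtualPortGroup | Select-Object Name, VirtualSwitch
```

Run it on a schedule and alert on any output. The stronger control is to make the mistake impossible rather than merely detectable: if the DMZ host has no physical uplink into the internal network and no internal port group defined on its vSwitches, there is nothing for an extra NIC to be attached to, and the second query above should return only DMZ port groups.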