What is the recommended way of handling virtual machines that need to be placed in a DMZ? I'm thinking I could add an extra NIC to the physical box and set that VM to use only that NIC. However, wouldn't that also put the host machine in the DMZ? That is not what I want, but I can't think of a way to put a virtual machine in the DMZ without also putting the host machine in it as well. How does everyone else deal with this? Or do you just not put virtual machines in the DMZ?
We're lucky enough to have DMZ VLANs configured. Before we had that we used separate physical NICs in the host like you are describing. With ESX server this is fine and does not put the host in the DMZ. For your service console and VMkernel you would use the NIC that is not in the DMZ.
Like impensb said, you can have a physical NIC hooked up to the DMZ while your ESX host resides on your production network. We prefer to have physical NIC separation on our DMZ instead of using VLANs. Out of our 6 physical NICs, we have 2 dedicated to DMZ traffic on their own vSwitch and it has worked like a charm so far.
We were forced by our LAN/WAN guys to place an ESX server in the DMZ to handle guests for the DMZ. We wanted to use the route described above with adding another NIC or having a DMZ VLAN but were unable to sway the networking/security team.
If you found this or any other post helpful please consider the use of the Helpful/Correct buttons to award points
Ew....
I admittedly haven't tried ESX (yet), I've only messed around with the free server version. I'm also not a networking person, I'm more of a server guy.
However I'm pretty confused by these answers. If I have a physical NIC on the host devoted to the DMZ, I know I can go into the guests and allow/disallow them access to the various physical NICs. That keeps the other guests out of the DMZ. But how does that keep the host out of the DMZ? It would see the physical NIC, know about that IP address, etc, etc. Clarification please! Or a link explaining how this works would be just as good.
Hello,
For VMware Server the host is also within the DMZ if you add a pNIC that is also within the DMZ, as the VMware Server product does not have the concept of a vSwitch. Since this is the Virtual Infrastructure forum the answers given were for ESX/VI3 and not for VMware Server. Hence the confusion.
Best regards,
Edward L. Haletky
VMware Communities User Moderator
====
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education. As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization
With VMware Server you have a host operating system like Windows or Linux which shares its resources (memory/disk/CPU) with any of the virtual machines running on top of a virtualization layer. The isolation between host and VM is pretty good, but there are a few escape vectors, like the current one about using directory traversal techniques on a shared folder. (Disable shared folders to eliminate the possibility.)
The host OS controls the shared NIC as you would expect.
Now with ESX, the host operating system is also responsible for the virtualization layer. As you can imagine this means much better control for virtualization.
The NIC virtual hardware is only directly accessible by the vmkernel, so there is no direct access possible outside of your VM.
In the case where your VM is successfully hacked, it still doesn't give the hacker access to the host as there are NO known escape vectors where you break out of the VM in order to control the host. So while ESX still manages your virtual hardware, it only manages it as virtualizing the NIC, not by using it.
On a hosted product (like VMware Server or MS Virtual Server/Hyper-V) your VM can only employ devices already used by the host OS.
This also explains why you should never expose your management network (that has the service console on it for example) to your VMs. Certainly not to VMs in the DMZ.
--
Wil
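The layout the posters describe (a DMZ vSwitch on its own dedicated pNICs, with the Service Console and VMkernel ports kept on a separate switch, per the replies above and Wil's last point) can be checked from the host's own switch listing. The script below is an added example, not code from this thread or from VMware: it parses a constructed sample in the layout of `esxcfg-vswitch -l` on an ESX 3.x host (an assumption) and reports anything that would drag the host or another switch into the DMZ.

```python
import re
from typing import Dict, List

# Constructed sample in the layout of `esxcfg-vswitch -l` on an ESX 3.x host (an
# assumption; not a capture from any host in this thread). vSwitch0 carries the
# Service Console and VMkernel ports; vSwitch1 is the DMZ switch on its own uplinks.
SAMPLE = """\
Switch Name    Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitch0       64          4           64                1500    vmnic0,vmnic1

  PortGroup Name      VLAN ID  Used Ports  Uplinks
  Service Console     0        1           vmnic0,vmnic1
  VMkernel            0        1           vmnic0,vmnic1

Switch Name    Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitch1       64          3           64                1500    vmnic4,vmnic5

  PortGroup Name      VLAN ID  Used Ports  Uplinks
  DMZ                 0        2           vmnic4,vmnic5
"""
MGMT_PORTGROUPS = {"Service Console", "VMkernel"}  # host-side ports that must stay off the DMZ
PG_ROW = re.compile(r"^\s+(.+?)\s+(\d+)\s+(\d+)\s+(\S*)\s*$")

def parse_vswitches(text: str) -> Dict[str, dict]:
    """Map each vSwitch name to its uplink set and the port groups attached to it."""
    switches: Dict[str, dict] = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Switch Name") or "PortGroup Name" in line:
            continue  # blank lines and column headers
        if not line.startswith(" "):  # vSwitch row: name, four numeric columns, uplink list
            cols = line.split()
            current = cols[0]
            uplinks = set(cols[5].split(",")) if len(cols) > 5 else set()
            switches[current] = {"uplinks": uplinks, "portgroups": []}
        elif current and (m := PG_ROW.match(line)):  # indented port-group row
            switches[current]["portgroups"].append(m.group(1))
    return switches

def audit_dmz_switch(switches: Dict[str, dict], dmz: str) -> List[str]:
    """Findings that would drag the host, or another vSwitch, into the DMZ."""
    findings, sw = [], switches[dmz]
    for pg in sw["portgroups"]:
        if pg in MGMT_PORTGROUPS:
            findings.append(f"{dmz}: host port group '{pg}' is attached to the DMZ switch")
    for other, osw in switches.items():
        shared = sw["uplinks"] & osw["uplinks"] if other != dmz else set()
        if shared:
            findings.append(f"{dmz} shares uplink(s) {sorted(shared)} with {other}")
    return findings
```

An empty findings list for the DMZ switch means no management port group rides on it and none of its pNICs is also an uplink of another vSwitch, which is the separation the replies rely on.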