VMware Cloud Community
jof
Enthusiast

vShield + DMZ

Hi,

Just a general question on vShield.

In a network with a physical firewall with a DMZ configured. The ESX host has a dedicated vSwitch and pNIC to connect to this DMZ (separate vSwitch and pNIC for internal LAN), is there any need for the use of vShield zones or vShield Edge? What benefits could they bring to a scenario like this?

Thanks

2 Replies
admin
Immortal

Zones/App can be used in this case for VM-to-VM firewalling. For example, you can prevent the web servers in the DMZ from communicating with each other. This is a common practice with the use of PVLANs, but can also be done with vShield App in a simpler manner. App will also allow you to do this for your internal VMs, essentially providing another layer of protection that is very difficult, if not impossible, to do in a meaningful way with physical tools or agents.

Edge in this case probably wouldn't provide any added benefit other than allowing you to replace the physical firewall.

jof
Enthusiast

Thanks for the info. I realise that it was a very general question; at the moment I'm trying to see where each of these products sits (and looking at possible use cases). The PVLAN case does seem to be an obvious one, now that you've pointed it out (vDS would also give this ability, I think).

My understanding (correct me if I'm wrong) is that App is essentially the same as Zones with the added benefits of:

  • packet inspection
  • apply policies based on groups

Are there any other benefits to vShield App?

Edge is obviously a firewall product that does NAT and DHCP and can be a VPN endpoint (useful in a cloud infrastructure, maybe).

Using the case of a host with 10GB interfaces, where the connections are trunk connections and traffic is segregated with VLANs, I don't think there would be any point in segregating the VMs by VLAN grouping using vShield as an extra layer of security (for those who believe a VLAN is not a security perimeter), as there would be no similar protection on the physical switch.

I guess the key is that this protection covers the virtual environment, and if there is crossover onto physical infrastructure that does not provide similar protection, then there is no point. However, if you want to manage VM-to-VM communication (VDI deployment, PVLAN, etc.), then vShield is useful.

If I'm wide of the mark, let me know.
