VMware Cloud Community
daugavpils
Contributor

DMZ setup and firewall throughput limit

Hi All,

I am in the process of moving the server room into the datacenter and it is a good time to review the current setup for security zones. We are using vSphere 4 Standard and a Cisco ASA 5510 firewall. At the moment the firewall is a single connection point for all DMZ, LAN, WAN and Backend zones, so all traffic between all zones traverses this 100 Mb/s firewall device.

This worked for a while; however, new services we deploy will require a fast connection between some zones, i.e. database queries and file transfers, so 100 Mb/s will become a bottleneck.

One of the possible solutions offered for the DMZ:

- Use separate VNICs for each DMZ host: one for the external connection used by customers accessing it from the WAN, one for connecting to the Backend/LAN zones.
- As a result, VNIC1 is connected to the firewall for filtering external untrusted connections. VNIC2, however, bypasses the firewall and all filtering is done at the iptables level or with the Windows 2008 firewall. This solves the problem of bandwidth limitations between DMZ and Backend imposed by the firewall.

This design, however, removes the centralized security model we used to have with one appliance and creates a management headache with scattered iptables setups tied to the servers. There should be a better way to do it. What would you suggest? I have a feeling that features in vSphere Enterprise Plus may help here, e.g. distributed switch and vShield Zones. We are planning to get it next year, but even if it helps we still need to have some solution.
I would appreciate any advice or reading material,

Thanks a lot!

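Added example, not part of the original post or of VMware's own material: a host-level ruleset for the dual-VNIC DMZ design described above, written as a POSIX shell function that renders an iptables-restore file. The interface names (eth0 for VNIC1 behind the ASA, eth1 for VNIC2 towards Backend), the backend DB address and the DB port are assumptions; the point is that the VNIC2 side stays default-deny in both directions, the host never forwards between the two VNICs, and every dropped backend-side packet is logged so the scattered per-host rules can still be audited centrally via syslog.

```shell
#!/bin/sh
# Added example (not from the original post). Renders an iptables-restore
# ruleset for a dual-homed DMZ guest: eth0 = VNIC1 (behind the ASA),
# eth1 = VNIC2 (direct to Backend). Names and addresses are assumptions.
# Usage: render_dmz_rules <backend_if> <db_host> <db_port> | iptables-restore
render_dmz_rules() {
    be_if="$1"; be_db="$2"; be_port="$3"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Public side (VNIC1): the ASA filters first; the host only exposes HTTPS.
-A INPUT -i eth0 -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# Backend side (VNIC2): nothing may originate from Backend into this host.
-A INPUT -i $be_if -j LOG --log-prefix "dmz-backend-in-drop: "
-A INPUT -i $be_if -j DROP
# FORWARD stays DROP: the guest must never route WAN<->Backend around the ASA.
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Only the DB flow may leave via VNIC2; anything else is logged and dropped.
-A OUTPUT -o $be_if -d $be_db -p tcp --dport $be_port -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $be_if -j LOG --log-prefix "dmz-backend-out-drop: "
-A OUTPUT -o $be_if -j DROP
-A OUTPUT -o eth0 -j ACCEPT
COMMIT
EOF
}

# Kernel settings that belong with the ruleset: no routing between VNICs,
# strict reverse-path check so a spoofed source cannot use the wrong VNIC.
render_dmz_sysctl() {
    printf '%s\n' 'net.ipv4.ip_forward = 0' \
                  'net.ipv4.conf.all.rp_filter = 1' \
                  'net.ipv4.conf.default.rp_filter = 1'
}

# Apply only when explicitly asked (assumed sample backend DB 10.10.20.5:3306).
if [ "${1:-}" = "--apply" ]; then
    render_dmz_rules eth1 10.10.20.5 3306 | iptables-restore
    render_dmz_sysctl > /etc/sysctl.d/90-dmz-dualhomed.conf && sysctl --system
fi
```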