Solved

DMZ VM's on Virtual Infrastructure 3.5

Posted on 2008-10-08
2
959 Views
Last Modified: 2013-11-15
We have Virtual Infrastructure 3.5 implemented with all internal server's hosted on 2 ESX servers. We also have 4 DMZ VM's on ESXi as a standalone host. VMotion, DRS, HA are functional on the former. ESXi being a single host, obviously is missing the redundancy provided by the former. the reason for this setup is security related, we don;t want DMZ server on our local LAN. wouldn't VLAN tagging circumvent this issue? please provide your thoughts, personal experience. thanks
0
Comment
Question by:isnet
2 Comments
 
LVL 7

Accepted Solution

by:
BogdanSUA earned 125 total points
ID: 22670699
Yes and No.  Let me explain.

Yes...it would from the standpoint that VLANing isolates the traffic, but you would need a dedicated VMnic in each ESX server that could host the DMZ VLANs.  You could also share a NIC, on the same Vswitch but your security folks will have a field day with that topic.  Don't even bother.

No...from the standpoint that its not physical security.  If a rogue entity would somehow gain remote access to your private LAN or your DMZ LAN, they could modify the VLANing on the physical switches, access VC, and edit the VMs and wreak all sorts of havoc.  Highly unlikely, though.  Plausible if you watch Fox's 24.  :)

So to mitigate the above risk I would suggest that you place the Service Console of each ESX server in a non-routeable LAN.  You can then have your VCenter box have 2 NICs.  One in your trusted LAN with a default gateway, and one in the non-routeable VC/ESX Service Console LAN.  You would no longer be able to access the VMs using the VIC from any workstation on the network.  You would be forced to climb in the VirtualCenter server via RDP and then use the VIC there to connect to the local VC instance.

In the end you'd have 3 LANs.  Your existing corporate LAN, your DMZ LAN, and your ESX Service Console LAN.


0
 

Author Comment

by:isnet
ID: 22670769
thank you for your response, what you outlined is currently our configuration. we have a seperate vlans for the management portion, vmkernal, and vm network. what i was thinking about doing is creating two port groups, one for DMZ and one for LAN on the VM Network and trunk the physical ports on the switch. see jpg below
untitled.JPG
0

Featured Post

Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If we need to check who deleted a Virtual Machine from our vCenter. Looking this task in logs can be painful and spend lot of time, so the best way to check this is in the vCenter DB. Just connect to vCenter DB(default DB should be VCDB and using…
This article will show you how to create an ISO CD-ROM/DVD-ROM image (*.iso), and MD5 checksum signature, for use with VMware vSphere Hypervisor 6.5 (ESXi 6.5). It's a good idea to compare checksums, because many installations fail because of a corr…
XMind Plus helps organize all details/aspects of any project from large to small in an orderly and concise manner. If you are working on a complex project, use this micro tutorial to show you how to make a basic flow chart. The software is free when…
This video shows you how easy it is to boot from ISO images for virtual machines with the ISO images stored on a local datastore on the ESXi host.

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now