Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

DMZ VM's on Virtual Infrastructure 3.5

Posted on 2008-10-08
2
Medium Priority
?
974 Views
Last Modified: 2013-11-15
We have Virtual Infrastructure 3.5 implemented with all internal server's hosted on 2 ESX servers. We also have 4 DMZ VM's on ESXi as a standalone host. VMotion, DRS, HA are functional on the former. ESXi being a single host, obviously is missing the redundancy provided by the former. the reason for this setup is security related, we don;t want DMZ server on our local LAN. wouldn't VLAN tagging circumvent this issue? please provide your thoughts, personal experience. thanks
0
Comment
Question by:isnet
2 Comments
 
LVL 7

Accepted Solution

by:
BogdanSUA earned 375 total points
ID: 22670699
Yes and No.  Let me explain.

Yes...it would from the standpoint that VLANing isolates the traffic, but you would need a dedicated VMnic in each ESX server that could host the DMZ VLANs.  You could also share a NIC, on the same Vswitch but your security folks will have a field day with that topic.  Don't even bother.

No...from the standpoint that its not physical security.  If a rogue entity would somehow gain remote access to your private LAN or your DMZ LAN, they could modify the VLANing on the physical switches, access VC, and edit the VMs and wreak all sorts of havoc.  Highly unlikely, though.  Plausible if you watch Fox's 24.  :)

So to mitigate the above risk I would suggest that you place the Service Console of each ESX server in a non-routeable LAN.  You can then have your VCenter box have 2 NICs.  One in your trusted LAN with a default gateway, and one in the non-routeable VC/ESX Service Console LAN.  You would no longer be able to access the VMs using the VIC from any workstation on the network.  You would be forced to climb in the VirtualCenter server via RDP and then use the VIC there to connect to the local VC instance.

In the end you'd have 3 LANs.  Your existing corporate LAN, your DMZ LAN, and your ESX Service Console LAN.


0
 

Author Comment

by:isnet
ID: 22670769
thank you for your response, what you outlined is currently our configuration. we have a seperate vlans for the management portion, vmkernal, and vm network. what i was thinking about doing is creating two port groups, one for DMZ and one for LAN on the VM Network and trunk the physical ports on the switch. see jpg below
untitled.JPG
0

Featured Post

New feature and membership benefit!

New feature! Upgrade and increase expert visibility of your issues with Priority Questions.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The core idea of this article is to make you acquainted with the best way in which you can export Exchange mailbox to PST format.
Mailbox Corruption is a nightmare every Exchange DBA wishes he never has. Recovering from it can be super-hectic if not entirely futile. And though techniques like the New-MailboxRepairRequest cmdlet have been designed to help with fixing minor corr…
XMind Plus helps organize all details/aspects of any project from large to small in an orderly and concise manner. If you are working on a complex project, use this micro tutorial to show you how to make a basic flow chart. The software is free when…
This course is ideal for IT System Administrators working with VMware vSphere and its associated products in their company infrastructure. This course teaches you how to install and maintain this virtualization technology to store data, prevent vuln…

971 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question