Solved

DMZ VM's on Virtual Infrastructure 3.5

Posted on 2008-10-08
2
963 Views
Last Modified: 2013-11-15
We have Virtual Infrastructure 3.5 implemented with all internal server's hosted on 2 ESX servers. We also have 4 DMZ VM's on ESXi as a standalone host. VMotion, DRS, HA are functional on the former. ESXi being a single host, obviously is missing the redundancy provided by the former. the reason for this setup is security related, we don;t want DMZ server on our local LAN. wouldn't VLAN tagging circumvent this issue? please provide your thoughts, personal experience. thanks
0
Comment
Question by:isnet
2 Comments
 
LVL 7

Accepted Solution

by:
BogdanSUA earned 125 total points
ID: 22670699
Yes and No.  Let me explain.

Yes...it would from the standpoint that VLANing isolates the traffic, but you would need a dedicated VMnic in each ESX server that could host the DMZ VLANs.  You could also share a NIC, on the same Vswitch but your security folks will have a field day with that topic.  Don't even bother.

No...from the standpoint that its not physical security.  If a rogue entity would somehow gain remote access to your private LAN or your DMZ LAN, they could modify the VLANing on the physical switches, access VC, and edit the VMs and wreak all sorts of havoc.  Highly unlikely, though.  Plausible if you watch Fox's 24.  :)

So to mitigate the above risk I would suggest that you place the Service Console of each ESX server in a non-routeable LAN.  You can then have your VCenter box have 2 NICs.  One in your trusted LAN with a default gateway, and one in the non-routeable VC/ESX Service Console LAN.  You would no longer be able to access the VMs using the VIC from any workstation on the network.  You would be forced to climb in the VirtualCenter server via RDP and then use the VIC there to connect to the local VC instance.

In the end you'd have 3 LANs.  Your existing corporate LAN, your DMZ LAN, and your ESX Service Console LAN.


0
 

Author Comment

by:isnet
ID: 22670769
thank you for your response, what you outlined is currently our configuration. we have a seperate vlans for the management portion, vmkernal, and vm network. what i was thinking about doing is creating two port groups, one for DMZ and one for LAN on the VM Network and trunk the physical ports on the switch. see jpg below
untitled.JPG
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Is your company's data protection keeping pace with virtualization? Here are 7 dynamic ways to adapt to rapid breakthroughs in technology.
This video demonstrates how to use each tool, their shortcuts, where and when to use them, and how to use the keyboard to improve workflow.
The viewer will learn how to successfully download and install the SARDU utility on Windows 7, without downloading adware.

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question