Celebrate National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

DMZ VM's on Virtual Infrastructure 3.5

Posted on 2008-10-08
2
Medium Priority
?
972 Views
Last Modified: 2013-11-15
We have Virtual Infrastructure 3.5 implemented with all internal server's hosted on 2 ESX servers. We also have 4 DMZ VM's on ESXi as a standalone host. VMotion, DRS, HA are functional on the former. ESXi being a single host, obviously is missing the redundancy provided by the former. the reason for this setup is security related, we don;t want DMZ server on our local LAN. wouldn't VLAN tagging circumvent this issue? please provide your thoughts, personal experience. thanks
0
Comment
Question by:isnet
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 7

Accepted Solution

by:
BogdanSUA earned 375 total points
ID: 22670699
Yes and No.  Let me explain.

Yes...it would from the standpoint that VLANing isolates the traffic, but you would need a dedicated VMnic in each ESX server that could host the DMZ VLANs.  You could also share a NIC, on the same Vswitch but your security folks will have a field day with that topic.  Don't even bother.

No...from the standpoint that its not physical security.  If a rogue entity would somehow gain remote access to your private LAN or your DMZ LAN, they could modify the VLANing on the physical switches, access VC, and edit the VMs and wreak all sorts of havoc.  Highly unlikely, though.  Plausible if you watch Fox's 24.  :)

So to mitigate the above risk I would suggest that you place the Service Console of each ESX server in a non-routeable LAN.  You can then have your VCenter box have 2 NICs.  One in your trusted LAN with a default gateway, and one in the non-routeable VC/ESX Service Console LAN.  You would no longer be able to access the VMs using the VIC from any workstation on the network.  You would be forced to climb in the VirtualCenter server via RDP and then use the VIC there to connect to the local VC instance.

In the end you'd have 3 LANs.  Your existing corporate LAN, your DMZ LAN, and your ESX Service Console LAN.


0
 

Author Comment

by:isnet
ID: 22670769
thank you for your response, what you outlined is currently our configuration. we have a seperate vlans for the management portion, vmkernal, and vm network. what i was thinking about doing is creating two port groups, one for DMZ and one for LAN on the VM Network and trunk the physical ports on the switch. see jpg below
untitled.JPG
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Ransomware is a malware that is again in the list of security  concerns. Not only for companies, but also for Government security and  even at personal use. IT departments should be aware and have the right  knowledge to how to fight it.
There are many software programs on offer that will claim to magically speed up your computer. The best advice I can give you is to avoid them like the plague, because they will often cause far more problems than they solve. Try some of these "do it…
With the power of JIRA, there's an unlimited number of ways you can customize it, use it and benefit from it. With that in mind, there's bound to be things that I wasn't able to cover in this course. With this summary we'll look at some places to go…
Video by: ITPro.TV
In this episode Don builds upon the troubleshooting techniques by demonstrating how to properly monitor a vSphere deployment to detect problems before they occur. He begins the show using tools found within the vSphere suite as ends the show demonst…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question