Solved

DMZ VM's on Virtual Infrastructure 3.5

Posted on 2008-10-08
2
957 Views
Last Modified: 2013-11-15
We have Virtual Infrastructure 3.5 implemented with all internal server's hosted on 2 ESX servers. We also have 4 DMZ VM's on ESXi as a standalone host. VMotion, DRS, HA are functional on the former. ESXi being a single host, obviously is missing the redundancy provided by the former. the reason for this setup is security related, we don;t want DMZ server on our local LAN. wouldn't VLAN tagging circumvent this issue? please provide your thoughts, personal experience. thanks
0
Comment
Question by:isnet
2 Comments
 
LVL 7

Accepted Solution

by:
BogdanSUA earned 125 total points
ID: 22670699
Yes and No.  Let me explain.

Yes...it would from the standpoint that VLANing isolates the traffic, but you would need a dedicated VMnic in each ESX server that could host the DMZ VLANs.  You could also share a NIC, on the same Vswitch but your security folks will have a field day with that topic.  Don't even bother.

No...from the standpoint that its not physical security.  If a rogue entity would somehow gain remote access to your private LAN or your DMZ LAN, they could modify the VLANing on the physical switches, access VC, and edit the VMs and wreak all sorts of havoc.  Highly unlikely, though.  Plausible if you watch Fox's 24.  :)

So to mitigate the above risk I would suggest that you place the Service Console of each ESX server in a non-routeable LAN.  You can then have your VCenter box have 2 NICs.  One in your trusted LAN with a default gateway, and one in the non-routeable VC/ESX Service Console LAN.  You would no longer be able to access the VMs using the VIC from any workstation on the network.  You would be forced to climb in the VirtualCenter server via RDP and then use the VIC there to connect to the local VC instance.

In the end you'd have 3 LANs.  Your existing corporate LAN, your DMZ LAN, and your ESX Service Console LAN.


0
 

Author Comment

by:isnet
ID: 22670769
thank you for your response, what you outlined is currently our configuration. we have a seperate vlans for the management portion, vmkernal, and vm network. what i was thinking about doing is creating two port groups, one for DMZ and one for LAN on the VM Network and trunk the physical ports on the switch. see jpg below
untitled.JPG
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

HOW TO: Upload an ISO image to a VMware datastore for use with VMware vSphere Hypervisor 6.5 (ESXi 6.5) using the vSphere Host Client, and checking its MD5 checksum signature is correct.  It's a good idea to compare checksums, because many installat…
In this article, I will show you HOW TO: Create your first Windows Virtual Machine on a VMware vSphere Hypervisor 6.5 (ESXi 6.5) Host Server, the Windows OS we will install is Windows Server 2016.
Using Adobe Premiere Pro, the viewer will learn how to set up a sequence with proper settings, importing pictures, rendering, and exporting the finished product.
This Micro Tutorial steps you through the configuration steps to configure your ESXi host Management Network settings and test the management network, ensure the host is recognized by the DNS Server, configure a new password, and the troubleshooting…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now