wburgiss5805
asked on
Security for virtualizing DMZ servers on your internal production hardware and storage
If we wanted to run our DMZ servers on our internal production hypervisors and storage (iscsi) does that cause any security concerns? I haven’t really heard of anyone hacking their way from one virtual machine to dom0 or to another virtual machine on that hypervisor. Is that a best practice or do most shops have separate physical storage and hardware for their DMZ virtual servers? If this is an acceptable practice are their additional things we should do to ensure it is secured?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
If you are a smaller environment, then it is reasonable to use production hosts for DMZ VMs if the VMs use a separate physical NIC dedicated to the DMZ. If you are a high value target, use dedicated equipment and possibly even an air gapped network. I would not me the VM have direct iSCSI access to production storage. FC is probably okay is you know how to zone properly.
Breakout issues from the VM to the host are very rare.
Breakout issues from the VM to the host are very rare.
It must be possible to hack out from one VM to another via the hypervisor otherwise VMWare wouldn't have had to introduce a virtual firewall between VMs (on certain editions.....)