wburgiss5805

Security for virtualizing DMZ servers on your internal production hardware and storage

If we wanted to run our DMZ servers on our internal production hypervisors and storage (iSCSI), does that cause any security concerns? I haven’t really heard of anyone hacking their way from one virtual machine to dom0 or to another virtual machine on that hypervisor. Is that a best practice, or do most shops have separate physical storage and hardware for their DMZ virtual servers? If this is an acceptable practice, are there additional things we should do to ensure it is secured?
d3ath5tar

Sharing equipment for DMZ/LAN kind of negates the point of a LAN. We run separate DMZ/LAN virtual environments.

It must be possible to hack out from one VM to another via the hypervisor, otherwise VMware wouldn't have had to introduce a virtual firewall between VMs (on certain editions...).
Andrew Hancock (VMware vExpert PRO / EE Fellow/British Beekeeper)

If you are a smaller environment, then it is reasonable to use production hosts for DMZ VMs if the VMs use a separate physical NIC dedicated to the DMZ. If you are a high-value target, use dedicated equipment and possibly even an air-gapped network. I would not let the VM have direct iSCSI access to production storage. FC is probably okay if you know how to zone properly.

Breakout issues from the VM to the host are very rare.
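As an added illustration, not code from this thread or from any vendor tool, here is a Python check that turns the advice in the answers above (DMZ VMs on a separate physical NIC, no direct iSCSI access from DMZ VMs to production storage) into an audit over an inventory; the VSwitch/VM model, the zone labels, and every host name and IQN are assumptions constructed for the example.

```python
"""Audit a hypervisor inventory against the separation rules from this thread: DMZ and
production port groups must not share a vSwitch (hence its physical uplinks), a VM attaches
only to port groups of its own zone, and DMZ VMs are not iSCSI initiators to production."""
from dataclasses import dataclass, field

@dataclass
class VSwitch:
    name: str
    uplinks: list        # physical NICs backing the switch, e.g. ["vmnic0"]
    portgroups: dict     # port group name -> zone ("dmz" or "prod")

@dataclass
class VM:
    name: str
    zone: str            # "dmz" or "prod"
    portgroups: list     # port groups the VM's virtual NICs attach to
    iscsi_targets: list = field(default_factory=list)  # in-guest iSCSI target IQNs

def audit(vswitches, vms, prod_targets):
    """Return a list of findings; an empty list means all three rules hold."""
    findings, pg_zone = [], {}
    for sw in vswitches:
        if {"dmz", "prod"} <= set(sw.portgroups.values()):
            findings.append(f"vSwitch {sw.name} (uplinks {', '.join(sw.uplinks)}) "
                            "carries both DMZ and production port groups")
        pg_zone.update(sw.portgroups)
    for vm in vms:
        for pg in vm.portgroups:
            if pg_zone.get(pg, vm.zone) != vm.zone:     # unknown port groups are skipped
                findings.append(f"VM {vm.name} ({vm.zone}) attaches to {pg_zone[pg]} port group {pg}")
        for iqn in vm.iscsi_targets:
            if vm.zone == "dmz" and iqn in prod_targets:
                findings.append(f"DMZ VM {vm.name} has direct iSCSI access to {iqn}")
    return findings

# Constructed inventory with three deliberate violations: DMZ-Mail rides the production
# uplinks on vSwitch0, jump01 is dual-homed across zones, mail01 mounts the production SAN.
VSWITCHES = [
    VSwitch("vSwitch0", ["vmnic0", "vmnic1"], {"Prod-LAN": "prod", "DMZ-Mail": "dmz"}),
    VSwitch("vSwitch1", ["vmnic2"], {"DMZ-Web": "dmz"}),
]
VMS = [
    VM("erp01", "prod", ["Prod-LAN"]),
    VM("web01", "dmz", ["DMZ-Web"]),
    VM("mail01", "dmz", ["DMZ-Mail"], ["iqn.2001-05.com.example:prod-san"]),
    VM("jump01", "dmz", ["DMZ-Web", "Prod-LAN"]),
]
PROD_TARGETS = {"iqn.2001-05.com.example:prod-san"}

FINDINGS = audit(VSWITCHES, VMS, PROD_TARGETS)   # three findings for the inventory above
```

Fed a real inventory (for example one exported from the hypervisor's management API), the same three checks flag a DMZ port group that shares production uplinks, a VM bridging zones, and a DMZ guest with a session to production storage.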