Solved

Placing Web & App servers (VM) in the same or different VLANs

Posted on 2013-01-14
9
477 Views
Last Modified: 2013-01-16
I have 16 IIS Web servers (on VMs running Win 2008 R2 Std) &
8 App (Appfabric, MS HL7) servers (on VMs running Win 2008 R2 Std).

I'm deciding whether to place them on same VLAN/subnet   Or
Web servers on one VLAN/subnet (ie DMZ zone) & the App on
another (ie App zone).

Q1:
Is MS HL7/Appfabric considered app servers or people generally
treat it as web?

Q2:
There's quite a number of communications (persistent & non-
persistent) between the Web & the HL7/Appfabric (& several
other inhouse developed HL7 and .Net apps) & I'm thinking
if I could justify to place all of them into one single DMZ zone.
Is this a good idea?

Q3:
By placing them in different zones/VLANs, anyone foresee any
issue in the VMware/ESXi setup/configuration?  All the 16+8
VMs are running on 5 ESXi hosts.  Guess, I'll need to permit
both DMZ & App zones on the trunked ports of the switches
that the ESXi hosts are connected to.  Anything else?
0
Comment
Question by:sunhux
  • 5
  • 4
9 Comments
 
LVL 118

Accepted Solution

by:
Andrew Hancock (VMware vExpert / EE MVE) earned 480 total points
ID: 38777189
Q1. Applicartion Servers

Q2. DMZ

Q3. No issues with VMware ESXi, using VLANs or Trunked Ports
0
 

Author Comment

by:sunhux
ID: 38777928
So inter-VLAN routing is handled by the layer 3 switch
or usually there's a firewall between the DMZ & App
zones/VLANs as well?
0
 

Author Comment

by:sunhux
ID: 38777943
One more question:

if the web & app servers are only meant for internal users' access
(ie not for public internet), is it still really crucial to segregate web
from app servers & create a DMZ zone?
0
 
LVL 118

Assisted Solution

by:Andrew Hancock (VMware vExpert / EE MVE)
Andrew Hancock (VMware vExpert / EE MVE) earned 480 total points
ID: 38777949
Yes, inter-vlan routing is usually enabled by your physical switches.

But when we work with clients, we put firewalls between DMZ and Production Networks, and we also tie the ports down or IP Addresses, so different servers in the DMZ cannot commiunicate with other servers in the DMZ.

So everything is isolated, and we have firewalls between the DMZ and Internet.

e.g.

Internet ---> Firewall ---> DMZ ---> Firewall ---> Production Networks (e.g. AD, DHCP, email, file servers etc)
0
Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 

Author Comment

by:sunhux
ID: 38778034
if the web & app servers are only meant for internal users' access
(ie not for public internet), is it still really crucial to segregate web
from app servers & create a DMZ zone?
0
 

Author Comment

by:sunhux
ID: 38778090
http://www.vmware.com/files/pdf/dmz_virtualization_vmware_infra_wp.pdf
Just read the above: hmm, we never commit to the customer that we'll build
a virtualized DMZ for them in the design specs which the customer has just
signed off.

Without a virtualized DMZ, I really can't see any benefit in placing the
Web VMs & App VMs in separate VLANs, or is there still a security benefit?

Concerned that I may end up raising a lot of firewall rules later & if there's
inter-VLAN routing issues, going to have a lot to troubleshoot
0
 
LVL 118

Assisted Solution

by:Andrew Hancock (VMware vExpert / EE MVE)
Andrew Hancock (VMware vExpert / EE MVE) earned 480 total points
ID: 38778095
if you only need to serve internal users, no need for DMZ.
0
 

Author Comment

by:sunhux
ID: 38778264
Bear with me:  for internal users, is it still essential to put web &
app VMs in separate VLANs ?  I think if the inter-VLAN routing has a
Cisco ACL (access control lists) filtering, it may introduce a bit of delay:

http://social.msdn.microsoft.com/Forums/en/architecturegeneral/thread/f7262f04-4f8d-483e-863e-8a17171776d3
0
 
LVL 118

Assisted Solution

by:Andrew Hancock (VMware vExpert / EE MVE)
Andrew Hancock (VMware vExpert / EE MVE) earned 480 total points
ID: 38778676
I would not use different VLANs.
0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

HOW TO: Install and Configure VMware vSphere Hypervisor 6.5 (ESXi 6.5), Step by Step Tutorial with screenshots. From Download, Checking Media, to Completed Installation.
HOW TO: Upload an ISO image to a VMware datastore for use with VMware vSphere Hypervisor 6.5 (ESXi 6.5) using the vSphere Host Client, and checking its MD5 checksum signature is correct.  It's a good idea to compare checksums, because many installat…
This video shows you how to use a vSphere client to connect to your ESX host as the root user. Demonstrates the basic connection of bypassing certification set up. Demonstrates how to access the traditional view to begin managing your virtual mac…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now