Recommended security architecture for VM internet solution

Dear Experts,

I am testing a virtual solution (XenServer based) where I have 3 virtual machines:

1) A firewall
2) A web server
3) A database server

All are linux based machines.

All 3 have public addresses in the same network (e.g. x.x.x.50 (firewall), x.x.x.51 (web server) and x.x.x.52 (database server)).

The host has a single network card directly connected to the internet.

I want the firewall to block all the traffic except port 80 to the web server.

I would like to know the best architecture recommended for such a solution.

Thank you,
Luis Miguel
ienaxxx Commented:
Create an internal virtual network and attach the web and DB servers to that network. Then add a second NIC to the firewall and attach it to that network as well.

Then use the Firewall specific procedure to publish the web site.

If so, remove the management IP from the PUBLIC network (with a VLAN on the switch, or assign the IP to another NIC on the HOST, not connected).

LMGONCAAuthor Commented:
Dear ienaxxx,

Question: when you say to remove the management IP from the PUBLIC network - I believe this cannot be done as only one NIC exists in the machine, right?

ienaxxx Commented:

No, it's feasible if you have a switch that supports 802.1q (VLANs).
The only thing you need is to assign the port multiple VLANs (it's OK to leave the previous one as "native", so you don't have to reconfigure a lot of things): the previous one and a new or existing one dedicated to management.

Anyway, if you can't, you can assign an IP that is not published, if you connect directly to the switch and assign a compatible IP to your machine...

Alternatively, if your VM solution supports the use of access lists for the management IP, you can set the management interface to let only your class of IP connect.

Here are three solutions to restrict management access to your server from the public. When I started writing I thought there was one. :-)

Hope this helps.
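The layout ienaxxx describes (web and DB servers on an internal virtual network, firewall with a second NIC, only the web site published) and the "let only your class of IP connect" idea, worked out as an added example that is not from the original thread. It is a small Python model of the firewall VM: one function renders an iptables-restore ruleset for the firewall, the other evaluates a new connection against the same policy so the decisions can be checked offline. Everything concrete is assumed: interface names eth0/eth1, TEST-NET addresses standing in for the x.x.x.0 public network in the question, 10.0.0.0/24 as the internal network, 198.51.100.0/24 as the admin range, and SSH as the management port. The admin-range restriction here is applied to the firewall VM's own SSH, not to the XenServer management interface.

```python
"""Added example (not from the thread): model of a two-NIC firewall VM that
publishes only TCP/80 to a web server on an internal virtual network."""
import ipaddress

PUBLIC_IF, INTERNAL_IF = "eth0", "eth1"              # assumed NIC names on the firewall VM
FW_PUBLIC = "203.0.113.50"                            # x.x.x.50 in the question (assumed value)
FW_INTERNAL = "10.0.0.1"                              # assumed firewall address on the internal net
WEB_INTERNAL = "10.0.0.51"                            # web server, internal network only (assumed)
DB_INTERNAL = "10.0.0.52"                             # DB server, internal network only (assumed)
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")    # assumed internal virtual network
ADMIN_NET = ipaddress.ip_network("198.51.100.0/24")   # assumed "class of IP" allowed to manage the firewall
ADMIN_PORT = 22                                       # assumed management port on the firewall
LOCAL_ADDRS = {FW_PUBLIC, FW_INTERNAL}                # addresses delivered to the firewall's INPUT chain


def iptables_ruleset() -> str:
    """Render an iptables-restore ruleset for the firewall VM.

    INPUT and FORWARD default to DROP, so everything not listed here (the DB
    port, SSH from the public at large, connections started from the internal
    network) is dropped.  Web-to-DB traffic stays on the internal virtual
    network and never crosses the firewall, so it needs no rule.
    Apply on the firewall with: iptables-restore < ruleset.txt
    """
    return f"""*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Publish the web site: rewrite public:80 to the web server's internal address
-A PREROUTING -i {PUBLIC_IF} -d {FW_PUBLIC} -p tcp --dport 80 -j DNAT --to-destination {WEB_INTERNAL}:80
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Management of the firewall itself only from the admin range
-A INPUT -i {PUBLIC_IF} -s {ADMIN_NET} -p tcp --dport {ADMIN_PORT} -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Only connections that were DNATed above may cross into the internal network;
# --ctstate DNAT keeps a packet addressed directly to {WEB_INTERNAL} from matching.
-A FORWARD -i {PUBLIC_IF} -o {INTERNAL_IF} -d {WEB_INTERNAL} -p tcp --dport 80 -m conntrack --ctstate DNAT -j ACCEPT
COMMIT
"""


def decide(in_if: str, src: str, dst: str, dport: int, proto: str = "tcp") -> str:
    """Evaluate the first packet of a NEW connection against the policy above.

    Mirrors the packet path: nat/PREROUTING (DNAT), then the routing decision
    (local delivery -> INPUT, otherwise FORWARD).  Returns the verdict as text.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    dnatted = False
    # nat/PREROUTING: publish the web site
    if in_if == PUBLIC_IF and proto == "tcp" and str(dst_ip) == FW_PUBLIC and dport == 80:
        dst_ip, dnatted = ipaddress.ip_address(WEB_INTERNAL), True
    # routing: anything for the firewall's own addresses goes to INPUT
    if str(dst_ip) in LOCAL_ADDRS:
        if (in_if == PUBLIC_IF and proto == "tcp" and dport == ADMIN_PORT
                and src_ip in ADMIN_NET):
            return "INPUT ACCEPT"
        return "INPUT DROP"
    # FORWARD: only the DNATed web connection may enter the internal network
    if dnatted and str(dst_ip) == WEB_INTERNAL and dport == 80:
        return f"FORWARD ACCEPT -> {WEB_INTERNAL}:80"
    return "FORWARD DROP"


if __name__ == "__main__":
    # Constructed sample connections (not captured traffic)
    samples = [
        ("eth0", "192.0.2.10", FW_PUBLIC, 80),      # public visitor -> web site
        ("eth0", "192.0.2.10", FW_PUBLIC, 5432),    # public visitor -> DB port
        ("eth0", "192.0.2.10", FW_PUBLIC, 22),      # public visitor -> firewall SSH
        ("eth0", "198.51.100.7", FW_PUBLIC, 22),    # admin range -> firewall SSH
        ("eth0", "192.0.2.10", "203.0.113.52", 5432),  # old public DB address
        ("eth1", WEB_INTERNAL, "192.0.2.10", 443),  # web server reaching out
    ]
    for s in samples:
        print(f"{s[0]} {s[1]} -> {s[2]}:{s[3]}  => {decide(*s)}")
    print(iptables_ruleset())
```

The important property is that the DB server is reachable only from the internal network: it has no public address any more, and a connection from the internet to its former public address is dropped in FORWARD. Outbound connections from the internal network (package updates, for example) are also dropped by this ruleset and would need an explicit FORWARD rule if wanted.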