Recommended security architecture for VM internet solution

Dear Experts,

I am testing a virtual solution (XenServer based) where I have 3 virtual machines:

1) A firewall
2) A web server
3) A database server

All are Linux-based machines.

All 3 have public addresses in the same network (ex: x.x.x.50 (firewall), x.x.x.51 (web server) and x.x.x.52 (database server)).

The host has a single network card directly connected to the internet.

I want the firewall to block all the traffic except ports 80 to the web server.

I would like to know the best architecture recommended for such solution.

Thank you,
Luis Miguel

Create an internal Virtual network and attach the web and DB servers to that network. Then add a second NIC to the firewall and attach it to the net as well.

Then use the Firewall specific procedure to publish the web site.

If so, remove the management IP from the PUBLIC network (with a VLAN on the switch, or assign the IP to another NIC on the HOST, not connected).

LMGONCA (Author) commented:
Dear ienaxxx,

Question: when you mean to remove the management IP from the PUBLIC network - I believe this cannot be done as only 1 nic exists in the machine, right?

NO, it's feasible if you have a switch that supports 802.1q (VLANs).
The only thing you need is to assign the port multiple VLANs (it's OK to leave the previous one as "native", so you don't have to reconfigure a lot of things): the previous one and a new or existing one dedicated to management.

Anyway, if you can't, you can assign an IP that is not published, if you connect directly to the switch and assign a compatible IP to your machine...

Alternatively, if your VM solution supports the use of access lists for the management IP, you can set the management interface to accept connections only from your class of IP.

Here are three solutions to restrict management access to your server from the public. When I started writing, I thought there was only one. :-)

Hope this helps.
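As an added example that is not from the thread or from either poster, the following shell script renders an nftables ruleset for the firewall VM laid out in the two answers above: a public NIC, a second NIC on the internal virtual network holding the web and database servers, only port 80 published (DNAT) to the web server with everything else dropped, and management (SSH) reachable only from an admin address range, which is the "access list" idea from the second answer. The interface names eth0/eth1, the internal addresses 10.0.0.2 (web) and 10.0.0.3 (database), and the admin range 203.0.113.0/24 are assumptions; so is the choice of nftables as the "firewall specific procedure", which the thread leaves unnamed.

```shell
#!/bin/sh
# Added example, not the thread's own configuration.
# Assumed layout (override with environment variables):
#   eth0 = public NIC (x.x.x.50), eth1 = internal virtual network
#   web server 10.0.0.2, database server 10.0.0.3 (never published)
#   admin workstations 203.0.113.0/24 (the "class of IP" allowed to manage)
PUBLIC_IF="${PUBLIC_IF:-eth0}"
INTERNAL_IF="${INTERNAL_IF:-eth1}"
WEB_IP="${WEB_IP:-10.0.0.2}"
MGMT_NET="${MGMT_NET:-203.0.113.0/24}"

# Print the ruleset. Both chains default to drop: the database server gets no
# rule at all, so it is reachable only from the internal network.
render_ruleset() {
    cat <<EOF
flush ruleset
table inet fw {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        # firewall management: SSH only from the admin range, on the public NIC
        iif "$PUBLIC_IF" ip saddr $MGMT_NET tcp dport 22 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # the only traffic allowed to cross into the internal network
        iif "$PUBLIC_IF" oif "$INTERNAL_IF" ip daddr $WEB_IP tcp dport 80 ct state new accept
    }
    chain prerouting {
        type nat hook prerouting priority -100;
        # publish port 80 of the firewall's public address to the web server
        iif "$PUBLIC_IF" tcp dport 80 dnat ip to $WEB_IP
    }
}
EOF
}

# Syntax-check the rendered ruleset without loading it (needs nft installed).
check_ruleset() {
    command -v nft >/dev/null 2>&1 || { echo "nft not installed" >&2; return 2; }
    render_ruleset | nft -c -f -
}

# Load the ruleset and enable forwarding between the two NICs (run as root).
apply_ruleset() {
    sysctl -w net.ipv4.ip_forward=1
    render_ruleset | nft -f -
}

case "${1:-render}" in
    check) check_ruleset ;;
    apply) apply_ruleset ;;
    *)     render_ruleset ;;
esac
```

Run it with no argument to inspect the ruleset, `check` to let `nft -c` validate it, and `apply` on the firewall VM as root. For the published connection to work end to end, the web server's default route must point at the firewall's internal address so that replies pass back through the same conntrack entry; the database server needs no route to the outside at all. The VLAN approach from the second answer is configured on the switch port and the host, not in this ruleset.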