Asked by LMGONCA (Portugal)

Recommended security architecture for VM internet solution

Dear Experts,

I am testing a virtual solution (XenServer based) where I have 3 virtual machines:

1) A firewall
2) A web server
3) A database server

All are Linux-based machines.

All 3 have public addresses in the same network (e.g. x.x.x.50 (firewall), x.x.x.51 (web server) and x.x.x.52 (database server)).

The host has a single network card directly connected to the internet.

I want the firewall to block all traffic except port 80 to the web server.

I would like to know the best recommended architecture for such a solution.

Thank you,
Luis Miguel
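The firewall policy the question asks for, as an added example that is not part of the original thread or of the accepted solution. It assumes the layout usually recommended for this case: the firewall VM keeps the public address (203.0.113.50 stands in for x.x.x.50) and gets two extra interfaces on XenServer internal networks that have no physical NIC, one holding the web server (10.0.1.2) and one holding the database server (10.0.2.2). The interface names, the private addresses, the database port 3306 and the administrator's range 198.51.100.0/24 are all assumptions. The function emits the policy in iptables-restore format so it can be reviewed before it is loaded.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed firewall-VM interfaces:
#   eth0 = public 203.0.113.50 (stands in for x.x.x.50), the only interface on the internet
#   eth1 = 10.0.1.1/24, XenServer internal network holding the web VM (10.0.1.2)
#   eth2 = 10.0.2.1/24, XenServer internal network holding the DB VM (10.0.2.2)
# The internal networks have no physical NIC, so the firewall VM is the only way in or out.

PUB_IF="eth0"; WEB_IF="eth1"; DB_IF="eth2"
PUB_IP="203.0.113.50"          # assumption: documentation address in place of x.x.x.50
WEB_NET="10.0.1.0/24"; WEB_IP="10.0.1.2"
DB_NET="10.0.2.0/24";  DB_IP="10.0.2.2"; DB_PORT="3306"   # assumption: MySQL-style port
ADMIN_NET="198.51.100.0/24"    # assumption: the only range allowed to manage the firewall

# Emit the complete policy in iptables-restore format (apply: gen_firewall_rules | iptables-restore)
gen_firewall_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# The single published service: TCP/80 on the public address is forwarded to the web VM
-A PREROUTING -i $PUB_IF -d $PUB_IP -p tcp --dport 80 -j DNAT --to-destination $WEB_IP:80
# The web network may go out (updates, DNS) behind the public address; the DB network may not
-A POSTROUTING -o $PUB_IF -s $WEB_NET -j SNAT --to-source $PUB_IP
COMMIT
*filter
# Default deny on everything that enters or crosses the firewall; below are the only exceptions
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Managing the firewall VM itself: SSH, and only from the administrator's range
-A INPUT -i $PUB_IF -s $ADMIN_NET -p tcp --dport 22 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# Inbound from the internet: only the DNATed port 80, only towards the web VM
-A FORWARD -i $PUB_IF -o $WEB_IF -d $WEB_IP -p tcp --dport 80 -j ACCEPT
# Web VM -> DB VM on the database port; nothing else reaches the DB network
-A FORWARD -i $WEB_IF -o $DB_IF -s $WEB_IP -d $DB_IP -p tcp --dport $DB_PORT -j ACCEPT
# The web network may initiate outbound connections; the DB network has no path out at all
-A FORWARD -i $WEB_IF -o $PUB_IF -s $WEB_NET -j ACCEPT
COMMIT
EOF
}

gen_firewall_rules
```

Load it on the firewall VM with `gen_firewall_rules | iptables-restore` after enabling forwarding (`sysctl -w net.ipv4.ip_forward=1`). The split into two internal networks is what makes the web-to-database rule enforceable: two VMs on the same XenServer network talk to each other at layer 2 and never pass through the firewall VM, so with a single internal network the database would be reachable from a compromised web server on every port.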
ASKER CERTIFIED SOLUTION
ienaxxx (Italy)

This solution is only available to members. To access this solution, you must be a member of Experts Exchange.
LMGONCA
ASKER
Dear ienaxxx,

Question: when you say to remove the management IP from the PUBLIC network - I believe this cannot be done, as only 1 NIC exists in the machine, right?

Regards,
LMG
ienaxxx

NO, it's feasible if you have a switch that supports 802.1Q (VLANs).
The only thing you need is to assign multiple VLANs to the port (it's OK to leave the previous one as "native", so you don't have to reconfigure a lot of things): the previous one and a new or existing one dedicated to management.

Anyway, if you can't, you can assign an IP that is not published, if you connect directly to the switch and assign a compatible IP to your machine...

Alternatively, if your VM solution supports the use of access lists on the management IP, you can set the management interface to accept connections only from your own IP range.

Here are three solutions to restrict management access to your server from the public. When I started writing I thought there was one. :-)

Hope this helps.
Goodbye!
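The third option from the reply above, an access list on the management interface, as an added example (not ienaxxx's configuration). It is written for the XenServer host itself, where the management interface lives in dom0; the bridge name xenbr0, the administrator's range 198.51.100.0/24 and the set of management ports (22 for SSH, 80 and 443 for XenAPI and XenCenter) are assumptions. Because a mistake here locks you out of the host, the generator refuses to emit a ruleset for an empty or malformed range.

```shell
#!/bin/sh
# Added example (not from the thread). Restricts XenServer's management interface (dom0)
# to the administrator's IP range. Assumptions: management bridge xenbr0, services 22/80/443.

MGMT_IF="xenbr0"          # assumption: XenServer's default management bridge
MGMT_PORTS="22 80 443"    # assumption: SSH plus XenAPI over HTTP/HTTPS

# Accept only a dotted-quad/prefix; anything else (empty, a bare IP, /33) is rejected
valid_cidr() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Emit an iptables-restore ruleset for dom0 that answers management ports only to $1.
# Refuses to produce anything that would lock the administrator out of the host.
gen_mgmt_acl() {
    admin_net="$1"
    if ! valid_cidr "$admin_net"; then
        echo "refusing to build ACL: '$admin_net' is not an IPv4 CIDR range" >&2
        return 1
    fi
    cat <<EOF
*filter
:INPUT DROP [0:0]
# FORWARD stays open: dom0 bridges the VMs' traffic and must not filter it here
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
    for port in $MGMT_PORTS; do
        echo "-A INPUT -i $MGMT_IF -s $admin_net -p tcp --dport $port -j ACCEPT"
    done
    # Anyone else reaching the management address is dropped, including scans of the public IP
    echo "-A INPUT -i $MGMT_IF -j DROP"
    echo "COMMIT"
}

gen_mgmt_acl "198.51.100.0/24"
```

Load the result from a console session (XenCenter console or the physical console) rather than over SSH, and with `iptables-restore --noflush` if dom0 already carries rules you want to keep. The VLAN option from the same reply needs the tagged network on the XenServer side as well as on the switch port: create it on the physical PIF with `xe vlan-create` and move the management interface onto it with `xe host-management-reconfigure`.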