Mixing DMZ and LAN servers on a single Hyper-V host

I am considering replacing a customer's servers with a Hyper-V based solution. They have 3 servers, including a web server which currently sits in a DMZ and a SQL server which sits on the LAN and is used by the web server.

I would like to move these 2 servers onto one Hyper-V host, but on separate virtual switches linked to separate NICs.

The 3rd server I would like to add is an RDS server.

My question is: what is the best place for the web server? Is it a security risk putting it on the same Hyper-V server?

Cliff Galiher commented:
Yes, there is an increased risk in mixing VMs that would otherwise be separated by physical broadcast domains. Should an exploit be discovered in the Hyper-V networking stack, it would allow greater access, much like an exploit on a physical machine could expose other machines if the compromise happens behind a firewall. Which, of course, is the only reason to implement a so-called DMZ. Virtualization doesn't change those basic traits either way.

Philip Elder (Technical Architect - HA/Compute/Storage) commented:
My suggestion is to set up your host with a minimum of two Intel i350T4 Quad-Port Gigabit NICs.

Your host's on board NICs would be teamed and used for management (tend to be Broadcom in Tier 1 boxes).

We would set up the i350T4 ports dedicated to each vSwitch mentioned (not shared with host):
Team 0: Ports 0, 1, 2: vSwitch - Production (VMs on this network would connect to your production network)
Team 1: Port 3: vSwitch - DMZ (Web Server VM on this vSwitch connected to your DMZ physical switch)

You could go further and set up the DMZ on a VLAN setup from edge to VM, say VLAN 99 tagged, and set each VM's vNIC to tag all packets VLAN 99 (found in the VM's Settings). At least a WebSmart switch would be required on the DMZ to allow VLAN configuration.

In a Hyper-V multi-tenant environment we would be doing something similar to the above though in a clustered setting where each tenant would be sitting on its own VLAN from Edge to VM.

EDIT: Our edge (SonicWall) would also be set up with VLAN tagging and Zoning to keep things separate from WAN port to LAN port. A dedicated cable would be connected between the SonicWall and the DMZ switch.
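The host-side layout Philip describes, as an added PowerShell example (not from this thread, from Experts Exchange or from any vendor): two onboard ports teamed for management, three i350-T4 ports teamed under a production vSwitch, the fourth port alone under a DMZ vSwitch, and the web server VM given a single vNIC on the DMZ switch tagged VLAN 99. The adapter names (Onboard1/2, i350-P0..P3), team names and the VM name WEB01 are assumptions; replace them with what Get-NetAdapter shows on the real host. The guard settings and the verification block at the end are additions that the answer does not mention.

```powershell
# Added example: Hyper-V host networking for the Team 0 / Team 1 layout above.
# Assumptions: onboard ports are named "Onboard1"/"Onboard2", the i350-T4 ports
# "i350-P0".."i350-P3" (rename with Rename-NetAdapter if needed), and the web
# server VM is "WEB01" and is powered off while its vNICs are rebuilt.
# Uses the LBFO teaming cmdlets of Windows Server 2012 R2 / 2016.

$ErrorActionPreference = 'Stop'
$dmzVlan = 99

# Management team on the onboard NICs: host traffic only, no vSwitch bound to it.
New-NetLbfoTeam -Name 'Team-Mgmt' -TeamMembers 'Onboard1', 'Onboard2' `
    -TeamingMode SwitchIndependent -LoadBalancingAlgorithm Dynamic -Confirm:$false

# Team 0: ports 0-2 -> Production vSwitch, not shared with the host OS.
New-NetLbfoTeam -Name 'Team0-Prod' -TeamMembers 'i350-P0', 'i350-P1', 'i350-P2' `
    -TeamingMode SwitchIndependent -LoadBalancingAlgorithm HyperVPort -Confirm:$false
New-VMSwitch -Name 'vSwitch-Production' -NetAdapterName 'Team0-Prod' -AllowManagementOS $false

# "Team 1": port 3 -> DMZ vSwitch, cabled to the DMZ physical switch. A single
# port needs no team object, so the vSwitch is bound to the adapter directly.
New-VMSwitch -Name 'vSwitch-DMZ' -NetAdapterName 'i350-P3' -AllowManagementOS $false

# Web server VM: exactly one vNIC, on the DMZ switch only, access VLAN 99.
Get-VMNetworkAdapter -VMName 'WEB01' | Remove-VMNetworkAdapter
Add-VMNetworkAdapter -VMName 'WEB01' -Name 'DMZ' -SwitchName 'vSwitch-DMZ'
Set-VMNetworkAdapterVlan -VMName 'WEB01' -VMNetworkAdapterName 'DMZ' -Access -VlanId $dmzVlan

# Not in the answer, but worth setting on a DMZ-facing vNIC: the guest cannot
# change its MAC or act as a DHCP server / router on the segment.
Set-VMNetworkAdapter -VMName 'WEB01' -Name 'DMZ' `
    -MacAddressSpoofing Off -DhcpGuard On -RouterGuard On

# Verification: no host vNIC on either VM switch; WEB01 on vSwitch-DMZ only, VLAN 99.
Get-VMSwitch | Select-Object Name, AllowManagementOS, NetAdapterInterfaceDescription
$hostVnics = Get-VMNetworkAdapter -ManagementOS |
    Where-Object { $_.SwitchName -in 'vSwitch-Production', 'vSwitch-DMZ' }
if ($hostVnics) { throw "Host OS has a vNIC on a VM switch: $($hostVnics.SwitchName -join ', ')" }

$web = @(Get-VMNetworkAdapter -VMName 'WEB01')
if ($web.Count -ne 1 -or $web[0].SwitchName -ne 'vSwitch-DMZ') {
    throw 'WEB01 must have exactly one vNIC, attached to vSwitch-DMZ'
}
$vlan = Get-VMNetworkAdapterVlan -VMName 'WEB01' -VMNetworkAdapterName 'DMZ'
if ($vlan.OperationMode -ne 'Access' -or $vlan.AccessVlanId -ne $dmzVlan) {
    throw "WEB01 DMZ vNIC is not in access VLAN $dmzVlan"
}
```

Run it elevated on the host after the cabling in the answer is done (Team 0 ports to the production switch, port 3 to the DMZ switch). The VLAN 99 tag on the vNIC only isolates traffic if the DMZ switch port and the edge firewall are configured for the same tag, as the answer says; the host itself never gets an address on either VM switch because both are created with -AllowManagementOS $false. On Windows Server 2019 and later, Switch Embedded Teaming (New-VMSwitch -EnableEmbeddedTeaming with several -NetAdapterName values) replaces the LBFO team for the production switch.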
roy_batty (Director, Author) commented:
So that's a "probably not" and a "yes, go for it". Any other points to add to this discussion?

Philip Elder (Technical Architect - HA/Compute/Storage) commented:
Have a good IPS (Intrusion Protection System) in place either on the edge or before the edge.

If there is a need to connect to the server(s) on the DMZ a secured path via Internet would be one way (SSH/RDP inbound limited to public IP of production WAN). If there is a need to connect the DMZ to the production network then a virtual edge would be required (SOPHOS would be one that comes to mind) with a vNIC on both networks. Of course, filtering packets through that vEdge would be a given.
roy_batty (Director, Author) commented:
The webserver will need to connect to sql server on the production side. Please tell me more about this virtual edge?
Philip Elder (Technical Architect - HA/Compute/Storage) commented:
You can download a copy of SOPHOS UTM from their Web site. It's an ISO that can be mounted in a VM's optical drive. Boot it, install it, and configure the edge services. The product is not free but works quite well.

Make sure your setup is configured against and tested for SQL Injection attacks.
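The virtual edge discussed in the last few comments, as an added PowerShell example (not from this thread, from Experts Exchange or from Sophos): it creates the UTM VM with one vNIC on each vSwitch, tags the DMZ leg VLAN 99, boots it from the downloaded ISO, and checks that it is the only VM with a foot in both networks. It then adds, on the SQL server, a host firewall rule so that TCP 1433 is accepted only from the address the web server's traffic arrives from, as a second layer behind the edge's own filtering. The switch names, VM names, ISO path and the 10.0.99.10 address are assumptions; the UTM's own firewall rules are configured in its console and are not covered here.

```powershell
# Added example: a virtual edge VM bridging vSwitch-DMZ and vSwitch-Production,
# plus a host-firewall rule on the SQL server behind it.
# Assumptions: both vSwitches already exist, the UTM installer ISO is at
# C:\ISO\utm.iso (illustrative name), the web server is 10.0.99.10 on the DMZ
# (VLAN 99) and the edge routes, not NATs, its traffic to the SQL server.

$ErrorActionPreference = 'Stop'

# --- on the Hyper-V host ---------------------------------------------------
$edge = 'EDGE01'
New-VM -Name $edge -Generation 1 -MemoryStartupBytes 2GB `
    -NewVHDPath "C:\VMs\$edge\$edge.vhdx" -NewVHDSizeBytes 40GB `
    -SwitchName 'vSwitch-Production'
# New-VM created one adapter on the production switch; name it, then add the DMZ leg.
Rename-VMNetworkAdapter -VMName $edge -Name 'Network Adapter' -NewName 'LAN'
Add-VMNetworkAdapter -VMName $edge -Name 'DMZ' -SwitchName 'vSwitch-DMZ'
Set-VMNetworkAdapterVlan -VMName $edge -VMNetworkAdapterName 'DMZ' -Access -VlanId 99
Set-VMDvdDrive -VMName $edge -Path 'C:\ISO\utm.iso'
Start-VM -Name $edge

# Sanity check: the edge must be the ONLY VM attached to both switches. Any other
# dual-homed VM is a path around the edge's filtering.
$dualHomed = Get-VM | Where-Object {
    $sw = @(Get-VMNetworkAdapter -VMName $_.Name | Select-Object -ExpandProperty SwitchName)
    ($sw -contains 'vSwitch-DMZ') -and ($sw -contains 'vSwitch-Production')
} | Select-Object -ExpandProperty Name
if (($dualHomed -join ',') -ne $edge) {
    throw "VMs attached to both DMZ and Production: $($dualHomed -join ', ')"
}

# --- on the SQL server (production network) --------------------------------
# Accept SQL traffic only from the web server as seen through the edge; with the
# default inbound policy, anything else to 1433 is blocked.
$webSource = '10.0.99.10'   # assumption; use the edge's LAN address if it NATs
New-NetFirewallRule -DisplayName 'SQL 1433 from WEB01 only' -Direction Inbound `
    -Protocol TCP -LocalPort 1433 -RemoteAddress $webSource -Action Allow `
    -Profile Domain, Private

# Check that no broader enabled rule already allows 1433 from any address.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq '1433' } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' } |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{ Rule = $_.DisplayName; RemoteAddress = $addr }
    }
```

The last pipeline lists every enabled allow rule for TCP 1433 with its remote address filter; a rule whose RemoteAddress is Any (for instance one created by the SQL Server installer) would make the new rule pointless and should be disabled or narrowed. The two halves run on different machines, the first on the Hyper-V host and the second on the SQL server, and the web server's address must match whatever the edge presents to the production side.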
roy_batty (Director, Author) commented:
OK I will take a look.

I have also come across 5Nine Cloud Security for Hyper-V Free edition which seems very easy to use.

Does anyone have an opinion about this product?
Philip Elder (Technical Architect - HA/Compute/Storage) commented:
They have some pretty good things going on via folks I've spoken with though I've not worked with any of their products firsthand.
roy_batty (Director, Author) commented:
Thanks for the advice on this, guys.