Mixing DMZ and LAN Servers on a single Hyper-V host

I am considering replacing a customer's servers with a Hyper-V based solution. They have 3 servers, including a webserver which currently sits in a DMZ and a SQL server which sits on the LAN and is used by the webserver.

I would like to move these 2 servers onto one Hyper-V host, but on separate virtual switches linked to separate NICs.

The 3rd server I would like to add is an RDS server.

My question is: what is the best place for the webserver? Is it a security risk putting it on the same Hyper-V server?
roy_batty, Director, asked:
Cliff Galiher commented:
Yes, there is an increased risk in mixing VMs that would otherwise be separated by physical broadcast domains. Should an exploit be discovered in the hyper-v networking stack, it would allow greater access, much like an exploit on a physical machine could expose other machines if the compromise happens behind a firewall. Which, of course, is the only reason to implement a so-called DMZ. Virtualization doesn't change those basic traits either way.
0
 
Philip Elder, Technical Architect - HA/Compute/Storage, commented:
My suggestion is to set up your host with a minimum of two Intel i350T4 Quad-Port Gigabit NICs.

Your host's on board NICs would be teamed and used for management (tend to be Broadcom in Tier 1 boxes).

We would set up the i350T4 ports dedicated to each vSwitch mentioned (not shared with host):
Team 0: Ports 0, 1, 2: vSwitch - Production (VMs on this network would connect to your production network)
Team 1: Port 3: vSwitch - DMZ (Web Server VM on this vSwitch connected to your DMZ physical switch)

You could go further and set up the DMZ on a VLAN setup from edge to VM, say VLAN 99 tagged, and set each VM's vNIC to tag all packets VLAN 99 (found in the VM's Settings). At least a WebSmart switch would be required on the DMZ to allow VLAN configuration.

In a Hyper-V multi-tenant environment we would be doing something similar to the above though in a clustered setting where each tenant would be sitting on its own VLAN from Edge to VM.

EDIT: Our edge (SonicWall) would also be set up with VLAN tagging and Zoning to keep things separate from WAN port to LAN port. A dedicated cable would be connected between the SonicWall and the DMZ switch.
0
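The host layout above (management team on the on-board NICs, a three-port production team and a single DMZ port each backing its own vSwitch, web server vNIC tagged VLAN 99), written out as the PowerShell you would run on the host. This is an added example, not code from the thread; it assumes Windows Server 2012 R2 or later Hyper-V, and the adapter names, VM name and VLAN ID are assumptions to be replaced with the real ones.

```powershell
# Added example; not from this thread. Assumes Windows Server 2012 R2 or later
# Hyper-V with the NetLbfo and Hyper-V modules, run elevated on the host.
# Adapter names ('Onboard-1', 'i350-P0', ...) and the VM name 'WEB01' are
# assumptions: check Get-NetAdapter and Get-VM for the real ones.

# Management team on the on-board NICs. No vSwitch is built on it, so host
# management traffic never shares a switch with a VM.
New-NetLbfoTeam -Name 'Team-Mgmt' -TeamMembers 'Onboard-1','Onboard-2' `
    -TeamingMode SwitchIndependent -LoadBalancingAlgorithm Dynamic -Confirm:$false

# Team 0: three i350T4 ports for production VMs.
New-NetLbfoTeam -Name 'Team-Prod' -TeamMembers 'i350-P0','i350-P1','i350-P2' `
    -TeamingMode SwitchIndependent -LoadBalancingAlgorithm Dynamic -Confirm:$false

# Team 1: the single remaining port, cabled only to the DMZ switch.
New-NetLbfoTeam -Name 'Team-DMZ' -TeamMembers 'i350-P3' `
    -TeamingMode SwitchIndependent -LoadBalancingAlgorithm Dynamic -Confirm:$false

# One external vSwitch per team. -AllowManagementOS $false is the setting that
# keeps the host out of both switches: the parent partition gets no vNIC on
# them, so a compromised DMZ VM has no layer-2 path to the host's own stack.
New-VMSwitch -Name 'vSwitch-Production' -NetAdapterName 'Team-Prod' -AllowManagementOS $false
New-VMSwitch -Name 'vSwitch-DMZ'        -NetAdapterName 'Team-DMZ'  -AllowManagementOS $false

# Put the web server on the DMZ switch, tagged VLAN 99 in access mode (the tag
# is applied by the host, so the guest cannot change it to hop VLANs).
Connect-VMNetworkAdapter -VMName 'WEB01' -SwitchName 'vSwitch-DMZ'
Set-VMNetworkAdapterVlan  -VMName 'WEB01' -Access -VlanId 99

# The web server is an end host, not a router or DHCP server, so it should not
# be able to forge MACs, answer DHCP, or send router advertisements.
Set-VMNetworkAdapter -VMName 'WEB01' -MacAddressSpoofing Off -DhcpGuard On -RouterGuard On

# Verify: the host has no vNIC on either switch, and WEB01 is tagged 99 on the DMZ switch.
Get-VMNetworkAdapter -ManagementOS | Select-Object Name, SwitchName
Get-VMNetworkAdapterVlan -VMName 'WEB01'
```

The first verification line should list only the adapter on Team-Mgmt; if a vSwitch name appears there, the host has a vNIC on that switch and the separation the answer describes does not hold. The VLAN tag only isolates anything if the physical DMZ switch port is also configured for VLAN 99 (an access port, or a trunk carrying 99 only), as the answer's "WebSmart switch" note implies.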
 
roy_batty, Director (author), commented:
So that's a "probably not" and a "yes, go for it". Any other points to add to this discussion?
0
 
Philip Elder, Technical Architect - HA/Compute/Storage, commented:
Have a good IPS (Intrusion Protection System) in place either on the edge or before the edge.

If there is a need to connect to the server(s) on the DMZ a secured path via Internet would be one way (SSH/RDP inbound limited to public IP of production WAN). If there is a need to connect the DMZ to the production network then a virtual edge would be required (SOPHOS would be one that comes to mind) with a vNIC on both networks. Of course, filtering packets through that vEdge would be a given.
0
 
roy_batty, Director (author), commented:
The webserver will need to connect to the SQL Server on the production side. Please tell me more about this virtual edge.
0
 
Philip Elder, Technical Architect - HA/Compute/Storage, commented:
You can download a copy of SOPHOS UTM from their Web site. It's an ISO that can be mounted in a VM's optical drive. Boot it, install it, and configure the edge services. The product is not free but works quite well.

Make sure your setup is configured against and tested for SQL Injection attacks.
0
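Building the virtual edge VM described in the two answers above (a vNIC on each network, the UTM ISO mounted in the VM's optical drive) on the host. This is an added example, not from the thread and not Sophos' own tooling; it assumes the two vSwitches already exist with no host vNIC on either, that the ISO has been downloaded to the path shown, and a Generation 1 VM. The VM name, paths, sizes and VLAN ID are assumptions.

```powershell
# Added example; not from this thread and not Sophos' own tooling. Assumes
# 'vSwitch-Production' and 'vSwitch-DMZ' already exist with no host vNIC on
# either, that the UTM ISO was downloaded to the path below, and Generation 1
# (BIOS boot) for the appliance. Paths, names, and VLAN 99 are assumptions.
$vm  = 'UTM01'
$iso = 'D:\ISO\sophos-utm.iso'        # assumed download location

New-VM -Name $vm -Generation 1 -MemoryStartupBytes 2GB `
    -NewVHDPath "D:\VMs\$vm\$vm.vhdx" -NewVHDSizeBytes 40GB `
    -SwitchName 'vSwitch-Production'
Set-VMProcessor -VMName $vm -Count 2

# The adapter New-VM created is the inside (production) leg; give it a name the
# firewall's interface mapping can refer to.
Get-VMNetworkAdapter -VMName $vm | Rename-VMNetworkAdapter -NewName 'inside'

# Second leg on the DMZ switch, tagged the same VLAN as the web server so the
# two share a broadcast domain that nothing on the production side can see.
Add-VMNetworkAdapter -VMName $vm -Name 'dmz' -SwitchName 'vSwitch-DMZ'
Set-VMNetworkAdapterVlan -VMName $vm -VMNetworkAdapterName 'dmz' -Access -VlanId 99

# The edge VM routes between the legs, so leave RouterGuard and DhcpGuard off
# for it (they would drop the router advertisements/DHCP it legitimately sends);
# it still has no reason to spoof source MACs on either leg.
Set-VMNetworkAdapter -VMName $vm -MacAddressSpoofing Off

# Mount the installer ISO in the VM's DVD drive and boot it.
Set-VMDvdDrive -VMName $vm -Path $iso
Start-VM -Name $vm

# Verify: exactly one vNIC on each switch.
Get-VMNetworkAdapter -VMName $vm | Select-Object Name, SwitchName, MacAddress
```

Once the UTM is installed, the web server's default gateway (or at least its route to the production subnet) points at the UTM's DMZ-leg address, and the only rule from the DMZ zone into production is the SQL port from the web server's address to the SQL server's address; everything else from the DMZ is dropped. Without that single rule there is no path between the two vSwitches at all, which is the property this design is buying.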
 
roy_batty, Director (author), commented:
OK I will take a look.

I have also come across 5Nine Cloud Security for Hyper-V Free edition which seems very easy to use.

Does anyone have an opinion about this product?
0
 
Philip Elder, Technical Architect - HA/Compute/Storage, commented:
They have some pretty good things going on via folks I've spoken with though I've not worked with any of their products firsthand.
0
 
roy_batty, Director (author), commented:
Thanks for the advice on this, guys.
0