To DMZ or Not DMZ - A definitive guide


Tubes

Technical User
Jul 5, 2002
GB
I've been asked to explore the idea of using VI3 to create a DMZ. I've been looking at the various resources on the web available to determine if it's a viable solution and have found that most people are fence-sitting on this option. It appears that most solution providers (both vendors and users of VMware) are biased on this point and I'm looking for real-world success and horror stories. Any links would be helpful, as would any direct dialog. TIA.

Tubes
 
I guess I'm unclear how/why you would use VI3 instead of your firewall to set up a properly configured DMZ.
 
Tubes-

Use a PIX (506 or 515) if that is the flavor you choose, or any one will do (Checkpoint, Juniper), and create a DMZ boundary. From there, I guess, with the specific IP address range you could then create your DMZ'd virtual environment. What VMs are you looking to place in the DMZ? Web servers, mail relay boxes?

There are some strange phenomena out there...

geranimo
 
My only concern about using VMware in the DMZ is when you mix DMZ sessions and non-DMZ sessions on the same host. There is always the possibility that someone could accidentally add the DMZ virtual switch to a non-DMZ host; or worse, add the core network vSwitch and the DMZ vSwitch to the same guest, thereby bypassing a firewall.
 
Hosting web servers, FTP servers, etc. with internal application servers on the same VM host... I believe there are several areas of concern, including:

Shared physical resources
Hypervisor
Transparent Page Sharing (shared memory)
Simple admin mistakes (as Arisap has pointed out)
VMware is software, and like all software it isn't bug-free
Hackers and malware writers are targeting VM systems

My personal preference would be to keep DMZ servers on separate physical boxes, isolated from the VM systems by a leading firewall.
 
We have a lot of VI3 servers that run both DMZ and non-DMZ guests.
I agree with what Arisap wrote.

In our installation we don't have any possibility to bypass the firewall by mistake. There aren't any LAN connections to the outside in our normal production computer rooms.

And we tag both the LAN ports and the server NIC.

So the risk is "only" to add a guest to the wrong LAN, and that wouldn't be a big problem since it would still have its fixed IP number, which wouldn't be routed.

/johnny
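The two failure modes raised above (Arisap's dual-homed guest that straddles the DMZ and core vSwitches, and johnny's reliance on VLAN tagging so a mis-placed guest still ends up on a non-routed segment) are both things you can audit for rather than just hope against. The following is an added example, not code from this thread or from VMware: it runs the checks over a constructed, hypothetical host inventory of the kind you would export from ESX (port groups per vSwitch with their VLAN IDs, and the port group each guest vNIC sits on). The zone map and host/guest names are assumptions for illustration; in a real environment you would feed it the output of your inventory tooling.

```python
"""Audit an ESX-style network inventory for DMZ / internal-zone straddling.

Findings raised:
  dual-homed-guest       a guest with vNICs in more than one security zone
                         (the firewall-bypass mistake described in the thread)
  mixed-zone-vswitch     DMZ and internal port groups sharing one vSwitch,
                         and therefore sharing physical uplinks
  untagged-dmz           a DMZ port group with VLAN 0 (untagged), so a
                         mis-placed guest is not confined by tagging
  unclassified-portgroup a guest on a port group missing from the zone map
"""

# Assumed zone map: port group name -> security zone. Adjust to your naming.
ZONES = {
    "DMZ-Web": "dmz",
    "DMZ-Mail": "dmz",
    "Prod-LAN": "internal",
    "Mgmt": "internal",
}

# Constructed sample inventory; these hosts and guests are hypothetical.
INVENTORY = {
    "esx01": {
        "vswitches": {
            "vSwitch0": {"uplinks": ["vmnic0", "vmnic1"],
                         "portgroups": {"Prod-LAN": 10, "Mgmt": 5}},
            "vSwitch1": {"uplinks": ["vmnic2"],
                         "portgroups": {"DMZ-Web": 100}},
        },
        "guests": {
            "web01": ["DMZ-Web"],
            "app01": ["Prod-LAN"],
            "relay01": ["DMZ-Web", "Prod-LAN"],   # straddles both zones
        },
    },
    "esx02": {
        "vswitches": {
            # DMZ and internal port groups on one vSwitch, DMZ untagged
            "vSwitch0": {"uplinks": ["vmnic0"],
                         "portgroups": {"Prod-LAN": 10, "DMZ-Mail": 0}},
        },
        "guests": {
            "mail01": ["DMZ-Mail"],
            "db01": ["Prod-LAN"],
        },
    },
}


def audit(inventory, zones):
    """Return a list of (host, finding, object) tuples for every violation."""
    findings = []
    for host, cfg in inventory.items():
        # vSwitch-level checks: zone mixing on shared uplinks, untagged DMZ
        for vsw, vcfg in cfg["vswitches"].items():
            for pg, vlan in vcfg["portgroups"].items():
                if zones.get(pg) == "dmz" and vlan == 0:
                    findings.append((host, "untagged-dmz", pg))
            zones_on_vswitch = {zones.get(pg, "unknown")
                                for pg in vcfg["portgroups"]}
            if len(zones_on_vswitch) > 1:
                findings.append((host, "mixed-zone-vswitch", vsw))

        # Guest-level checks: every vNIC must land in exactly one zone
        for guest, nics in cfg["guests"].items():
            guest_zones = {zones.get(pg, "unknown") for pg in nics}
            if "unknown" in guest_zones:
                findings.append((host, "unclassified-portgroup", guest))
            if len(guest_zones - {"unknown"}) > 1:
                findings.append((host, "dual-homed-guest", guest))
    return findings


if __name__ == "__main__":
    for host, finding, obj in audit(INVENTORY, ZONES):
        print(f"{host}: {finding}: {obj}")
```

Run against the sample data it flags relay01 on esx01 as dual-homed, and on esx02 both the shared vSwitch0 and the untagged DMZ-Mail port group. The separate-hosts design several posters prefer makes the mixed-zone-vswitch check trivially pass; the other checks still matter there, since a dedicated DMZ host can still be mis-cabled or its guests mis-attached.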
 
I agree with Tubes. There are too many risks. The best option is to deploy a separate ESX host for the DMZ sessions that shares no resources with core services. It may be a paranoid viewpoint, but even paranoids have enemies, and sometimes they are after you ;-)
 