Thursday, July 28, 2011

Qs on DMZ in VMWare

Here is a good article explaining the DMZ in a virtualized environment.

I was not clear about how to set up a DMZ in VMware, so I posted this question and got the answer below from Edward L. Haletky.
Original Post:

So you have the following:

vmnic0 --> a physical switch --> Linksys Internet router --> Internet

Not what I would do, why? Because vmnic0 is often used by the Management Appliance in ESXi or the Service Console in ESX, therefore you would rather not do this. The full picture is....

Mgmt <-> vSwitch0 <-> pNIC (vmnic0) <-> pSwitch <-> Router <-> Outside

What you really want is:

Mgmt/Internal <-> vSwitch0 <-> pNIC (vmnic0,vmnic2) <-> pSwitchI

DMZ  <-> vSwitchD <-> vFW <-> vSwitch1 <-> pNIC (vmnic1) <-> pSwitchE <-> Router <-> Outside

Then I would bridge vSwitch0 and vSwitch2 with a vFW. You really want two physical switches one for DMZ and one for internal. If that is not possible then use VLANs (but I highly recommend a second switch unless you are using high end switches with all sorts of layer-2 protections)

If you want Internal to talk to the DMZ, then the virtual Firewall (vFW) could handle that for you as well, depending on what you use for that firewall. Always add a vFW to protect/segregate the DMZ. vSwitchD in this case is an internal vSwitch that does not have a pNIC connected to it, therefore it is considered private.


Edward L. Haletky
Communities Moderator, VMware vExpert,
Author: VMware vSphere and Virtual Infrastructure Security,VMware ESX and ESXi in the Enterprise 2nd Edition
Podcast: The Virtualization Security Podcast Resources: The Virtualization Booksh
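The layout in the answer above, written out as PowerCLI (VMware's PowerShell module). This is an added example and is not code from the original post or from Haletky. The host name esx01.example.com, the port group names Mgmt/Internal, External and DMZ, and the firewall VM name vfw01 are assumptions; vmnic0/1/2 and the vSwitch names follow the diagram. It also adds the layer-2 security policy check and the final uplink check a practitioner would want before trusting the DMZ.

```powershell
# Added example: build the two-switch DMZ layout from the answer above with PowerCLI.
# Host name, port-group names and the firewall VM name are assumptions for this example.
Connect-VIServer -Server 'esx01.example.com'          # assumed host; prompts for credentials
$h = Get-VMHost -Name 'esx01.example.com'

# vSwitch0: management and internal traffic, uplinked to the internal physical switch
# (pSwitchI) via vmnic0 and vmnic2. vSwitch0 already exists on a fresh ESXi install
# with vmnic0 attached, so only vmnic2 is added here.
$vs0  = Get-VirtualSwitch -VMHost $h -Name 'vSwitch0'
$nic2 = Get-VMHostNetworkAdapter -VMHost $h -Physical -Name 'vmnic2'
Add-VirtualSwitchPhysicalNetworkAdapter -VirtualSwitch $vs0 -VMHostPhysicalNic $nic2 -Confirm:$false
New-VirtualPortGroup -VirtualSwitch $vs0 -Name 'Internal' | Out-Null

# vSwitch1: outside-facing, uplinked only to the DMZ physical switch (pSwitchE) via vmnic1.
$vs1 = New-VirtualSwitch -VMHost $h -Name 'vSwitch1' -Nic 'vmnic1'
New-VirtualPortGroup -VirtualSwitch $vs1 -Name 'External' | Out-Null

# vSwitchD: the DMZ itself. No -Nic, so it has no physical uplink and is private to
# this host; the only way in or out is through the virtual firewall.
$vsD = New-VirtualSwitch -VMHost $h -Name 'vSwitchD'
New-VirtualPortGroup -VirtualSwitch $vsD -Name 'DMZ' | Out-Null

# Tighten the layer-2 policy on every switch involved. The ESXi defaults accept forged
# transmits and MAC changes, which a compromised DMZ guest could use to spoof another VM.
foreach ($vs in @($vs0, $vs1, $vsD)) {
    Get-SecurityPolicy -VirtualSwitch $vs |
        Set-SecurityPolicy -AllowPromiscuous $false -ForgedTransmits $false -MacChanges $false | Out-Null
}

# The virtual firewall (assumed VM name 'vfw01') gets one leg on each segment it bridges:
# External <-> DMZ <-> Internal. Every other DMZ guest gets only the 'DMZ' port group.
$fw = Get-VM -Name 'vfw01'
foreach ($pg in 'External', 'DMZ', 'Internal') {
    New-NetworkAdapter -VM $fw -NetworkName $pg -StartConnected -Confirm:$false | Out-Null
}

# Check: the DMZ switch must have no physical uplink, and the external switch must carry
# only vmnic1. If either check fails the DMZ is not actually isolated from the inside.
$dmzUplinks = @((Get-VirtualSwitch -VMHost $h -Name 'vSwitchD').Nic)
$extUplinks = @((Get-VirtualSwitch -VMHost $h -Name 'vSwitch1').Nic)
if ($dmzUplinks.Count -ne 0) { throw "vSwitchD has uplinks: $($dmzUplinks -join ',')" }
if (Compare-Object $extUplinks @('vmnic1')) { throw "vSwitch1 uplinks are $($extUplinks -join ','), expected vmnic1 only" }
Write-Host 'OK: vSwitchD has no uplink; vSwitch1 carries only vmnic1.'
```

If a second physical switch is not available, the fallback the answer mentions is VLANs: give the 'External' port group a `-VLanId` on New-VirtualPortGroup and trunk that VLAN to the router, keeping in mind the answer's caveat that this relies on the physical switch's own layer-2 protections rather than on physical separation.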
