vCloud

  • 1.  DMZ best practice and recommendations

    Posted Aug 31, 2010 12:53 AM

    Hi, I need your help with one issue.

    I need to configure a DMZ in my virtual environment and I have a doubt.

    First, I have a vSphere cluster with two servers; one of them has 2 NICs and the other has 4 NICs.

    The first has two virtual switches: one is for the VMs (LAN) and the other is for the Service Console and vMotion. The NICs are in teaming.

    The same with the second host but each switch has two NICs teamed.

    My question is, can I add a third virtual switch in each host and map it to the NIC that I am already using for the VMs (LAN), and separate the traffic in VLANs? Is that secure, or what do you recommend me to do?

    I already have a physical firewall configured for the DMZ.



  • 2.  RE: DMZ best practice and recommendations

    Posted Aug 31, 2010 09:57 AM

    Hi,

    As a best practice, DMZ and private networks are usually physically separated. It is safer to have dedicated network cards for public servers. You can have a look at this technical paper for more information.

    On your server with two NICs, do you have two vSwitches or only one with two port groups?

    Regards

    Franck



  • 3.  RE: DMZ best practice and recommendations

    Posted Aug 31, 2010 04:20 PM

    Hi Franck.

    I have one virtual switch in that server.

    So, do you recommend me to use one physical NIC for the DMZ and the other for the LAN (including the Service Console and vMotion) in the server with two NIC cards, and two NICs for the DMZ and the other two for the LAN (including Service Console and vMotion) in the server with four NIC cards?



  • 4.  RE: DMZ best practice and recommendations

    Posted Aug 31, 2010 05:35 PM

    It's better to have a redundant connection to the network. But it is also important to isolate your vMotion network if you want your migration not to take too much time. So your second server with four cards will be OK with a first pair for admin + LAN + vMotion and a second one for DMZ (for example).

    On the first one with two cards, it won't be easy. Either you trunk your ports and use VLANs or you buy additional cards. Otherwise, it won't be possible to respect best practices. But it's only recommendations.

    Your design will deeply depend on your budget and your constraints. You also have to take into account your physical network organisation, VM network bandwidth usage, scalability... If for example you have only a single physical switch, it is not useful to have too many redundant connections to that device as it is a single point of failure...

    The network design is not an easy exercise.

    Good luck.

    Franck



  • 5.  RE: DMZ best practice and recommendations

    Posted Sep 01, 2010 01:17 AM

    While you can use VLANs, there are times when the switch can fail and networks can "bleed" data together. I've had it happen before. The most secure way to do a DMZ is to have physical NICs separated for the DMZ, with cables running directly to your DMZ switch. With physical separation there is no second guessing whether your DMZ traffic is separated from your internal network.

    -- Kyle

    "RParker wrote: I guess I was wrong, everything CAN be virtualized"
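The advice in posts 4 and 5 (dedicated uplinks for the DMZ, VLAN trunking only as a budget compromise, vMotion kept off the VM uplinks, teamed NICs for redundancy) can be turned into a repeatable check. The script below is an added example, not code from this thread or from VMware: it audits a hand-written description of each host's vSwitches, uplinks and port groups, and reports where DMZ traffic shares physical NICs with internal traffic. The inventory, role names and severity levels are constructed assumptions; in practice you would fill the same structures from an export of the real host configuration.

```python
"""Audit a vSphere-style host network layout for DMZ isolation.

Added example with a constructed inventory (not taken from any real
environment). Roles and severities are assumptions that encode the thread's
advice: dedicated uplinks for the DMZ, VLAN separation as a compromise,
vMotion kept off VM traffic, and teamed NICs for redundancy.
"""
from dataclasses import dataclass
from typing import Dict, List

DMZ_ROLE = "dmz"
INTERNAL_ROLES = {"lan", "service_console", "vmotion"}


@dataclass
class PortGroup:
    name: str
    role: str      # one of "dmz", "lan", "service_console", "vmotion"
    vlan: int = 0  # 802.1Q VLAN ID on the port group; 0 means untagged


@dataclass
class VSwitch:
    name: str
    uplinks: List[str]          # physical NICs (vmnics) teamed behind the vSwitch
    portgroups: List[PortGroup]


@dataclass
class Host:
    name: str
    vswitches: List[VSwitch]


@dataclass
class Finding:
    host: str
    severity: str  # "critical", "warning" or "info"
    message: str


def audit_host(host: Host) -> List[Finding]:
    """Return isolation and redundancy findings for one host."""
    findings: List[Finding] = []
    seen_uplinks: Dict[str, str] = {}
    for vs in host.vswitches:
        # A vmnic is attached to one standard vSwitch at a time, so the same NIC
        # listed under two vSwitches is a layout error, not a third switch.
        for nic in vs.uplinks:
            if nic in seen_uplinks:
                findings.append(Finding(host.name, "critical",
                    f"{nic} listed on both {seen_uplinks[nic]} and {vs.name}"))
            seen_uplinks[nic] = vs.name
        # A single uplink means no NIC failover for everything on this vSwitch.
        if len(vs.uplinks) < 2:
            findings.append(Finding(host.name, "warning",
                f"{vs.name}: single uplink, no NIC failover"))
        dmz_pgs = [pg for pg in vs.portgroups if pg.role == DMZ_ROLE]
        internal_pgs = [pg for pg in vs.portgroups if pg.role in INTERNAL_ROLES]
        for d in dmz_pgs:
            for i in internal_pgs:
                if d.vlan == i.vlan:
                    # Same VLAN (or both untagged) on shared uplinks: no separation at all.
                    findings.append(Finding(host.name, "critical",
                        f"{vs.name}: DMZ '{d.name}' and '{i.name}' share uplinks on VLAN {d.vlan}"))
                else:
                    # Separated only by 802.1Q tags on the same physical NICs.
                    findings.append(Finding(host.name, "warning",
                        f"{vs.name}: DMZ '{d.name}' (VLAN {d.vlan}) shares uplinks with "
                        f"'{i.name}' (VLAN {i.vlan}); VLAN separation only"))
        roles = {pg.role for pg in vs.portgroups}
        if "vmotion" in roles and roles & {"lan", DMZ_ROLE}:
            findings.append(Finding(host.name, "info",
                f"{vs.name}: vMotion shares uplinks with VM traffic"))
    return findings


def worst_severity(findings: List[Finding]) -> str:
    """Highest severity present, or "none" for a clean host."""
    order = {"info": 0, "warning": 1, "critical": 2}
    return max((f.severity for f in findings), key=order.get, default="none")


# Constructed inventory: the two-NIC host with a DMZ port group added to its
# only vSwitch (VLAN 20), and the four-NIC host with dedicated DMZ uplinks.
ESX01 = Host("esx01", [
    VSwitch("vSwitch0", ["vmnic0", "vmnic1"], [
        PortGroup("LAN", "lan"),
        PortGroup("Service Console", "service_console"),
        PortGroup("vMotion", "vmotion"),
        PortGroup("DMZ", "dmz", vlan=20),
    ]),
])

ESX02 = Host("esx02", [
    VSwitch("vSwitch0", ["vmnic0", "vmnic1"], [
        PortGroup("LAN", "lan"),
        PortGroup("Service Console", "service_console"),
        PortGroup("vMotion", "vmotion"),
    ]),
    VSwitch("vSwitch1", ["vmnic2", "vmnic3"], [PortGroup("DMZ", "dmz")]),
])

if __name__ == "__main__":
    for host in (ESX01, ESX02):
        for f in audit_host(host):
            print(f"{f.host} [{f.severity}] {f.message}")
        print(f"{host.name}: worst = {worst_severity(audit_host(host))}")
```

Run as-is, the two-NIC host comes back with three "VLAN separation only" warnings (the compromise post 4 describes and post 5 warns about), while the four-NIC host only gets the informational note that vMotion shares its pair with the LAN. An untagged DMZ port group on the same vSwitch as the LAN, or a DMZ port group on a single-NIC vSwitch, is reported as critical.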