VMware vSphere

 View Only

  • 1.  vSphere Clusters and DMZ networks

    Posted Apr 05, 2014 01:33 PM


    I am having some internal debates about adding DMZ virtual servers to our internal VMware clusters. My thought is to segregate these virtual servers to a separate VMware host/cluster in the DMZ instead of extending the DMZ network to our internal VMware cluster.

    Any thoughts on this? Am I being over cautious about extending our DMZ to our internal VMware cluster?

    Ed



  • 2.  RE: vSphere Clusters and DMZ networks

    Posted Apr 05, 2014 02:06 PM

    A separate cluster might include the need for extra capacity to provide HA (N+1 or even more) capacity if necessary. It would also include extra hosts that need vSphere licenses and to be monitored, patched and managed. So, it could be a valid route or option if you factor in the requirements and consequences stated above.

    From a security perspective, there is something to be said about using the same physical NICs for both trusted (normal production / internal) and untrusted (DMZ / Internet) traffic even if both are logically separated by a VLAN. From the same perspective, a security officer might opt to put the DMZ virtual machines on a different set of hosts, but in doing so, he has the consequences stated above. However, you mitigate the risk that a VM could easily be placed into the DMZ by switching its network adapter to the DMZ VM network.

    I don't know what the background is, and if you have stuff like compliance in place. That might be a big influencer on the vSphere design for the DMZ.



  • 3.  RE: vSphere Clusters and DMZ networks

    Posted Apr 05, 2014 03:24 PM

    We mix the internal and DMZ VMs on the same hosts, but use different nics/portgroups.

    When the hosts mgmt network is in the DMZ, it makes it tough sometimes to migrate/p2v.



  • 4.  RE: vSphere Clusters and DMZ networks

    Posted Apr 05, 2014 06:37 PM

    if you want to separate cluster for servers in your DMZ network and do want to mix the DMZ network with internal network then you need extra HOST, ESx licenses.

    all these stuff will need extra budget to buy new hardware and licenses.



  • 5.  RE: vSphere Clusters and DMZ networks

    Posted Apr 05, 2014 07:59 PM

    But it might be validated when the organisation has to comply to security audits, for example. So it depends on the company who is going to implement this.



  • 6.  RE: vSphere Clusters and DMZ networks

    Posted Apr 07, 2014 03:46 AM

    Personally I would not do this unless it was a high risk environment and willing to pay the consequences for extra management / overhead.

    Previously when I have added DMZ VM's to a cluster I will have a setup like the following:

    All these are for DMZ use only;

    - Physical Switch

    - At least one physical NIC in each host for DMZ use only

    - Dedicated DMZ vSwitch / VM port group on each host

    - Configure a static access port for your DMZ VLAN on the physical switch port

    Here's a screenshot of how it was setup. Isolation is key in my opinion.



  • 7.  RE: vSphere Clusters and DMZ networks

    Posted Apr 07, 2014 04:15 AM

    hi ,

    I was going through few network isolation/security choices for vSphere 5 and found this article very helpful.

    http://bradhedlund.com/2010/02/10/vswitch-illusion-dmz-virtualization/   



  • 8.  RE: vSphere Clusters and DMZ networks

    Posted Apr 07, 2014 04:24 AM

    Interesting read kashifkara, thanks for the link! :smileyhappy:



  • 9.  RE: vSphere Clusters and DMZ networks

    Posted Apr 07, 2014 04:46 AM

    Very good read! However, it summarises what I've already said. A VLAN is a logical separation of traffic where as different set of hosts (with all the overhead) is a physical separation.