VMware Cloud Community
pypylyly
Contributor

How to build a firewall VM for ESXi 5

Hi everybody!

Long time no see. Now I have to return to the virtualization project with VMware ESXi, in which I'm just a newbie, and I need your help.

I'm struggling because I don't know how to create a security layer for all my production VMs without any additional cost.

As follows: I have one powerful server with 2 pNICs

+ one pNIC I use for the management network; this line is in a secure LAN zone at my office, so no worries about it

+ the remaining pNIC is connected directly to the Internet, and I use it for the many production VMs that I have configured:

- I created an Internet vSwitch with this pNIC and put 2 web server VMs on it; each VM has a public IP, e.g. 203.181.91.x and 203.181.91.xx

- I created a LAN vSwitch with no adapter and put 2 DB server VMs on it; each VM has a private IP, e.g. 192.168.1.x and 192.168.1.xx

- Of course, in the 2 web servers I created additional LAN vNICs to connect to the DB servers, and they are running well

But now, putting the web servers directly on the Internet is not ideal, so I think I need a security layer for this, and a firewall VM could be a choice.

This VM can be a Linux box, as I'm very familiar with iptables, Snort, etc., but I can't find a way to configure it so that this Linux box can handle all traffic for the 2 public IPs of the web servers.

My idea is to build a security box that sits in front of the 2 web servers.

So, if anybody has experienced this situation, please guide me through the setup.

Thanks so much!

13 Replies
DavoudTeimouri
Virtuoso

Hi,

ESXi has a built-in firewall, so don't worry about it. Most ports are closed by it.

But for your virtual machines, you should use a firewall on them the same as on physical machines.

I recommend trying vShield Zones for your virtual machines; it has no cost for you if you have vCenter with a valid license.

Davoud.

-------------------------------------------------------------------------------------
Davoud Teimouri - https://www.teimouri.net - Twitter: @davoud_teimouri Facebook: https://www.facebook.com/teimouri.net/
pypylyly
Contributor

Thanks DavoudTeimouri!

But it seems I wasn't clear in my ideas!

ESXi itself doesn't need any security layer now, because I put the management network in a secure LAN zone.

I need a firewall tool in front of the 2 web servers that sit directly on the Internet, to protect them. I googled and found that there are some firewall appliances, but I want to build it using the most common tools like iptables and Snort in a Linux VM. Moreover, I don't know how to configure this appliance to capture all the traffic in/out on the public line.

pypylyly
Contributor

After googling, I found a solution like this:

+ Create a Linux VM that has security tools like Snort and iptables

+ Add 2 vNIC interfaces to this VM: one connected to the Internet vSwitch for management with a public IP (eth0), one connected to a port group with VLAN ID 4095 (eth1)

In this scenario, I think Snort can monitor all traffic flowing through the vSwitch by monitoring the eth1 interface, but I don't know how iptables can handle this traffic?

pypylyly
Contributor

Is there any hero who can help me? I think there is a solution for this!

a_p_
Leadership

Why don't you just use a virtual firewall (e.g. pfSense) with appropriate interfaces and port forwarding configured?

With this you could have the Internet servers on an internal-only vSwitch and only pfSense's WAN port connected to the Internet. This certainly requires reconfiguring the networking on the currently directly connected VMs.

André

pypylyly
Contributor

Hi A.P!

Port forwarding sounds like what I need, but I don't know how to configure it so that all traffic flowing on the Internet line comes to the firewall VM first, and after the filtering process, legitimate traffic is pushed to the respective production VM.

pypylyly
Contributor

Please help me.....

a_p_
Leadership

Did you already check out the pfSense Wiki? This provides a lot of information, including setting up pfSense on ESXi (see PfSense 2 on VMware ESXi 5 - PFSenseDocs)

André

pypylyly
Contributor

Dear A.P

I have read this guide, but found nothing for my purpose.

Could you show me the necessary info?

a_p_
Leadership

In a sample scenario you could have three vSwitches: vSwitch0 for management of the host on your LAN, vSwitch1 connected to the Internet, and vSwitch2 (without uplinks) used for a DMZ. With these vSwitches, create a pfSense firewall with 3 virtual NICs, each one connected to a different vSwitch. Make sure the "LAN" port is connected to vSwitch0 (your internal network). The web servers will only be connected to the DMZ vSwitch, with private IP addresses. With this setup you can now configure firewall rules to be able to access the web servers from your internal network, and also create NAT rules to forward external traffic to the web servers. E.g. 213.x.x.10 port 80 (external) to web server 192.168.x.10, and 213.x.x.11 port 80 (external) to web server 192.168.x.11, ...

André

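The three-vSwitch topology André describes, carried through as an added example that is not from this thread or from the pfSense project: the same three-vNIC firewall VM, but built with iptables (the tool the original poster says he is familiar with) instead of pfSense. The script generates an `iptables-restore` ruleset for a Linux firewall VM whose eth0 sits on the Internet vSwitch, eth1 on the uplink-less DMZ vSwitch and eth2 on the management vSwitch, with one DNAT (port forward) rule per published web server, matching SNAT so each web server answers from its own public address, and a default-deny FORWARD chain. The interface names, the 203.181.91.10/11 public addresses, the 192.168.1.10/11 DMZ addresses and the 10.0.0.0/24 office LAN are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: generate an iptables-restore ruleset for a
# Linux firewall VM with three vNICs, one per vSwitch. Interface names and all
# addresses below are assumptions chosen for illustration.
WAN_IF=eth0          # vNIC on vSwitch1 (Internet uplink); both public IPs are bound here
DMZ_IF=eth1          # vNIC on vSwitch2 (DMZ, no physical uplinks)
LAN_IF=eth2          # vNIC on vSwitch0 (management / office LAN)
LAN_NET=10.0.0.0/24  # assumed office LAN range
DMZ_NET=192.168.1.0/24

# Constructed sample: "public_ip dmz_ip tcp_port", one published web server per line.
PUBLISHED="203.181.91.10 192.168.1.10 80
203.181.91.11 192.168.1.11 80"

# Call "$1 public dmz port" once per non-empty line of PUBLISHED.
each_published() {
  printf '%s\n' "$PUBLISHED" | while read -r pub dmz port; do
    [ -n "$pub" ] || continue
    "$1" "$pub" "$dmz" "$port"
  done
}

nat_rules() {
  # Inbound: rewrite the public destination to the DMZ host (the "port forward").
  echo "-A PREROUTING -i $WAN_IF -d $1 -p tcp --dport $3 -j DNAT --to-destination $2:$3"
  # Outbound from that host: leave with its own public address, not the firewall's primary one.
  echo "-A POSTROUTING -o $WAN_IF -s $2 -j SNAT --to-source $1"
}

forward_rules() {
  # Only new connections to the published port may cross WAN -> DMZ; everything else hits the DROP policy.
  echo "-A FORWARD -i $WAN_IF -o $DMZ_IF -d $2 -p tcp --dport $3 -m conntrack --ctstate NEW -j ACCEPT"
}

build_rules() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
EOF
  each_published nat_rules
  cat <<EOF
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -s $LAN_NET -o $DMZ_IF -d $DMZ_NET -j ACCEPT
EOF
  each_published forward_rules
  echo COMMIT
}

# Sanity check before loading: every DNAT target needs a matching FORWARD accept,
# otherwise the port forward is silently dropped in the filter table.
# Prints "dmz:port" for each missing forward; prints nothing when the set is consistent.
missing_forward_rules() {
  rules=$(build_rules)
  printf '%s\n' "$rules" |
    sed -n 's/.*--to-destination \([0-9.]*\):\([0-9]*\).*/\1 \2/p' |
    while read -r dmz port; do
      printf '%s\n' "$rules" |
        grep -q -- "-A FORWARD .* -d $dmz -p tcp --dport $port .*-j ACCEPT" || echo "$dmz:$port"
    done
}

count_dnat() { build_rules | grep -c -- '-j DNAT'; }

# On the firewall VM, as root:
#   sysctl -w net.ipv4.ip_forward=1
#   build_rules | iptables-restore
```

For this to work, both public addresses must be bound to the firewall VM's eth0 (the second one as a secondary address), the web servers must use the firewall's DMZ-side address as their default gateway (otherwise replies bypass the firewall and the DNAT is never reversed), and on the ESXi side vSwitch2 must have no physical uplink so the only path out of the DMZ is through the firewall VM. The FORWARD policy of DROP means the web servers cannot initiate outbound connections (package updates, DNS) until you add explicit rules for that; the SNAT rules above already map each host back to its own public address when you do. Snort can then inspect traffic on eth0 or eth1 of this same VM without any VLAN 4095 / promiscuous-mode port group, because all DMZ traffic already passes through it.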
pypylyly
Contributor

Thanks AP very much!

I understood your idea; the topology you have recommended is more secure.

With your solution, all my app servers sit on the internal network and the DMZ. Only one firewall VM is directly connected to the Internet; this pfSense will handle all traffic to these app servers by port forwarding and NAT rules.

a_p_
Leadership

Yes, that's correct. If you have any further questions or issues with setting this up, feel free to post your questions here in the forums.

André

mrlesmithjr
Enthusiast

Have a look at the links below. The one with Untangle may be overkill for your use case but that can be removed.

http://everythingshouldbevirtual.com/super-router-pfsense-untangle

http://everythingshouldbevirtual.com/virtualized-internet-firewall-with-ha-and-drs

everythingshouldbevirtual.com @mrlesmithjr