VMware Cloud Community
habibalby
Hot Shot

Firewall Between ESX-vCenter vLAN & Production vLAN

Hello,

Scenario:

2 ESX hosts with 6 pNICs: 2 for the S.C. & VMotion vLANs, 2 for the DMZ vLAN & 2 for the Production vLAN.

There are 2 pSwitches in Cluster Stack-Mode, having 4 vLANs.

  1. vLAN1 Production

  2. vLAN2 DMZ

  3. vLAN3 Service Console

  4. vLAN4 VMotion

Connectivity is fine without any issue. All vLANs are working fine. Service Console and VMotion fall back to each other on pSwitch or pNIC failure.

Requirements:

Service Console is connected in vLAN3, which is the 172.16.20.0/24 network, under vSwitch0, which contains 2 pNICs & 3 PortGroups: Service Console PortGroup, VMotion PortGroup & vCenter PortGroup. I use the vCenter PortGroup to place the VirtualCenter VM, & I will place the VM firewall there.

Currently, the Virtual Center is under the vCenter PortGroup, with IP 172.16.20.55. Communication to ESX is all fine.

How am I connecting to VirtualCenter & the ESX hosts while I'm sitting in the Production vLAN? I have added a static route on my PC for 172.16.20.0 to go via 128.104.145.149 (this is the pSwitch IP address), and I'm connecting fine without any issue. Of course that doesn't protect the ESX farm nor the Virtual Center.

I want to secure the connection between the Production vLAN & the Service Console/VMotion vLANs & get rid of the static route on the admins' computers.

Workaround options:

  1. Physical MS ISA Server with 2 pNICs, one connected to the vCenter PortGroup & one connected to the Production vLAN, & open the required ports.

  2. Physical firewall with 2 pNICs, one connected to the vCenter PortGroup & one connected to the Production vLAN, & open the required ports.

  3. Virtual firewall (SmoothWall or ISA Server) with 2 vNICs, one connected to the vCenter PortGroup & one connected to the Production vLAN, & open the required ports.

Please have a look at the attached diagram & advise.

Best Regards,

Hussain Al Sayed

Best Regards, Hussain Al Sayed Consider awarding points for "correct" or "helpful".

Accepted Solutions
Texiwill
Leadership

Hello,

On your diagram I would change your colors. Orange traditionally implies a DMZ not green, but it is up to you. I use Smoothwall to get exactly the same behavior.

Network <-> pNIC1 <-> vSwitch1 <-> vFW (smoothwall) <-> DMZ Network
....................................................<-> Green Network

So your front firewall controls access to everything. You could use 'two' firewalls as well if you want and just have a set of Red<->Green Networks. On the first one, the Red Network is the outside, Green is the DMZ, in the second the red is the DMZ and the ESX hosts are the Green.

To grant access to your ESX hosts from a system outside the firewall you will need to allow and redirect port 443 to the proper location. Actually I would not do this, you should create a VM or physical box that is inside the firewall, use the Zerina OpenVPN Smoothwall addon and VPN into the internal location or create a pinhole that allows RDP access to that host/VM and then use the VIC from within the 'Green Network'. You have to put pin holes in your firewall to grant the access you require, hence a VPN works much better. You want to limit the number of pin holes you use.

What you describe doing is quite doable but without the pin holes and proper routing through the firewall not possible.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

Blue Gears and SearchVMware Pro Blogs: http://www.astroarch.com/wiki/index.php/Blog_Roll

Top Virtualization Security Links: http://www.astroarch.com/wiki/index.php/Top_Virtualization_Security_Links

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill

8 Replies
admin
Immortal

My suggestion is to download the VMworld 08 security lab (Lab 5). This gives step-by-step instructions on exactly what you are requesting.

CS

habibalby
Hot Shot

VMworld labs & sessions are not free for normal users like me. Either I have to attend VMworld or I have to purchase a subscription. After that, I will get a username and password to view and download sessions & labs.

Best Regards,

Hussain Al Sayed

Texiwill
Leadership

Hello,

I would go with option 3... I.e.

Production Portgroup/vSwitch <-> vFW vApp <-> vCenter Portgroup <-> vCenter VM, etc.

This gives the best protection. There are a number of vFW apps available, but I personally use Smoothwall with no issues. In Smoothwall lingo you would make your Production network the 'Red Network' and your vCenter/Service Console portgroup your 'Green Network'. If you do this using private vSwitches, refer to http://www.itworld.com/virtualization/54596/allowing-vmware-esx-private-virtual-networks-migrate to enable VMotion to work with them.


Best regards,

Edward L. Haletky

habibalby
Hot Shot

Hello Edward,

Hello,

I would go with option 3... I.e.

Production Portgroup/vSwitch <-> vFW vApp <-> vCenter Portgroup <-> vCenter VM, etc.

If you do this using private vSwitches refer to http://www.itworld.com/virtualization/54596/allowing-vmware-esx-private-virtual-networks-migrate to enable VMotion to work with them.

I'm not using private vSwitches to do this. Both vSwitches have outbound adapters. I will configure it and post the result.

Best Regards,

Hussain Al Sayed

habibalby
Hot Shot

Tried getting it to work :) Neither with SmoothWall nor with the other firewall.

Just to make things clearer:

  • ISA Firewall with two Interfaces

    • External 192.168.1.50/24

    • Internal 128.104.30.12/16 "where the VI Clients reside"

  • Clustered Nortel Switches with the above mentioned vLANs

    • IP: 128.104.145.149

    • In the pSwitch, 128.104.30.12 has been defined as the network default gateway.

    • All the clients have 128.104.30.12 as their gateway to access the internet.

  • ESX resides on vLAN 172.16.20.0 along with vCenter

    • ESX has 6 pNICs

      • 2 vSwitch0 "VMKernel & Service Console & vCenter" PortGroups

      • 2 vSwitch1 "Production"

      • 2 vSwitch2 "DMZ"

  • VirtualCenter is connected on the vCenter PortGroup, IP: 172.16.20.55/24, D.G.: 172.16.20.1

    • Without a firewall, reaching the vCenter from the 128.104.0.0 network by defining a static route:

      • Route add 172.16.20.0 mask 255.255.255.0 128.104.145.149 "pSwitch IP Address"

    • Reaching the vCenter is fine without issue.

Security Enhancement:

Configured SmoothWall with 2 vNICs:

  • Internal "Green" 172.16.20.100/24, no default gateway.

  • External "Red" 128.104.30.1/16, default gateway 128.104.30.12/16

  • Ping is allowed by default in the SmoothWall firewall; pinging both NICs is fine.

  • Removed the static route from the VI Client:

    • I cannot reach the 172.16.20.1 network nor 128.104.30.1

    • Added 128.104.145.149 as the default gateway on the VI Client; I can reach the 172.16.20.0 network :)

    • Removed the 128.104.145.149 default gateway and re-added the static route once again; I can reach the 172.16.20.0 network.

  • Tried the same with the MS ISA firewall, without any success.

Any Help?

Best Regards,

Hussain Al Sayed

habibalby
Hot Shot

Further troubleshooting I have done, in addition to the attached diagram, which makes things clearer:

  1. Created a DMZ network in the back-end ISA Server firewall, which is 128.104.0.0 ~ 128.104.255.255.

  2. Created a route relationship between the default Internal network behind the back-end ISA Server and the DMZ network (128.104.0.0 ~ 128.104.255.255).

  3. For testing purposes, I have created a computer set for the ESX servers & DMZ clients & created an access rule allowing all outbound protocols from the default Internal network behind the back-end ISA Server firewall to the DMZ network, and added both elements in this rule as source & destination.

  4. On the DMZ clients, I removed the 172.16.20.0 mask 255.255.255.0 128.104.145.149 static route & added 172.16.20.0 mask 255.255.255.0 128.104.30.30 (external interface of the back-end ISA Server).

  5. Configured the front-end ISA Server with the address of the default Internal network behind the back-end ISA Server (172.16.20.0 ~ 172.16.20.255).

  6. Configured a static route entry in the front-end ISA Server: 172.16.20.0 mask 255.255.255.0 128.104.30.30

DMZ client configured with:

IP Address: 128.104.100.30

S.M.: 16 bit

D.G.: 128.104.30.12 "Front-end ISA Server Internal Nic"

As soon as I remove the static route 172.16.20.0 mask 255.255.255.0 128.104.145.49 from the DMZ clients, I lose connectivity to the 172.16.20.0 network.

Any Help?

Best Regards,

Hussain Al Sayed

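To illustrate the routing point behind the troubleshooting above and the accepted answer (a static route via the pSwitch bypasses the firewall entirely; once it is removed, the default gateway also needs a route towards the back-end firewall and that firewall needs a pinhole), here is a small hop-by-hop route tracer. This is example code added here, not from the thread or the poster's configuration; the addresses come from the posts, while the device labels `admin_pc`, `pswitch`, `front_isa`, `back_fw` and the single port-443 rule are assumptions.

```python
import ipaddress

# Constructed model of the hops in this thread (added example, not the poster's
# own config). A device owns addresses, has routes (prefix, next_hop) where
# "direct" means the destination is attached, and a firewall additionally has
# an allow-list of (src_prefix, dst_prefix, tcp_port).
def lookup(routes, dst):
    """Longest-prefix match: next hop for dst, or None when no route matches."""
    a, best = ipaddress.ip_address(dst), None
    for prefix, nh in routes:
        n = ipaddress.ip_network(prefix)
        if a in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, nh)
    return best and best[1]

def permitted(rules, src, dst, port):
    """A plain router (no rules) forwards everything; a firewall needs a match."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return rules is None or any(s in ipaddress.ip_network(sp) and d in ipaddress.ip_network(dp)
                                and port == p for sp, dp, p in rules)

def trace(devices, start, src, dst, port):
    """Follow next hops from `start`; returns (device path, outcome)."""
    owner = {a: n for n, dev in devices.items() for a in dev["addrs"]}
    path = [start]
    for _ in range(8):                         # hop limit guards against loops
        dev = devices[path[-1]]
        if not permitted(dev.get("rules"), src, dst, port):
            return path, "dropped by " + path[-1]
        nh = lookup(dev["routes"], dst)
        if nh is None or (nh != "direct" and nh not in owner):
            return path, "no usable route on " + path[-1]
        if nh == "direct":
            return path, "delivered"
        path.append(owner[nh])
    return path, "hop limit exceeded"

def topology(pc_static_route, isa_route_to_green):
    """The thread's devices; the flags toggle the two routes under discussion."""
    pc = [("0.0.0.0/0", "128.104.30.12")]     # front-end ISA is the default gateway
    if pc_static_route:                        # route add 172.16.20.0 mask 255.255.255.0 128.104.145.149
        pc.append(("172.16.20.0/24", "128.104.145.149"))
    isa = [("128.104.0.0/16", "direct")]
    if isa_route_to_green:                     # route on the front-end ISA towards the back-end firewall
        isa.append(("172.16.20.0/24", "128.104.30.30"))
    return {
        "admin_pc": {"addrs": {"128.104.100.30"}, "routes": pc},
        "pswitch": {"addrs": {"128.104.145.149"}, "routes": [("172.16.20.0/24", "direct")]},
        "front_isa": {"addrs": {"128.104.30.12"}, "routes": isa},
        "back_fw": {"addrs": {"128.104.30.30"}, "routes": [("172.16.20.0/24", "direct")],
                    "rules": [("128.104.0.0/16", "172.16.20.0/24", 443)]},  # one pinhole: HTTPS only
    }
```

With the static route present the path is admin_pc -> pswitch and never touches a firewall; without it, and without the front-end route, the packet dies on front_isa, which is the symptom reported above.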
habibalby
Hot Shot

Thank you very much Edward, the problem has been solved. All the communication from VI Clients -> ESX & vCenter is going through restricted ports.

Best Regards,

Hussain Al Sayed
