dwchan
Enthusiast

Firewall solution between VM guest within the same vSwitch

We need to set up a pilot/virtual environment for testing our Windows 2003 to Windows 2008 migration. We will be creating a dedicated vSwitch for this. The NIC that is connected to this vSwitch will be going to the Cisco PIX in the physical world so that only certain traffic (i.e. RDP) can pass between our production network and our pilot network. However, within this pilot network, we would like to further separate the environment. What is the best and easiest way to isolate 2 different vlabs or networks within the same vSwitch environment?

12 Replies
dmaster
VMware Employee

Did you consider using a virtual router such as m0n0wall?

(using 2 virtual switches which are connected to two different physical NICs)

Texiwill
Leadership

Hello,

You will need more than one vSwitch.... i.e.

PIX <-> pNIC <-> vSwitchA <-> vFW <-> vSwitchB & vSwitchC

You may be able to use multiple portgroups as well....

PIX <-> pNIC <-> vSwitchA Portgroup A <-> vFW <-> PortgroupB & PortgroupC

However the portgroups will fail if any ethernet adapter within a VM is allowed to be promiscuous. I prefer the first one as everything is 100% separate. The portgroup option has a number of issues but should also work.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMware ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

CIO Virtualization Blog: http://www.cio.com/blog/index/topic/168354

As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
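The portgroup option above rests on two conditions: each isolated lab sits on its own VLAN on the shared vSwitch, and no VM in those portgroups is allowed to go promiscuous. The following is an added example, not code from this thread or from VMware: a small audit over a constructed portgroup inventory (the dataclass layout is an assumption, not ESX's own export format) that flags a VLAN collision between portgroups that are supposed to be isolated, an untagged portgroup, a portgroup on VLAN 4095 (which passes every VLAN to the guest), and any portgroup that accepts promiscuous mode.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed inventory format (assumption): one record per vSwitch portgroup.
@dataclass(frozen=True)
class PortGroup:
    name: str
    vswitch: str
    vlan_id: int                # 0 = untagged, 4095 = every VLAN passed to the guest (VGT)
    allow_promiscuous: bool = False

@dataclass(frozen=True)
class Finding:
    severity: str
    portgroup: str
    message: str

VGT_ALL_VLANS = 4095

def audit_isolation(portgroups: List[PortGroup], isolated: List[str]) -> List[Finding]:
    """Check that the named portgroups are separated from each other on their vSwitch.

    `isolated` lists the portgroups that must not share a broadcast domain
    (here: the two lab networks). Anything not listed is still checked for
    promiscuous mode and VLAN 4095, since either undermines the separation.
    """
    by_name: Dict[str, PortGroup] = {pg.name: pg for pg in portgroups}
    missing = [n for n in isolated if n not in by_name]
    if missing:
        raise KeyError(f"portgroups not in inventory: {missing}")

    findings: List[Finding] = []

    # Host-wide checks: promiscuous mode or a VGT portgroup anywhere on the
    # vSwitch lets a guest see frames it should not.
    for pg in portgroups:
        if pg.allow_promiscuous:
            findings.append(Finding("high", pg.name,
                "promiscuous mode accepted; portgroup separation cannot be relied on"))
        if pg.vlan_id == VGT_ALL_VLANS:
            findings.append(Finding("high", pg.name,
                "VLAN 4095 passes every VLAN on the vSwitch to the guest"))

    # Pairwise check: isolated portgroups on the same vSwitch need distinct VLAN IDs.
    seen: Dict[Tuple[str, int], str] = {}
    for name in isolated:
        pg = by_name[name]
        if pg.vlan_id == 0:
            findings.append(Finding("medium", pg.name,
                f"untagged on {pg.vswitch}; shares the native segment with every other untagged portgroup"))
        key = (pg.vswitch, pg.vlan_id)
        if key in seen:
            findings.append(Finding("high", pg.name,
                f"VLAN {pg.vlan_id} on {pg.vswitch} is already used by isolated portgroup {seen[key]!r}"))
        else:
            seen[key] = pg.name
    return findings

def constructed_inventory() -> List[PortGroup]:
    """Constructed sample: two lab portgroups done right, plus one misconfigured scratch portgroup."""
    return [
        PortGroup("Lab-2003", "vSwitch1", 101),
        PortGroup("Lab-2008", "vSwitch1", 102),
        PortGroup("Lab-Scratch", "vSwitch1", 101, allow_promiscuous=True),  # reuses VLAN 101, promiscuous
    ]

if __name__ == "__main__":
    names = ["Lab-2003", "Lab-2008", "Lab-Scratch"]
    for f in audit_isolation(constructed_inventory(), names):
        print(f"[{f.severity}] {f.portgroup}: {f.message}")
```

Running it against the constructed inventory reports two findings, both on Lab-Scratch: it accepts promiscuous mode, and it reuses VLAN 101, so it shares a broadcast domain with Lab-2003. The first two portgroups on their own come back clean.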
dwchan
Enthusiast

If I want to isolate one set of VM guests from another set of VM guests within the same ESX host, can this be done using only a single pNIC and running a virtual firewall between 2 or more virtual switches? If so, what is the best (in terms of ease of configuration) virtual firewall out there I can use?

0 Kudos
Texiwill
Leadership

Hello,

If you are using the following setup:

PIX <-> vSwitch <-> vFW <-vSwitchB&C->VMs

then you can use any number of existing appliances: m0n0wall, Smoothwall, any Linux host, any Windows system with ICS, etc. I personally use Smoothwall and set up Purple (wireless, but could be used for another green interface), Green (your internal network), and Orange (your DMZ). I also use multiple vSwitches, etc.

Smoothwall 3 Polar has a very nice appliance, but you are really better off installing from ISO as the appliance is for Workstation with IDE drives, etc.


Best regards,

Edward L. Haletky

dwchan
Enthusiast

If you want a firewall in a VM that has multiple NICs (more than 2), and is most mature in terms of management and feature set, would you recommend Smoothwall or m0n0wall? (Both seem to be very popular in the VMware community.)

dwc

hicksj
Virtuoso

Why not just use VLANs to partition your vSwitch and continue to let your PIX perform the firewall operations?

Texiwill
Leadership

Hello,

What hicksj states is also possible. It depends on whether you 'trust' VLANs or not. Remember VLANs do not guarantee security. They do isolate traffic, but VLAN jumping techniques do exist in the physical world that would not work in the virtual world. That aside, having multiple firewalls is not a huge issue and is often recommended, but that depends on the classification of the networks, etc.

The main thing is to be diligent about how your physical and virtual networks are laid out, where are the crossings? Only at firewalls? Is this a temporary or physical measure? etc.


Best regards,

Edward L. Haletky

hicksj
Virtuoso

Depends on if you 'trust' VLANs or not. Remember VLANs do not guarantee security. They do isolate traffic

In this situation, it sounds like the OP is attempting to isolate his "lab" network, and within that lab network further separate the traffic. If that's true, then VLANs should be more than sufficient and we can leverage the technology that's already in place, rather than introduce a new firewall product...

One could argue about levels of trust in the firewall, one where you've had experience vs. something new that you probably don't want to invest a ton of time learning. In that case, I would trust VLANs over some ad hoc firewall. :)

Regards,

J

Texiwill
Leadership

Hello,

That debate always exists.... However, it could be that the OP has no control over the PIX so has to implement something within the virtual environment.... I know quite a few organizations where the security team will not change firewall rules unless they have permission from the CTO, etc.


Best regards,

Edward L. Haletky

dwchan
Enthusiast

hicksj, you got it. I want 2 lab environments inside my VM. Both are already firewalled off at the other end of my physical NIC. But we want further isolation between the 2 lab environments (one is Windows 2003 and the other one is Windows 2008). The only thing that will be allowed from production into the 2 lab environments is RDP (remote desktop), but we want to control further what is allowed between lab 2 and lab 1 (i.e. LDAP, SMB, NetBIOS, etc.). I am not sure if VLANs can be set up based on protocol, other than that I can control server traffic flow.

dwc

hicksj
Virtuoso

@texiwill - good point. If there is no control or influence at the firewall, then another solution is needed. (Although, if your security policy is to provide such separation, and you're not the firewall admin, those who are should be accommodating your needs - not making you go off and create your own firewall. They may balk at that too!)

@dwchan - VLANs are not protocol based, but the PIX can differentiate between VLANs. So you'll have two subnets, both of which use the PIX as their default gateway. The PIX allows your extended set of protocols to flow between those two lab subnets, while restricting the production network to RDP only.

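The policy dwchan describes (RDP only from production into either lab; LDAP, SMB and NetBIOS only between the two labs; nothing else) is a layer-3/4 policy that a VLAN cannot express on its own; it has to live on whatever sits between the segments, whether that is the PIX as hicksj suggests or the Linux vFW between vSwitches from earlier in the thread. The following is an added example, not code from this thread, from VMware or from any of the firewall products named: it models that policy as zone-to-zone rules over constructed addressing (10.10.0.0/16 for production, 192.168.103.0/24 and 192.168.108.0/24 for the two labs, eth0/eth1/eth2 as the vFW's three legs; all assumptions), evaluates sample flows against it with default deny, and renders the same policy as iptables FORWARD-chain commands for a three-legged Linux vFW, with a rate-limited log line before the final drop so rejected lab-to-lab traffic is visible.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed addressing and interface names for a three-legged Linux vFW (assumptions).
ZONES = {
    "prod": ip_network("10.10.0.0/16"),
    "lab1": ip_network("192.168.103.0/24"),   # Windows 2003 lab
    "lab2": ip_network("192.168.108.0/24"),   # Windows 2008 lab
}
IFACES = {"prod": "eth0", "lab1": "eth1", "lab2": "eth2"}

@dataclass(frozen=True)
class Rule:
    src: str        # zone name
    dst: str        # zone name
    proto: str      # "tcp" or "udp"
    dport: int
    comment: str

def both_ways(a: str, b: str, proto: str, dport: int, comment: str) -> List[Rule]:
    """Two rules so a lab-to-lab service is reachable from either side."""
    return [Rule(a, b, proto, dport, comment), Rule(b, a, proto, dport, comment)]

# Default deny: anything not listed here is dropped, including every lab -> prod flow.
POLICY: List[Rule] = [
    Rule("prod", "lab1", "tcp", 3389, "RDP into the 2003 lab"),
    Rule("prod", "lab2", "tcp", 3389, "RDP into the 2008 lab"),
    *both_ways("lab1", "lab2", "tcp", 389, "LDAP"),
    *both_ways("lab1", "lab2", "tcp", 445, "SMB"),
    *both_ways("lab1", "lab2", "udp", 137, "NetBIOS name service"),
    *both_ways("lab1", "lab2", "tcp", 139, "NetBIOS session"),
]

def zone_of(ip: str) -> Optional[str]:
    addr = ip_address(ip)
    for zone, net in ZONES.items():
        if addr in net:
            return zone
    return None

def is_allowed(src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    """Evaluate a new flow against POLICY: explicit allow or default deny."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None or src == dst:
        # Unknown addresses are dropped; intra-zone traffic never reaches the vFW,
        # the vSwitch delivers it directly, so the vFW has nothing to forward.
        return False
    return any(r.src == src and r.dst == dst and r.proto == proto and r.dport == dport
               for r in POLICY)

def to_iptables(policy: List[Rule]) -> List[str]:
    """Render the policy as iptables commands for the FORWARD chain of the vFW."""
    lines = [
        "iptables -P FORWARD DROP",
        # Return traffic for flows the policy already admitted.
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for r in policy:
        lines.append(
            f"iptables -A FORWARD -i {IFACES[r.src]} -o {IFACES[r.dst]} "
            f"-s {ZONES[r.src]} -d {ZONES[r.dst]} -p {r.proto} --dport {r.dport} "
            f"-m conntrack --ctstate NEW -m comment --comment '{r.comment}' -j ACCEPT")
    # Log what falls through (rate limited) so denied lab-to-lab attempts are visible, then drop.
    lines.append("iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix 'vfw-drop: '")
    lines.append("iptables -A FORWARD -j DROP")
    return lines

if __name__ == "__main__":
    samples = [
        ("10.10.5.20", "192.168.103.10", "tcp", 3389),   # prod -> lab1 RDP: allowed
        ("10.10.5.20", "192.168.103.10", "tcp", 445),    # prod -> lab1 SMB: denied
        ("192.168.103.10", "192.168.108.10", "tcp", 445),  # lab1 -> lab2 SMB: allowed
        ("192.168.103.10", "10.10.5.20", "tcp", 3389),   # lab1 -> prod RDP: denied
    ]
    for s in samples:
        print(f"{s[0]} -> {s[1]} {s[2]}/{s[3]}: {'ALLOW' if is_allowed(*s) else 'DROP'}")
    print("\n".join(to_iptables(POLICY)))
```

The same zone table could be rendered for the PIX instead of iptables; the point is that the protocol split between the labs is a firewall rule, and the VLAN (or separate vSwitch) only decides which traffic is forced through that firewall in the first place.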
Texiwill
Leadership

Hello,

@hicksj - This is why I always push for the security team and virtualization team to work together; often it is just antagonistic.... Then we get the Unknown-Unknowns that I discuss in one of my CIO Blogs.

You could use the PIX to do this. VLANs tag the traffic; they do not differentiate the traffic by protocol. But look at a VLAN as there being multiple strands to your copper, and you can take a strand and set it up so that you need a gateway/router/firewall to cross the strands. In this case the PIX. If you would rather not use VLANs then a purely virtual solution is always available. I personally like the purely virtual configs for testing as I can have, for example, 2 vSwitches disconnected from any pNIC and have a vFW between them. This will let me test my firewall rules before implementing them as well as provide a 100% private playground. Even with a pNIC connected to the first vSwitch, the virtual firewalls can allow me to play safely without modifying the hardware, which may not be allowed, etc.


Best regards,

Edward L. Haletky
