VMware Cloud Community
Netmon1
Contributor

Primary NIC on LAN, secondary NIC on DMZ safe/possible?

With VMware Server is it possible to specify a guest to use a specific NIC (the secondary one) and assign it an IP address for the DMZ? If it is can someone let me know how, also does this create any kind of security issue?

12 Replies
jakganesh
Hot Shot

Yes, it is possible; you need to bind the VM-Net to a particular physical interface in the VMNet settings.




Jak
Netmon1
Contributor

Will this be any kind of security issue in terms of DMZ traffic being able to get to the LAN, or will that be impossible?

PhilLein
Enthusiast

I'm assuming both NICs will be on the same guest as well?

If you don't have any routing protocol setup then no, it shouldn't be an issue.

HOWEVER... if a hacker gets his fingers in the machine, then all bets are off.

If different guests are using the NICs then you should be fine. The only thing that knows that 2 NICs exist is the host. Just make sure the host is well hardened.

jakganesh
Hot Shot

There will be no security issue if you configure your firewall rules properly.




Jak
Netmon1
Contributor

Currently NIC #1 is assigned to the host; we use that as a Windows 2008 Terminal Server.

I want to assign NIC #2 to the VMware guest and stick it in the DMZ. I know if the host is compromised they would have access to all the VMware images. However, assuming they don't, then things should be safe.

I will Google later, but if anyone wants to let me know how to bind this VMware guest to the 2nd NIC that would be much appreciated.

oreeh
Immortal

FYI: this thread has been moved to the Security and Compliance forum.

Oliver Reeh

VMware Communities User Moderator: http://communities.vmware.com/docs/DOC-2444

hicksj
Virtuoso

There is a "Manage Virtual Networks" application (check your start menu on windows).

Within that, go to the Host Virtual Mapping tab, select vmnet2 and assign it the alternate pNIC that's attached to your DMZ.

On the guest, configure its vNIC to be associated with vmnet2.

BTW, I have a similar setup in our Lab, with a guest linked into our DMZ and it works great.

Texiwill
Leadership

Hello,

It is not safe to use VMware Server within a DMZ, mainly because it is impossible within VMware Server to separate the DMZ traffic from any other traffic. While you do have separate pNICs, the Host can see all traffic for any VM via its pNIC. That also implies that anyone within the DMZ can possibly access the Host. To do as you want it is best to use VMware ESX with its Layer 2 switches instead of VMware Server with its bridging features. Consider the traffic flow on VMware Server:

Internal Network <-> pNIC1 <-> Host <-> Bridge <-> vmnetX <-> VMs
DMZ Network <-> pNIC2 <-> Host <-> Bridge <-> vmnetY <-> DMZ VMs

Note that the bridge can support NAT as well. But as you can see the Host is still involved and the Host firewall will affect both pNICs independent of the VMs. In this case the Host should NOT be involved.

Its involvement is the additional risk when running VMware Server within the DMZ. If you must do this then harden the host fully and set up firewall rules to route traffic appropriately, etc., independent of the VMs. Just assume the host will be attacked, as it will if people find out it's a virtualization server and VMware Server specifically. Effectively your host is also within the DMZ with VMware Server.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

CIO Virtualization Blog: http://www.cio.com/blog/index/topic/168354

As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
hicksj
Virtuoso

"the Host can see all traffic for any VM via its pNIC."

Yes and no. The DMZ pNIC can be stripped of all protocols so there is no communication available to the host. You should never configure a host IP, etc. on that NIC, agreed. But I don't see any more issue with a Windows-based host vs. an ESX-based host in this configuration, other than most people inherently distrust Windows servers more.

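The check hicksj describes (no host protocols bound on the DMZ pNIC, only the bridge) can be audited from the host. This is an added example, not code from the thread; it assumes a Windows host new enough to have the NetAdapter module (Windows 8 / Server 2012 or later, so not the Windows 2008 host in the thread) and that the DMZ adapter has been renamed "DMZ" in Network Connections. The VMware Bridge Protocol is matched by display name because its component ID is an assumption.

```powershell
# Added example (not from the thread): audit the protocol bindings on the DMZ-facing
# pNIC of a Windows VMware Server host. Assumes the NetAdapter module is present
# (Windows 8 / Server 2012 and later) and that the adapter is named "DMZ".
param([string]$DmzAdapter = "DMZ")

# Host protocols that must NOT be bound on the DMZ pNIC: any of them would give the
# host an address or a listening service on the DMZ segment (Texiwill's concern).
$forbidden = @("ms_tcpip", "ms_tcpip6", "ms_msclient", "ms_server", "ms_lltdio", "ms_rspndr")

$bindings = Get-NetAdapterBinding -Name $DmzAdapter
$enabled  = $bindings | Where-Object { $_.Enabled }

# Print the full binding table so the reviewer sees exactly what is bound.
foreach ($b in $bindings) {
    $state = if ($b.Enabled) { "ENABLED " } else { "disabled" }
    "{0}  {1,-12} {2}" -f $state, $b.ComponentID, $b.DisplayName
}

$bad = $enabled | Where-Object { $forbidden -contains $_.ComponentID }
if ($bad) {
    Write-Warning ("Host protocols still bound on {0}: {1}" -f $DmzAdapter, ($bad.ComponentID -join ", "))
    # Remediation, run as Administrator once you have confirmed this really is the DMZ NIC:
    #   Disable-NetAdapterBinding -Name $DmzAdapter -ComponentID ms_tcpip,ms_tcpip6,ms_msclient,ms_server
    exit 1
}

# The guest's vmnet bridges through this binding; display-name match is an assumption.
$bridge = $enabled | Where-Object { $_.DisplayName -like "*VMware Bridge*" }
if (-not $bridge) {
    Write-Warning "No VMware Bridge Protocol binding found on $DmzAdapter; the guest cannot bridge to it."
    exit 1
}

"OK: $DmzAdapter carries only the bridge binding and no host protocols."
exit 0
```

Re-run it after every host patch cycle, since (as the following reply notes) updates can re-enable bindings that were deliberately removed.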
Texiwill
Leadership

Hello,

ESX uses a Layer-2 switch and its pNICs can be 100 percent separate from each other. I.e., if I place a Service Console port on one vSwitch and the DMZ on another vSwitch, and these use pNICs plugged into different pSwitches, then there is no communication possible between the DMZ and the host.

VMware Server, on the other hand, does not have this capability, as everything depends on the security of the host. It may be possible to lock down the VMware Server host sufficiently, but any new patches, etc. to fix exploits, etc. would require locking down the host once again. This solution is just not inherently secure or isolated and requires quite a bit more work to secure and monitor.

With ESX everything depends on how well you isolate the DMZ using vSwitches and pSwitches.


Best regards,

Edward L. Haletky

Netmon1
Contributor

So is there any security benefit to running this Linux guest in the DMZ on the second physical NIC, or should I just stick it in the LAN with the rest of the servers? I don't want to waste the DMZ or make more work for myself if there is no additional security by doing so.

Texiwill
Leadership

Hello,

ESXi was just announced as being really cheap (i.e., free), and that is a better solution than VMware Server. If ESXi is available, I would use this over Server and gain the segmentation you desire.

Some see the benefit of using VMware Server within a DMZ. I think it is a risk. How much of a risk depends on how comfortable you are with the hardening of the host of VMware Server.


Best regards,

Edward L. Haletky
