VMware Cloud Community
ITAV
Contributor

Using 1 SAN for both LAN and DMZ

So I have been trying to find answers or thoughts on the issue of using 1 SAN for both my internal VMs and my VMs that reside inside my DMZ. Currently we have 2 SANs, 1 in each network segment, but we are being reorganized and one of the SANs needs to move. The result is that my VMs that run on the inside LAN now have no home. I can split my DMZ and LAN up within my SAN, but is that a good idea? I am trying to convince them to just purchase a new SAN, because everyone has that kind of money lying around... right. I am also trying to find any reason to not mess with my production environment if I don't have to.

Thanks,

ITAV

3 Replies
azn2kew
Champion

For security and best practice, I always have my LUNs separated between the DMZ/PROD environments so they do not mix with each other, and secure it as much as possible. We have separate DMZ host clusters pointing to just the DMZ LUNs so that no one can accidentally remove/move the disks around. We also strip down permissions to the least-privilege user as much as possible, but mixing DMZ/PROD VMs on the same LUN should work just fine too. Those VMs are encapsulated and have a locking mechanism, so there is no cross-reading at all if you secure it. You do not need to invest in a different SAN just for the DMZ clusters, but have your SAN guides carve out a DMZ LUN and zone/mask it appropriately.

If you found this information useful, please consider awarding points for "Correct" or "Helpful". Thanks!!!

Regards,

Stefan Nguyen

VMware vExpert 2009

iGeek Systems Inc.

VMware, Citrix, Microsoft Consultant

Texiwill
Leadership

Hello,

Moved to the Security forum.

So I have been trying to find answers or thoughts on the issue of using 1 SAN for both my internal VMs and my VMs that reside inside my DMZ.

Very common.

Currently we have 2 SANs, 1 in each network segment, but we are being reorganized and one of the SANs needs to move.

By network segment I assume we are talking about how the SAN is accessed or are we talking about the network ownership of the data?

The result is that my VMs that run on the inside LAN now have no home. I can split my DMZ and LAN up within my SAN, but is that a good idea?

If the SAN is FC then where the data resides is mainly an issue of your own security policies. However, I normally place my DMZ and Prod VMs on different LUNs as they often have different IO footprints. If your DMZ is attacked it could raise the IO requirements for the DMZ, and I would NOT want that to impact my production.

If you are talking about an iSCSI SAN then you also have to worry about the iSCSI network. Specifically, you should treat it just like fibre, but you may want links just for the DMZ as well as for Prod.

Ideally your DMZ VMs would reside on one cluster of virtualization hosts and Prod VMs on another cluster of virtualization hosts, and you follow all the good guidelines for a DMZ.

I am trying to convince them to just purchase a new SAN, because everyone has that kind of money lying around... right. I am also trying to find any reason to not mess with my production environment if I don't have to.

You should not need to mess with your prod environment. By adding a DMZ you are adding networking and maybe more LUNs. However, how much data can commingle will ultimately depend on your security policies and how you address each risk.


Best regards,

Edward L. Haletky, VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available: 'VMware ESX Server in the Enterprise'
SearchVMware Pro (http://www.astroarch.com/wiki/index.php/Blog_Roll) | Blue Gears | Top Virtualization Security Links | Virtualization Security Round Table Podcast

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
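Both replies come down to the same control: carve out separate LUNs for the DMZ, zone/mask them so only the DMZ host cluster can see them, and keep Prod VMs on LUNs only the Prod cluster can see. Zoning and masking are configured on the fabric and the array, so the thing to verify on the vSphere side is that the result matches the intent. The script below is an added example, not code from either poster or from VMware. It assumes you have exported a simple inventory from vCenter (cluster membership, LUNs visible per host, datastore-to-LUN mapping, VM placement) into plain dictionaries; all of the entries here are constructed, including one deliberate masking mistake and one misplaced VM, and the NAA identifiers are made up.

```python
"""Audit that DMZ and PROD vSphere clusters do not share SAN storage.

Added example for this thread, not code from either poster. It assumes an
inventory exported from vCenter (for instance with PowerCLI) into the four
plain dictionaries below; the entries are constructed for illustration.
"""
from collections import defaultdict

# Constructed inventory (not real data): which security zone each cluster is.
CLUSTER_ZONE = {"DMZ-Cluster": "DMZ", "Prod-Cluster": "PROD"}

HOST_CLUSTER = {
    "esx-dmz-01": "DMZ-Cluster",
    "esx-dmz-02": "DMZ-Cluster",
    "esx-prod-01": "Prod-Cluster",
    "esx-prod-02": "Prod-Cluster",
}

# LUNs each host can see after zoning/masking (NAA ids are made up).
HOST_LUNS = {
    "esx-dmz-01": {"naa.6000d310000000aa01", "naa.6000d310000000aa02"},
    "esx-dmz-02": {"naa.6000d310000000aa01", "naa.6000d310000000aa02"},
    "esx-prod-01": {"naa.6000d310000000bb01"},
    # Deliberate masking mistake: a DMZ LUN also presented to a PROD host.
    "esx-prod-02": {"naa.6000d310000000bb01", "naa.6000d310000000aa02"},
}

DATASTORE_LUN = {
    "DMZ-DS01": "naa.6000d310000000aa01",
    "DMZ-DS02": "naa.6000d310000000aa02",
    "PROD-DS01": "naa.6000d310000000bb01",
}

# VM name -> (cluster it runs in, datastore holding its disks).
VM_PLACEMENT = {
    "web-dmz-01": ("DMZ-Cluster", "DMZ-DS01"),
    "db-prod-01": ("Prod-Cluster", "PROD-DS01"),
    # Deliberately misplaced: a PROD VM on a datastore DMZ hosts can reach.
    "app-prod-02": ("Prod-Cluster", "DMZ-DS02"),
}


def lun_zones(host_cluster, host_luns, cluster_zone):
    """Map each LUN to the set of zones whose hosts can see it."""
    zones = defaultdict(set)
    for host, luns in host_luns.items():
        zone = cluster_zone[host_cluster[host]]
        for lun in luns:
            zones[lun].add(zone)
    return dict(zones)


def find_shared_luns(host_cluster, host_luns, cluster_zone):
    """LUNs presented to hosts in more than one zone: a zoning/masking error."""
    zones = lun_zones(host_cluster, host_luns, cluster_zone)
    return sorted(lun for lun, seen_by in zones.items() if len(seen_by) > 1)


def find_misplaced_vms(vm_placement, datastore_lun, host_cluster, host_luns,
                       cluster_zone):
    """VMs whose backing LUN is visible from any zone other than their own.

    A LUN visible to no host at all is also flagged, since the VM's
    datastore would then be unreachable by its own cluster.
    """
    zones = lun_zones(host_cluster, host_luns, cluster_zone)
    misplaced = []
    for vm, (cluster, datastore) in vm_placement.items():
        lun = datastore_lun[datastore]
        if zones.get(lun, set()) != {cluster_zone[cluster]}:
            misplaced.append(vm)
    return sorted(misplaced)


def audit(vm_placement, datastore_lun, host_cluster, host_luns, cluster_zone):
    """Run both checks and report whether the storage split matches the zones."""
    shared = find_shared_luns(host_cluster, host_luns, cluster_zone)
    misplaced = find_misplaced_vms(vm_placement, datastore_lun, host_cluster,
                                   host_luns, cluster_zone)
    return {"shared_luns": shared, "misplaced_vms": misplaced,
            "ok": not shared and not misplaced}


if __name__ == "__main__":
    report = audit(VM_PLACEMENT, DATASTORE_LUN, HOST_CLUSTER, HOST_LUNS,
                   CLUSTER_ZONE)
    for lun in report["shared_luns"]:
        print(f"LUN {lun} is presented to hosts in more than one zone")
    for vm in report["misplaced_vms"]:
        print(f"VM {vm} sits on a datastore reachable from another zone")
    print("storage split OK" if report["ok"] else "storage split NOT OK")
```

On the constructed inventory the audit flags the DMZ LUN that was masked to esx-prod-02 and the Prod VM that was placed on DMZ-DS02; once the extra masking entry is removed and that VM is moved to a Prod datastore, the same checks pass. Running this after every zoning or masking change (or on a schedule) catches the "someone accidentally moved the disks" case azn2kew describes before it becomes a cross-zone path.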
ITAV
Contributor

Sorry for the delay in marking this answered. Thanks so much for your help.
