Hi,
I'm an esxi newbie. What I'm trying to achieve on my esxi server is a simple firewall/gw between internet (vmnic1), LAN (vmnic0) and DMZ. I have only 2 physical nics in my server, therefore the DMZ should be a "Fully Collapsed DMZ". I'm planning to have 1 web (www, ftp) server in the DMZ, 2 servers in the LAN and smoothwall acting as firewall.
After reading some pdf's and some forum threads I came up with the attached "Networking" design.
Could you experts please check the design and advise me how secure it is and where the potential pitfalls are?
Hello,
Check out my new Topology Blogs that cover DMZ for information on this. With just 2 pNICs this is not recommended but possible.
Best regards,
Edward L. Haletky
VMware Communities User Moderator
====
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.
Blue Gears and SearchVMware Pro Blogs: http://www.astroarch.com/wiki/index.php/Blog_Roll
Top Virtualization Security Links: http://www.astroarch.com/wiki/index.php/Top_Virtualization_Security_Links
Hi,
I have to agree with Texwil.
If I were you I would see if I couldn't find a 100/1000 Mbit network card somewhere.
If you found this or any other answer useful please consider the use of the Helpful or correct buttons to award points.
Regards
A. Mikkelsen
Ok, it is not a problem for me to add a 3rd nic, I have some spare pci slots. But I am a little bit confused now.
1. So the 3rd nic should be present just for better security? My web server in the DMZ is a virtual machine, so I don't need any hw wires in the DMZ, therefore I will not use a wire on the 3rd nic?
2. I notice that you are suggesting just one virtual switch (vSwitch0)? Is this an advantage over multiple virtual switches like in my picture?
What Texwil means is, use
- pNIC0 for COS, storage (NFS / iSCSI) and VMotion
- pNIC1 for LAN
- pNIC2 for WLAN
Regards
A. Mikkelsen
But if I don't need COS, storage (NFS / iSCSI) and VMotion?
You need COS to manage your esxi server.
The following will work:
One Esx3i Server with two physical network interfaces (pNic)
pNic0 connected to the internet
pNic1 connected to your LAN
3 vSwitches configured, one for each pNIC and one internal vSwitch (DMZ)
Guest "Smoothwall" configured with 3 Nics, one for Internet, one for Lan and one for DMZ.
Guests in the DMZ must be created with vNic in the DMZ vSwitch.
Smoothwall handles the firewall and forwards the correct port-number etc. to the ip-address in the DMZ-zone.
Kind Regards
Torben Jungsberg
Thanks Torben, I was hoping for that kind of answer
That is exactly what I have in my design (attached image), but I was not sure about security issues...
Best regards
Bruma
Hello,
You need a pNIC just for management. The Management appliance. This one CAN NOT be connected to the internet. The solution presented to you is actually fairly insecure.... You have 3 distinct networks.
Management
VM
DMZ
If your DMZ does not extend outside the virtualization host then only 2 pNICs are needed.... and you are at the Topology Blog about a system with 2 pNICs. The DMZ would be a private vSwitch within the environment. So you may wish to do something like:
pNIC0 -- Internal for Management only, vSwitch0
pNIC1 -- External. vSwitch1
pNIC1 <-> vFW <-> DMZ vSwitch <-> DMZ VMs <-> Internal <-> Internal VMs
Never place your Internal Management network on the internet.
Best regards,
Edward L. Haletky
VMware Communities User Moderator
====
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.
Blue Gears and SearchVMware Pro Blogs: http://www.astroarch.com/wiki/index.php/Blog_Roll
Top Virtualization Security Links: http://www.astroarch.com/wiki/index.php/Top_Virtualization_Security_Links
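The two layouts proposed in this thread (Torben's, with management sharing the LAN vSwitch, and Edward's, with management on its own pNIC and the DMZ on a private vSwitch) differ in a handful of isolation rules that can be checked mechanically. The script below is an added example written for this thread; it is not VMware's, Smoothwall's or any poster's code. It models vSwitches, uplinks, port groups and guest vNICs and reports which of the thread's rules a layout breaks: management never rides on the internet uplink, the collapsed DMZ has no physical uplink, guests never share a vSwitch with management, and only the firewall guest straddles zones or touches the internet-facing vSwitch. The names vSwitch0, vSwitchDMZ, vmnic0, "Management", "smoothwall" and so on are assumed labels that only need to be consistent within the model; the pNIC numbering follows the original post (internet on vmnic1, LAN on vmnic0).

```python
"""Check a two-pNIC ESXi firewall/DMZ layout against the isolation rules in this thread.

Added example for this thread, not VMware's, Smoothwall's or any poster's code.
All switch, NIC, port group and guest names are assumed labels.
"""
from dataclasses import dataclass, field


@dataclass
class VSwitch:
    name: str
    uplinks: list = field(default_factory=list)    # pNICs wired to this vSwitch; [] = private
    portgroups: list = field(default_factory=list)


@dataclass
class VM:
    name: str
    portgroups: list                                 # one entry per vNIC
    is_firewall: bool = False                        # the only guest allowed to straddle zones


@dataclass
class Topology:
    vswitches: list
    vms: list
    internet_nic: str       # the pNIC plugged into the internet
    mgmt_portgroup: str     # where the host's management interface (COS/VMkernel) lives
    dmz_portgroup: str

    def switch_of(self, portgroup):
        for sw in self.vswitches:
            if portgroup in sw.portgroups:
                return sw
        raise KeyError("port group %r is not on any vSwitch" % portgroup)


def check(topo):
    """Return a list of rule violations; an empty list means the layout passes."""
    problems = []
    mgmt_sw = topo.switch_of(topo.mgmt_portgroup)
    dmz_sw = topo.switch_of(topo.dmz_portgroup)

    # Rule 1: the management network is never reachable through the internet uplink.
    if topo.internet_nic in mgmt_sw.uplinks:
        problems.append("management on internet-facing %s" % mgmt_sw.name)

    # Rule 2: a fully collapsed DMZ has no physical uplink; its only exit is the firewall VM.
    if dmz_sw.uplinks:
        problems.append("DMZ vSwitch %s has uplinks %s" % (dmz_sw.name, dmz_sw.uplinks))

    for vm in topo.vms:
        switches = {topo.switch_of(pg).name for pg in vm.portgroups}
        # Rule 3: guests never sit on the management vSwitch (management is its own network).
        if mgmt_sw.name in switches:
            problems.append("%s shares vSwitch %s with management" % (vm.name, mgmt_sw.name))
        if vm.is_firewall:
            continue
        # Rule 4: only the firewall bridges the DMZ to anything else.
        if topo.dmz_portgroup in vm.portgroups and len(switches) > 1:
            problems.append("%s is dual-homed across the DMZ boundary" % vm.name)
        # Rule 5: only the firewall has a vNIC on the internet-facing vSwitch.
        if any(topo.internet_nic in topo.switch_of(pg).uplinks for pg in vm.portgroups):
            problems.append("%s is directly on the internet vSwitch" % vm.name)
    return problems


def torben_layout():
    """Two pNICs; management shares the LAN vSwitch with the LAN guests (constructed from the thread)."""
    return Topology(
        vswitches=[VSwitch("vSwitch0", ["vmnic0"], ["LAN", "Management"]),
                   VSwitch("vSwitch1", ["vmnic1"], ["Internet"]),
                   VSwitch("vSwitchDMZ", [], ["DMZ"])],
        vms=[VM("smoothwall", ["Internet", "LAN", "DMZ"], is_firewall=True),
             VM("web", ["DMZ"]), VM("lan1", ["LAN"]), VM("lan2", ["LAN"])],
        internet_nic="vmnic1", mgmt_portgroup="Management", dmz_portgroup="DMZ")


def haletky_layout():
    """Management alone on its own pNIC; guests on private vSwitches behind the firewall (constructed)."""
    return Topology(
        vswitches=[VSwitch("vSwitch0", ["vmnic0"], ["Management"]),
                   VSwitch("vSwitch1", ["vmnic1"], ["External"]),
                   VSwitch("vSwitchDMZ", [], ["DMZ"]),
                   VSwitch("vSwitchInt", [], ["Internal"])],
        vms=[VM("smoothwall", ["External", "DMZ", "Internal"], is_firewall=True),
             VM("web", ["DMZ"]), VM("lan1", ["Internal"]), VM("lan2", ["Internal"])],
        internet_nic="vmnic1", mgmt_portgroup="Management", dmz_portgroup="DMZ")


if __name__ == "__main__":
    for label, topo in (("torben", torben_layout()), ("haletky", haletky_layout())):
        print(label, check(topo) or "OK")
```

Run stand-alone it reports that the first layout puts three guests (including the firewall's LAN leg) on the same vSwitch as the host's management interface, while the second passes every rule. Extending the model is a matter of appending a rule in `check`; for example, a VLAN-tagged port group on a shared uplink would need its own rule, since this model treats any shared vSwitch as shared broadcast domain.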
Ok thanks. My Management network is on the internal LAN, separate from the DMZ and external with a firewall (smoothwall).