3

Out of curiosity, would it be pointless/wasteful/silly to put a firewall as a VM guest (regardless of VM host - ESX, Xen, Hyper-V, etc. etc.) and redirect all traffic from other VM guests through the firewall VM guest?

I'm not sure if other people/organizations practice this or not. I know resources might be constrained (CPU, RAM, Disk/Net I/O) pending whatever traffic may pass, but are there any other scenarios or situations where placing a firewall as a guest VM and having the other guest VMs route to it is better than or comparable to an external box from the host VM?

In terms of performance, I realize that, being a guest VM, resource usage will affect other guests, but aside from that, am I missing anything? Security, best practices, common sense?

Any thoughts, comments or criticisms are welcome.

osij2is

1 Answer

5

This is a very common configuration often called "DMZ in a box". Here's a VMware whitepaper that discusses the various levels of collapsing DMZs using virtual infrastructure.

VMware's vSphere builds on some of these ideas and extends them with a product called vShield Zones.

Helvick