1

I appreciate that to get a proper DMZ, one should have a physical separation between the DMZ servers and the LAN servers, with a firewall server in between.

But, in a network consisting of a single Blade Enclosure containing two or more Blade servers that run multiple virtual servers, whats the closest approximation to a DMZ that could be designed?

More details: Virtual servers, mostly Windows, running in a VMWare environment on the Blade servers, and physical firewall box between the Blade enclosure and the internet.

codeulike
  • 1,008
  • 5
  • 17
  • 29

3 Answers3

1

Setup the switches to run "DMZ" network traffic over a vLan, and be very careful where that vLan traffic is allowed to go.

One of my sites has 1 switch, the internet traffic is plugged directly into switch port 24 (with a big sticker explaining what port 24 is stuck to the switch). The switch is configured so port 24 is vLan 20 (untagged); port 1 get's vLan 20 (tagged), it's the main router; and no other port gets that vLan's traffic. The router only has the one network connection. Is this ideal, probably not, but there's nothing wrong or insecure with the way it's setup.

Chris S
  • 77,945
  • 11
  • 124
  • 216
1

Can your firewall handle more than an "internal" and an "external" network? If it can handle three networks, you should define them as "LAN", "DMZ" and "Internet", and then connect those interfaces to different switches (or different VLANs on a managed switch).

If your firewall can't handle the DMZ, then you'll need to set up your network in a different way (and add another firewall); anyway, you'll end up with two logically-separated network segments, the LAN and the DMZ, which can communicate only through a firewall.

You should then choose if you want to separate your VMs only at the network level, or if you actually want DMZ VMs to run on different hosts than LAN VMs.

In the first case, each ESX host should have at least three network interfaces: one for the service console (connected to your LAN), one for connecting VMs to the LAN and one for connecting VMs to the DMZ; if you want VMotion, add another interface for that, too.

In the second case, each host needs at least two intefaces: one for the service console (always connected to the LAN, you don't want that in the DMZ) and one for VM traffic. Again, if you need VMotion, you'll need another interface.

Massimo
  • 70,200
  • 57
  • 200
  • 323
0

I know HP's C-Class blades best and would have zero issue with having multiple zones in the same enclosure with the following caviats;

  • different zone NICs don't go to the same switches/interconnects
  • iLO virtual console and virtual media is disabled with it only being switched on temporarily when needed
  • blades are somehow colour coded (we use little plastic sticky tags)
  • ops staff are trained and monitored

Other than that I'm happy myself but very specifically I don't trust purely VLAN boundry based security - I know for a fact that even recent Cisco hardware/IOS can be 'VLAN-jumped' - hence my insistance on different switches.

Chopper3
  • 101,299
  • 9
  • 108
  • 239
  • 1
    From Cisco regarding vLan Jumping "To prevent this attack, never allow access to a native VLAN from any untrusted network." ; If you've got vLans, you don't mix tagged and untagged traffic, it's asking for trouble. – Chris S May 27 '10 at 17:43