
I'm currently running VMware ESX 4 with several virtual machines. One of these VMs needs to be PCI-DSS compliant, and more may need compliance in the future. In other words, I don't want to allow any LAN-LAN traffic. I currently have a SonicWall TZ100 as the firewall for the box. It seems there is a way to block traffic between VMs on the LAN with the PortShield feature, but I have so far failed to get this configured.

So, either of these approaches will work fine for me:

A. set up security for each VM that needs compliance, so that it denies traffic from anywhere else in the LAN.

B. simply block all intra-LAN traffic (I tried to do this with a simple LAN-LAN access rule but it didn't block anything).

matt
  • Firewalls manage/secure traffic that flows through them. If the LAN to LAN traffic doesn't flow through the firewall then it can't manage/secure it. Is the ESX host connected to one of the firewall interfaces, with your LAN switch connected to another interface? – joeqwerty Feb 09 '11 at 21:20
  • Yes, you're right. I believe I'm going to need to create a VLAN in ESX for each VM that needs to be isolated. – matt Feb 09 '11 at 23:11
  • Your Sonicwall has the capability to filter traffic from port to port in the same zone, by default it does permit this, but it is not necessary to define a new zone. – SpacemanSpiff Mar 27 '12 at 02:32

1 Answer


In order to isolate the LANs you must first start at the TZ100. On the selected LAN interface, create a new zone; this will separate the zones. Once you create your new zone, you'll need to create access rules from NEW ZONE->WAN and WAN->NEW ZONE or you won't be able to access the internet. Then continue to your switch and create your VLAN for complete isolation.

GIO
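The point made in the comments and the answer (a LAN->LAN access rule does nothing for VMs on the same segment, because that traffic never crosses the TZ100; a separate VLAN mapped to its own zone makes the firewall the only path) can be checked with a small policy model. This is an added example, not code from the question, the answer, SonicWall or VMware; the host names, VLAN IDs and zone names are constructed.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Host:
    name: str
    vlan: int   # VLAN of the ESX port group the VM's vNIC is attached to
    zone: str   # SonicWall zone of the interface that routes that VLAN

@dataclass
class Firewall:
    # Access rules as permitted (src_zone, dst_zone) pairs; anything
    # between two different zones that has no rule is denied.
    allow: set = field(default_factory=set)

    def verdict(self, src: Host, dst: Host) -> str:
        if src.vlan == dst.vlan:
            # Same segment: the vSwitch forwards the frame directly and the
            # firewall never sees it, so no access rule can block it.
            return "switched"
        # Different segments: routed through the TZ100, zone rules apply.
        return "allowed" if (src.zone, dst.zone) in self.allow else "denied"

WAN = Host("internet", 0, "WAN")   # constructed stand-in for the WAN side

def flat_lan():
    """Before: every VM in the default port group (VLAN 1), zone LAN."""
    hosts = [Host("pci-vm", 1, "LAN"), Host("other-vm", 1, "LAN")]
    fw = Firewall({("LAN", "WAN")})   # adding a LAN->LAN deny changes nothing
    return hosts, fw

def isolated_lan():
    """After: pci-vm moved to its own VLAN 100 port group, mapped to zone PCI,
    with only the PCI<->WAN rules the answer describes."""
    hosts = [Host("pci-vm", 100, "PCI"), Host("other-vm", 1, "LAN")]
    fw = Firewall({("LAN", "WAN"), ("PCI", "WAN"), ("WAN", "PCI")})
    return hosts, fw

def matrix(hosts, fw):
    """Verdict for every ordered pair of hosts, plus each host to the WAN."""
    targets = hosts + [WAN]
    return {(s.name, d.name): fw.verdict(s, d)
            for s in hosts for d in targets if s is not d}
```

Running `matrix(*flat_lan())` shows the two VMs reaching each other as "switched" regardless of firewall rules, while `matrix(*isolated_lan())` shows them "denied" in both directions with internet access still "allowed".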