Virtualized DMZ Network

Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
I have read a few docs on putting your DMZ boxes into your Virtual Network. The other guy here is on a real rampage ie he wants to virtualize every server in the company (including our current and future web proxy and our future IDS) I said we should keep a few out (mainly the proxy and IDS boxes as well as our web servers due to some other issues I don't really want to discuss). He disagrees of course. I was wondering what you guys though of a full virtual DMZ network. Here are some key facts:

The DMZ network will reside on the same physical set of ESX servers as our production network

It will sit on a different physical nic (of course)

Anyone doing anything like this? Any concerns?

Comments

  • blargoeblargoe Self-Described Huguenot NC, USAMember Posts: 4,174 ■■■■■■■■■□
    Our DMZ network is partially virtualized, using the same hosts that run internal VM's. Using separate physical nics, which are connected to our physical DMZ switches.

    This isn't necessarily a best practice; however, I don't see it as much of a risk in my environment as it stands today.
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • azjagazjag Member Posts: 579 ■■■■■■■□□□
    I have read a few docs on putting your DMZ boxes into your Virtual Network. The other guy here is on a real rampage ie he wants to virtualize every server in the company (including our current and future web proxy and our future IDS) I said we should keep a few out (mainly the proxy and IDS boxes as well as our web servers due to some other issues I don't really want to discuss). He disagrees of course. I was wondering what you guys though of a full virtual DMZ network. Here are some key facts:

    The DMZ network will reside on the same physical set of ESX servers as our production network

    It will sit on a different physical nic (of course)

    Anyone doing anything like this? Any concerns?

    At my previous position I virtualized all of our DMZ boxes (OWA, TS gateway and Webservers) namely because the hardware they were running on was ancient. Didn't have to much of an issue with it. The DMZ servers were members of one domain running on a host that also had an members of another domain on it.

    I would add another nic to increase redundancy and throughput. Gives you a failover just in case and can handle a spike in traffic.

    As far as virtualizing the entire domain, i would leave one domain controller on a physical box sitting off to the side. This way if something happens you can still seize the fsmo roles. As much as I like virtualization and am a proponent of it, I still can't put all my eggs in one basket.
    Currently Studying:
    VMware Certified Advanced Professional 5 – Data Center Administration (VCAP5-DCA) (Passed)
    VMware Certified Advanced Professional 5 – Data Center Design (VCAP5-DCD)
  • earweedearweed Member Posts: 5,192 ■■■■■■■■■□
    As far as virtualizing EVERYTHING it is not a good idea. There are some things which aren't recommended to be virtualized and best practices to follow.
    No longer work in IT. Play around with stuff sometimes still and fix stuff for friends and relatives.
  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    Well I guess we can close this thread. We are going to virtualize our DMZ because the other guy doesn't think there is any risk at all. I wasn't really concerned with making a VDMZ but the servers that we were going to put in there were well, I am not going to go into that. Anywho doesn't matter what I think now.
  • SteveO86SteveO86 Member Posts: 1,423
    If you've got a Essentials+ license I think you have access to vShield it might help in lieu of VM security

    Can't say I myself recommend virtualization everything, after all I have redundant servers for a few applications I refuse to virtualize the redundant servers. (Even though I have dual switches/NICs/upload links to my network from my virtual infrastructure)


    When I setup our Blade servers to run virtualization, I did not design it to used in a DMZ only the internal network and it took a few weeks of going back and forth to keep it that way. Mainly because the blades I have can only have a max of 2 NICs I had each going to 2 separate switches already for redundancy, and I had to argue how much of a necessity the redundancy was.
    My Networking blog
    Latest blog post: Let's review EIGRP Named Mode
    Currently Studying: CCNP: Wireless - IUWMS
  • MentholMooseMentholMoose Senior Member Member Posts: 1,524 ■■■■■■■■□□
    Here is a recent article covering security in virtual environments:
    The Scary Side of Virtualization - Computerworld

    One point of the article is basically that virtualization is new, and people are scared of the unknown. I don't really like this. Although the heavy reliance on virtualization may be a relatively new phenomena (at least for many companies), virtualization itself is a mature technology. If you arm yourself with knowledge, then it will no longer be unknown.

    Anyway, besides this I think some valid points are made. One issue brought up in the article that would be important when deploying VMs in a DMZ is the status of templates used to deploy the VMs. You have to make sure the templates are free of vulnerabilities before deploying the VM into the DMZ, and they obviously need to be malware-free in the first place.

    Even if you are diligent about keeping templates patched, they probably aren't always going to be fully patched, so it would be unsafe to deploy a VM from such a template directly into a DMZ. You could, for example, deploy a VM into a locked down remediation network that only provides connectivity to update servers, patch the VM, then move it into the DMZ.

    Keeping templates malware-free will require ongoing effort, such as doing offline scans of the disk(s) in the template. You could, for example, deploy a new VM, but boot it directly to an ISO that has updated antivirus software (e.g. a BartPE disk).
    MentholMoose
    LFCE - MCITP: EDA7, VA, SA, EA - MCSA:S 2003 - CCA (PVS 5, XD 3 / 4 / 5, XS 5 / 6) - VCP 4 / 5
  • Chris:/*Chris:/* Member Posts: 658 ■■■■■■■■□□
    One very interesting piece of information I found in my GSEC course was when Eric Cole discussed how a SANS group was testing to see if they could complete a Guest Breakout. In 2009 it was successful on ESX but all it did was crash the entire Host. That being said the people who attempted the hack were some of the best in the buisness. This provides no greater risk than any other system in a DMZ other than they are multiple Guest on one Host. This was one of the reasons VMware is moving away from ESX.

    This could cause serious problems in a DMZ but as MentholMoose mentioned reducing your vulnerability footprint would reduce the likely hood of it happening.
    Degrees:
    M.S. Information Security and Assurance
    B.S. Computer Science - Summa Cum Laude
    A.A.S. Electronic Systems Technology
  • MentholMooseMentholMoose Senior Member Member Posts: 1,524 ■■■■■■■■□□
    Chris:/* wrote: »
    This was one of the reasons VMware is moving away from ESX.
    Right. If you check the VMware security advisories, the vast majority of them are for components of the ESX service console (a RHEL derivative). ESX 4.1 is the final release of ESX, and only ESXi will continue being developed and updated. I think this is the right move even though there are a few benefits of having a general purpose OS serving as the parent partition for the host. Having only a hardened parent partition with few moving parts reduces potential vulnerabilities and likewise will reduce the number of security advisories, and should go a long way toward assuaging the concerns expressed by execs in the article I linked above.
    MentholMoose
    LFCE - MCITP: EDA7, VA, SA, EA - MCSA:S 2003 - CCA (PVS 5, XD 3 / 4 / 5, XS 5 / 6) - VCP 4 / 5
  • psneathenpsneathen Registered Users Posts: 1 ■□□□□□□□□□
    Does anyone happen to have a sample diagram of the physical comonents and logical data flow of a virtualized DMZ. I'm looking for more than the high level diagram that VMware provides. For example, I'm looking for details on switch layout, FW placement, shared storage usage, etc. Anything you can offer would be greatly appreciated. We are a small library, so we are considering virtualizing our DMZ on 2 or 3 physical host servers running ESXi standard. These would be the same physical host systems that will contain our VMs for our internal trusted network. I'm also not sure if I should/need to consider vShield, as it is very expensive.
  • azjagazjag Member Posts: 579 ■■■■■■■□□□
    I don't have a diagram like that handy. I'll look around and see what I can find. If you are going to host both internal and external on the same physical hosts then I would recommend vShield to keep things separate.

    Welcome to TechExams
    Currently Studying:
    VMware Certified Advanced Professional 5 – Data Center Administration (VCAP5-DCA) (Passed)
    VMware Certified Advanced Professional 5 – Data Center Design (VCAP5-DCD)
  • RouteThisWayRouteThisWay Member Posts: 514
    I'll see what I can help with.

    We have virtualized our entire DMZ. Our web servers share the same hosts and datastores as our internal machines. We use seperate physical NICs on the hosts that are tried to them to connect directly into our FW.

    Again, as stated above, this may not be best practices per se but it is an acceptable risk for our environment. Especially since previously they were running on ancient 2950s that were ready to explode.
    "Vision is not enough; it must be combined with venture." ~ Vaclav Havel
Sign In or Register to comment.