Secure DMZ VM deployment using separate vSwitch

Printable View

3rd March 2010, 01:48 AM
albertwt

1 Attachment(s)

Secure DMZ VM deployment using separate vSwitch

Hi All,

I've setup my curent ESXi host with 2 pNIC for secure deployment of production VM like the attached screenshot:

The reason is to make it easier to backup through the management network (Gigabit Ethernet connected to my LAN switch) while the actual VM is connected into DMZ-Network separate vSwitch and then the uplink is connected directly to the router for access to the world.

I wonder if this is the typical secure deployment that everyone else is using ?
Any kind of comments would be greatly appreciated.

Thanks.
3rd March 2010, 07:22 AM
bio

Well we are going to implement this as well. But in the security world this is not considered secure because you are connecting the outside world directly into your virtual environment. Buw we are a NON profit corporation so there is nothing to gain from our internal network. So we just take the risk :)

bio..
3rd March 2010, 08:23 AM
powdarrmonkey

Quote:

Originally Posted by bio

Buw we are a NON profit corporation so there is nothing to gain from our internal network. So we just take the risk :)

Nothing to gain?

http://www.evilkid.com/katamari/4/orly.jpg
3rd March 2010, 12:14 PM
albertwt

Quote:

Originally Posted by bio

Well we are going to implement this as well. But in the security world this is not considered secure because you are connecting the outside world directly into your virtual environment. Buw we are a NON profit corporation so there is nothing to gain from our internal network. So we just take the risk :)

bio..

yeah that does make sense mate !
thanks.
4th March 2010, 07:30 AM
bio

Quote:

Originally Posted by powdarrmonkey

Nothing to gain?

http://www.evilkid.com/katamari/4/orly.jpg

Well the student grades are hosted on a seperatebox outside our network. So i don't think a real good hacker takes the time and effort to get into our network.

bio..
4th March 2010, 08:17 AM
powdarrmonkey

Quote:

Originally Posted by bio

Well the student grades are hosted on a seperatebox outside our network. So i don't think a real good hacker takes the time and effort to get into our network.

bio..

I don't care much for student grades, I'm more interested in what else you carelessly leave lying around... pay details perhaps? details of staff I can use to strengthen my impersonation of them?
4th March 2010, 09:22 AM
pete

Quote:

Originally Posted by powdarrmonkey

I don't care much for student grades, I'm more interested in what else you carelessly leave lying around... pay details perhaps? details of staff I can use to strengthen my impersonation of them?

Ok, but I've got dibs on their bandwidth for my drones.

OP: Read this to get started - http://www.vmware.com/files/pdf/dmz_...e_infra_wp.pdf

Done properly, there's no reason you can't have a virtual dmz.
11th March 2010, 06:42 AM
albertwt

Quote:

Originally Posted by pete

Ok, but I've got dibs on their bandwidth for my drones.

OP: Read this to get started - http://www.vmware.com/files/pdf/dmz_...e_infra_wp.pdf

Done properly, there's no reason you can't have a virtual dmz.

thank you for the response sir, I really appreciate it.

Cheers.

AWT