Physical vs Virtual DMZ

I implement the vCloud Suite of products in a multi-client environment and currently do not have a demilitarized zone. In seeking to define what the DMZ network will look like, I guess that I should have one that is defined by a separation of physical networks, such as the following:

(Outside <-> physical firewall <-> physical DMZ network <-> firewall <-> internal network)

Is having a conventional demilitarized zone, as above, with two firewalls, one on each side, always recommended?

Can I do the same thing with POSSIBLE, and when is it appropriate to set up my DMZ in software vs. hardware?

Hello

Well, the following will work using only virtual firewalls:

Outside <-> physical switch <-> outside Teddy <-> outside VDS <-> FW <-> DMZ VDS <-> FW <-> inside VDS

DMZ physical switch <-> DMZ Teddy <------------------------> DMZ VDS

Then attach a physical DMZ via the DMZ VDS and specific ports outside your chassis, with a physical switch in the DMZ upstream.

Or the following, if you want to combine physical and virtual firewalls:

Outside <-> physical FW <-> DMZ physical switch <-> Teddy <-> pvNIC <-> DMZ VDS <-> FW <-> inside VDS

Whether you want to use a DMZ or not depends on what you're really trying to do.

Best regards
Edward L. Haletky
VMware communities user moderator, VMware vExpert 2009-2015

Author of the books 'VMware ESX and ESXi in the Enterprise: Planning Server Virtualization Deployment', Copyright 2011 Pearson Education, and 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.

Virtualization and Cloud Security Analyst: The Virtualization Practice, LLC - vSphere Upgrade Saga - Virtualization Security Roundtable Podcast
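The audit script below is an added example, not code from this thread or from VMware. Given a per-vNIC port-group export (a constructed CSV here, in the column layout an assumed PowerCLI Get-NetworkAdapter export would give), it flags any VM other than the approved virtual firewalls whose vNICs sit on both a DMZ and an internal port group, which is the accidental mis-assignment the mixed-workload discussion in the similar questions below warns about. Deriving the zone from a port-group name prefix is an assumption for the demo.

```python
import csv
import io

# Constructed sample export, shaped like a PowerCLI
# "Get-VM | Get-NetworkAdapter | Select Parent,Name,NetworkName | Export-Csv"
# (assumed column names; the rows are made up for this demo).
SAMPLE_CSV = """\
Parent,Name,NetworkName
web01,Network adapter 1,DMZ-vlan30
fw-tmg,Network adapter 1,Corp-vlan10
fw-tmg,Network adapter 2,DMZ-vlan30
sql01,Network adapter 1,Corp-vlan10
sql01,Network adapter 2,DMZ-vlan30
app02,Network adapter 1,Corp-vlan10
lab03,Network adapter 1,Test-vlan99
"""

# Zone is derived from the port-group naming convention (assumption).
ZONE_PREFIXES = {"DMZ-": "dmz", "Corp-": "internal"}
# Only the virtual firewalls may straddle both zones.
APPROVED_BRIDGES = {"fw-tmg"}


def load_inventory(csv_text):
    """Return {vm: [(adapter, port_group), ...]} from the CSV export."""
    inventory = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        inventory.setdefault(row["Parent"], []).append((row["Name"], row["NetworkName"]))
    return inventory


def zone_of(port_group):
    """Map a port group to a zone by its name prefix; unknown names are flagged."""
    for prefix, zone in ZONE_PREFIXES.items():
        if port_group.startswith(prefix):
            return zone
    return "unclassified"


def audit(inventory, approved=APPROVED_BRIDGES):
    """Flag VMs whose vNICs bridge DMZ and internal, or sit on unknown port groups."""
    findings = []
    for vm, nics in inventory.items():
        zones = {zone_of(pg) for _, pg in nics}
        if "unclassified" in zones:
            findings.append((vm, "vNIC on unclassified port group"))
        if {"dmz", "internal"} <= zones and vm not in approved:
            findings.append((vm, "unapproved vNICs bridge DMZ and internal"))
    return findings


if __name__ == "__main__":
    for vm, issue in audit(load_inventory(SAMPLE_CSV)):
        print(f"{vm}: {issue}")
```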

Tags: VMware

Similar Questions

  • Placing a VM guest inside a physical DMZ

    Hello

    I did some research on the best way to introduce DMZ connectivity to my ESX cluster for the purpose of safely hosting outside-facing VM guests without the need for additional hardware. My ESX cluster runs 4.0 Update 1 and consists of 4 physical hosts, with vCenter and the SQL Server DB running as virtual guests.

    Currently, in terms of physical network configuration, I have one of my Cisco ASA firewall interfaces feeding a Cisco 2960 switch dedicated to DMZ purposes. The DMZ has only one subnet/VLAN range on it.

    Each of my ESX hosts has a total of 12 physical network adapter ports. Of these 12, 4 are currently unused and located on a single quad-port PCI NIC. All other network connections are assigned to the internal corporate network.

    My initial intention was to run a connection from this unused PCI adapter into one of the ports of the physical DMZ switch, which I want to set up as a trunk port. I would then create a vSwitch and assign it to this adapter only, and then use VLAN tagging to attach to the DMZ VLAN.

    Now, as far as the guest VM goes which I intend to use in the demilitarized zone, it would be a dual-homed MS Forefront Threat Management Gateway 2010 server that would have one vNIC attached to one of the vSwitches on the internal corporate network and the other vNIC attached to the above-mentioned DMZ vSwitch.

    Given this configuration, is there anything about it that should raise network security concerns for the other guest machines which may reside on the same ESX host? Are there known vulnerabilities in the ESX host and its OS in this type of configuration?

    Anyone who uses a similar setup, with success or failure, who would be willing to share their experiences with it... Thanks for any info you can provide.

    We went back and forth on whether or not we should mix DMZ workloads with our internal workloads. We ended up dedicating a separate group just for the servers in the DMZ. In my opinion the biggest risk in mixed workloads is human error. You certainly want to make sure that the network is locked down so that no one could accidentally assign an internal server to the DMZ port group.

  • Possible to have physical and virtual ESA units in the same cluster?

    Given the scarcity of available information about virtual appliances, does anyone have any idea whether it is possible to run a physical C160 and a C300V running the same version of AsyncOS in the same cluster? I need to migrate from physical to virtual and have been evaluating the possibility of migrating from the C160 to the C300V by adding a C300V to the cluster and then decommissioning the C160.

    Someone know about this?

    Thank you

    Nathan-

    Yes. You can, as long as the appliance and the virtual appliance are running the same AsyncOS. The "clusterconfig" command will work in exactly the same way. You just need to make sure that your C300V has the feature keys loaded in order to run the cluster.

    -Robert

  • Physical to virtual RDM conversion supported in vSphere 6.0?

    Does anyone know if the process in KB 1006599 works in vSphere 6.0+?

    VMware KB: Switching between physical and virtual compatibility modes for a raw device mapping in ESX/ESXi

    We are about to move a bunch of RDMs to VMDK, but we need to convert physical to virtual RDMs first (you can live storage migrate [to VMDK] with virtual RDMs but not physical ones). The other part of the story is that we are running vSphere 5.5 and are about to upgrade to vSphere 6.0.

    The KB was written on October 17, 2014, and I wonder if this is still the supported method in vSphere 6.0 and it just has not been updated; or if it is no longer supported, in which case I have to do the migration before the upgrade?

    Thank you

    I see no reason why this would not work in vSphere 6, given that the procedure is simply to remove the physical RDM disks and add them again as virtual RDM disks... In my view, the KB is just outdated.

  • VMware ESXi 5.5 - vMotion & HA supported with RDM physical or virtual

    Hello

    Hope someone can shed some light on the questions below:

    1. Can VMware ESXi 5.5 HA and vMotion be supported with VMDK files located across multiple VMFS 3/5 datastores? Will I have problems with vMotion or HA?

    2. Can VMware ESXi 5.5 HA and vMotion (not Storage vMotion) be supported with the VM scenario below:

    3 nodes with iSCSI SAN storage

    VM1
    - Drive C -> VMFS Datastore1
    - Drive D -> RDM (is this supported in physical or virtual compatibility mode?)

    VM2
    - Drive C -> VMFS Datastore1
    - Drive D -> VMFS Datastore2

    I've seen the links below; no mention of whether physical or virtual mode is needed.
    http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1005241
    https://pubs.vmware.com/vsphere-55/index.jsp?topic=%2Fcom.vmware.vsphere.storage.doc%2FGUID-D9B143D8-9F93-41D1-A32F-9FF4DE4CDF14.html

    3. Can multiple ESXi 5.5 hosts access the same VMFS datastore (located on a SAN) using the free version of ESXi 5.5?
    Can I use this in a production environment? I have seen some companies test this in a non-production environment. Technically, it works.

    Thank you
    Paul

    Welcome to the community-

    (1) As long as the HA/DRS cluster hosts all see the datastores, there will be no problem.

    (2) Once more, as long as the nodes can see the datastores, including the LUNs the RDMs live on, it should be without issue.

    (3) Yes, multiple instances of the free version of ESXi can access shared LUNs. Yes, it can be used in a production environment, but remember you cannot manage the free hypervisor with vCenter.

  • Physical to virtual (P2V) conversion of vCenter Server

    What are all the things I need to think about when converting vCenter Server from a physical machine to a virtual machine? For example:

    1. If the SQL database is on the same server, can it be corrupted?

    2. If I create the P2V VM and let it sit for a day while the physical vCenter Server is in place, what happens with Active Directory when I stop the physical one and the virtual vCenter Server takes over? The virtual vCenter Server would have a less recent synchronization with Active Directory than the physical server I just stopped. No problem?

    StageCoach says:

    Are there any possible issues with unjoining and rejoining the vCenter Server to the domain, such as loss of permissions, etc., that I need to be wary of?

    Nothing whatsoever. vCenter has all its information stored in a database. The only reason to possibly rejoin the domain is to update the AD and DNS objects.

  • Physical to virtual clustering on VMware

    Hi all

    We plan to convert one of our (AD) domain controllers to a virtual box, then we must cluster it with another physical box (DHCP).

    Can someone help me on this...

    First I need to know:

    1. Can we do clustering between a physical and a virtual box in a Windows environment?

    2. Is keeping an (ADC) domain controller box on VMware recommended...? If so, can we do virtual-to-virtual or physical-to-virtual clustering?

    Note: the (ADC) domain controller is intended only for DHCP; no other role is specified on it.

    Thanks in advance

    Regards

    Konate

    Why do a P2V of the ADC?

    This is the wrong approach.

    AD is a database structure that cannot be stopped on a running system.

    So the only way to make a consistent P2V is to use a cold conversion (but you need the Enterprise Converter) or try to do it in Active Directory Restore Mode.

    André

  • How to tell the difference between a physical and a virtual RDM

    Hello!

    How can I see if an RDM (raw device) is physical or virtual?

    Can I see it in the vmx file, or easily elsewhere?

    I have a few servers running both VMFS and RDM disks inside the virtual machine, and when I use ESX Ranger and take a snapshot backup, they are ignored and not backed up.

    Grateful for a response

    When you edit the settings of the virtual machine and choose the RDM, there will be a radio button selected for the RDM mode; it is really obvious. It will be selected for either physical or virtual.
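As an added example (not from this thread), the script below reads the mode from where it is actually recorded on disk: the .vmx names each disk's descriptor file, and the small RDM descriptor .vmdk carries a createType line, vmfsRawDeviceMap for virtual compatibility and vmfsPassthroughRawDeviceMap for physical. The .vmx fragment and the descriptors are constructed samples. Physical-mode RDMs cannot be snapshotted, so this is also a quick way to explain the disks a snapshot-based backup skips.

```python
import re

# Constructed sample RDM descriptor (the text .vmdk that the .vmx points at).
VIRTUAL_RDM = """\
# Disk DescriptorFile
version=1
encoding="UTF-8"
CID=fffffffe
parentCID=ffffffff
createType="vmfsRawDeviceMap"

# Extent description
RW 1048576000 VMFSRDM "oracle-data-rdm.vmdk"
"""
# Same LUN mapped in physical (pass-through) mode; the mapping file is
# conventionally named -rdmp.vmdk, but createType is the authoritative field.
PHYSICAL_RDM = (VIRTUAL_RDM
                .replace("vmfsRawDeviceMap", "vmfsPassthroughRawDeviceMap")
                .replace("-rdm.vmdk", "-rdmp.vmdk"))
# An ordinary VMFS virtual disk, for contrast.
PLAIN_VMDK = (VIRTUAL_RDM
              .replace('createType="vmfsRawDeviceMap"', 'createType="vmfs"')
              .replace("VMFSRDM", "VMFS"))

# Constructed .vmx fragment listing the disks and their descriptor files.
SAMPLE_VMX = """\
scsi0:0.present = "TRUE"
scsi0:0.fileName = "oracle-os.vmdk"
scsi0:1.present = "TRUE"
scsi0:1.fileName = "oracle-data-rdm.vmdk"
"""

RDM_MODES = {"vmfsRawDeviceMap": "virtual", "vmfsPassthroughRawDeviceMap": "physical"}
CREATE_TYPE = re.compile(r'^\s*createType\s*=\s*"([^"]+)"', re.M)
EXTENT = re.compile(r'^(RW|RDONLY|NOACCESS)\s+(\d+)\s+(\w+)\s+"([^"]+)"', re.M)
VMX_DISK = re.compile(r'^(\w+:\d+)\.fileName\s*=\s*"([^"]+)"', re.M)


def vmx_disk_files(vmx_text):
    """Map each virtual device node (e.g. scsi0:1) to its descriptor file name."""
    return dict(VMX_DISK.findall(vmx_text))


def rdm_mode(descriptor_text):
    """Classify a descriptor as a virtual RDM, a physical RDM, or an ordinary disk."""
    m = CREATE_TYPE.search(descriptor_text)
    if not m:
        raise ValueError("no createType line; not a VMDK descriptor")
    create_type = m.group(1)
    result = {"create_type": create_type,
              "mode": RDM_MODES.get(create_type, "not-rdm")}
    ext = EXTENT.search(descriptor_text)
    if ext:
        result["sectors"] = int(ext.group(2))   # 512-byte sectors
        result["mapping_file"] = ext.group(4)
    return result
```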

  • RDM (Raw Device Mapping): physical or virtual?

    Hello:

    I have a VM and will add a hard drive. It will be an RDM, but I was wondering which "Compatibility Mode" to choose: "physical" or "virtual"?

    It's my production Oracle machine and this new drive will contain about 500 GB of DATA...

    I think it would be nice to use 'virtual' mode, to be able to take snapshots, but I'm worried that, for this one big disk, it will take a lot of time and a lot of space... Are there other arguments that I should consider?

    Thank you very much.

    Best regards

    olegarr

    olegarr wrote:

    Surya,

    Thank you very much for your help.

    Is there any other reason to use virtual mode if I don't use snapshots?

    Thank you

    olegarr

    From the "SAN System Design and Deployment Guide":

    Virtual mode for a mapping specifies full virtualization of the mapped device. It appears to the guest operating system exactly the same as a virtual disk file in a VMFS volume. The real hardware characteristics are hidden. Virtual mode gives customers who use raw disks the benefits of VMFS, such as advanced file locking for data protection and snapshots for streamlining development processes. Virtual mode is also more portable across storage hardware than physical mode, presenting the same behavior as a virtual disk file.

    Physical mode for a raw device mapping specifies minimal SCSI virtualization of the mapped device, allowing the greatest flexibility for SAN management software. In physical mode, the VMkernel passes all SCSI commands to the device, with one exception: the REPORT LUNS command is virtualized, so that the VMkernel can isolate the LUN to the owning virtual machine. Otherwise, all physical characteristics of the underlying hardware are exposed. Physical mode is useful for running SAN management agents or other SCSI target-based software in the virtual machine. Physical mode also allows virtual-to-physical clustering for cost-effective high availability.

  • PIX 515e, multiple VLANs on a physical DMZ interface

    We are trying to set up multiple VLANs on the physical DMZ interface of a PIX 515e.

    The goal is to have logical subnets bound to our single physical DMZ interface.

    Here's what I've tried so far without success:

    The switch:

    - created VLAN 30

    - added switchport fa0/1 to VLAN 30

    - attached host 192.168.100.1 to fa0/1

    - added switchport fa0/24 to VLAN 1 and VLAN 30 (multimode)

    - connected the PIX DMZ interface to switchport fa0/24

    - attached host 172.16.1.55 to switchport fa0/10 (VLAN 1)

    PIX:

    interface ethernet2 auto

    interface ethernet2 vlan30 logical

    nameif ethernet2 DMZ security50

    nameif vlan30 dmz2 security50

    ip address DMZ 172.16.1.254 255.255.255.0

    ip address dmz2 192.168.100.254 255.255.255.0

    Results:

    - 172.16.1.55 has full connectivity to the PIX and beyond.

    - 192.168.100.1 cannot ping the PIX at 192.168.100.254, or anything else.

    Any help would be greatly appreciated. Also, I realize that I could buy a four-port NIC and use physical interfaces, but I can't get the purchase approved.

    Thank you

    Creating VLANs on Ethernet1

    We want to create a new VLAN interface, VLAN30, and name it DMZ2. Also assign security level 50 to it.

    Step 1: Create the physical interface:

    pix(config)# interface ethernet1 vlan2 physical

    Step 2: Name the interface and set the security level:

    pix(config)# nameif ethernet1 inside security100

    Step 3: Assign the IP address of the interface:

    pix(config)# ip address inside 192.168.1.1 255.255.255.0

    Step 4: Create the logical interface:

    pix(config)# interface ethernet1 vlan30 logical

    Step 5: Name the interface and set the security level:

    pix(config)# nameif vlan30 DMZ2 security50

    Step 6: Assign the IP address to the interface:

    pix(config)# ip address DMZ2 192.168.100.254 255.255.255.0

    Step 7: On the switch, set the port that the physical inside interface connects to as an ISL or dot1q trunk. Place the trunk in native VLAN 2, as in step 1.

  • I am often unable to enter text with the physical or virtual keyboard, making searches and logins impossible in Firefox and forcing me to use Chrome. What to do?

    I use a Google Nexus 9 with the latest Android. Since one of the recent OS updates, the keyboard sometimes fails to appear when I enter a text box on a page while using Firefox. This makes searches and logins impossible. Both Bluetooth physical keyboards and the virtual keyboard fail to register. It is intermittent. Visiting the same page in Chrome has no problem, but I want to continue with Firefox. Please let me know; if I can't fix this I'll have to give up Firefox. Shame!

    Hi Rijumati,
    I understand that there are some forms on a few websites that do not load a keyboard to enter data in the text field. I'm happy to help you.

    For testing, can you please give an example of where that happens?
    Also, does this happen with the default keyboard or with another one that has been added?

  • Physical keyboard / virtual keyboard

    Is it possible to determine whether the device has a physical keyboard or a virtual keyboard?

    You can use HardwareInfo::isPhysicalKeyboardDevice()...

    http://developer.blackberry.com/native/reference/cascades/bb__device__hardwareinfo.html

  • vCenter 5.5 install - physical vs virtual

    We are running Enterprise Plus edition and we have about 600 ESXi hosts, 5000 VMs and 50 clusters. Currently we are running vCenter 5.1 in a virtual machine (HA/DRS cluster) with a standalone SQL DB backend running on a separate virtual machine. We intend to migrate VSS to DVS and take advantage of the other features of Enterprise Plus. Is a VM still good for vCenter 5.5? If yes, what are the max resources and other configurations I need to consider for a vCenter deployment in a virtual machine? Appreciate your help

    Thank you

    Sunny

    There is no difference in the configuration maximums running vCenter virtual or physical, but if running on a virtual machine you have to pay close attention to certain best practices. Have a look here: Recommended: running vCenter virtual (vSphere) - Yellow Bricks

  • Questions about vCSHB 6.5.1 (LAN or WAN and physical vs. virtual secondary server)

    Hello

    I have a few questions about vCSHB 6.5.1:

    1) There are two sets of installation guides: one for a physical secondary server and one for a virtual secondary server.

    What are the main differences between these two scenarios?

    (2) For vCSHB, there are two deployment options: LAN and WAN.

    2(a) Which option is most common?

    2(b) If one option (for example, LAN) works in an environment, can I assume that the other would work as well?
    And what is the difference between these two options?

    (3) Is vCSHB backward compatible? Does vCSHB 6.5.1 work in an environment where an earlier version (for example vCSHB 6.4) works?

    (4) Which version of vCSHB (e.g. vCSHB 6.5, 6.4 or 6.3) is widely deployed today?

    Thank you.

    (1) There should be nominal differences; what differs is the virtual network setup discussed versus the physical network setup.

    2(a) In my experience the LAN configuration is more common because it offers a high availability solution as opposed to DR.

    2(b) Not necessarily; you should make sure that the appropriate ports are open.

    (3) I think it is, but you have to bring everything up to a compatible version as a best practice.

    (4) I'd go with the latest version as it has been out for a few weeks.

  • vCenter: change from physical to virtual

    Hello

    I have 1 vCenter Server 5.0 which is a physical machine.

    Physical machine (vCenter configuration):

    1. HP ProLiant server

    2. Windows Server 2008 R2 STD SP1

    3. RAM: 16 GB

    4. CPU: Intel Xeon, 8 CPUs

    I want to have my vCenter Server as a virtual server rather than physical.

    Can I create a new virtual machine and install vCenter 5.0 on it, and then point it to the existing database (SQL 2008 R2 cluster)?

    OR

    Do I have to create a new database as well and restore the existing DB backup, then point vCenter to it?

    OR

    Is P2V using vCenter Converter my only option?

    Also, anyway, I just add the hosts to vCenter after its VM is on, as they will appear disconnected. Right? Is anything else needed?

    Thanks - AG

    Yes, that is correct:

    Create the proper system DSN connection on the new vCenter Server host. For more information, see displaying and editing the database server for vCenter Server, and vCenter Server installation fails with ODBC and DSN errors (1003928).
