We are moving to a new office, and part of that is to review our current LAN/WAN and server access to/from the web.
I understand how the DMZ works, but can't figure out if I need a physical server/host to be placed between my 2 firewalls, or whether I can do it with subnetting/vNICs for the DMZ and the servers/virtual servers with vNICs.
Today we have a single router and a single firewall. Behind it are all our servers, application servers, DC, VM hosts, etc.
I have 2 applications today (on virtual servers) that are accessible from the web (firewall hole punches). Both do NOT use AD credentials, and are working with local DB users (removing the need for AD credentials).
- Both are virtual servers in (currently) 1 of 3 VM Hosts.
- I want to move these 2 applications into the DMZ.
- That will require at least an IIS as well.
Placing a physical VM host server that has 2 NICs seems a bit weird (that host will hold as many servers/application servers as I need):
- it's a single point of failure
- and it doesn't feel right (even though it can/should work)
On the other hand, I can create a vNIC in one of my hosts and map its IP to both firewalls:
router > wan_firewall_dmz > vNIC to server > dmz_firewall_lan
- this gives me less of a feeling of security than the prior option does, and for some reason I have a feeling I "miss" the DMZ idea.
Is that correct?
What is it that I am missing?
Answer
Do I need to place a physical server/host within the DMZ to host servers/applications?
"Maybe" -- it depends on your level of paranoia / trust in virtualization.
If you're implementing a new DMZ, the usual way to go about it would be to carve out a separate vLAN and put the DMZ subnet in it, effectively creating a virtual switch for your DMZ.
If you trust your virtualization software to not screw up vLANs you can create a virtual switch on your VM Hypervisor, drop it into the DMZ vLAN, and connect the hosts you want to isolate to that virtual switch.
You can assign the virtual switches to individual physical NICs (sending untagged traffic with the switch ports dropped into the appropriate vLAN), or with most VM systems you can connect the hypervisor to a "trunk port" on your switch and send all the vLAN traffic to your switch tagged and let the switch sort it out.
Single points of failure would be eliminated in the usual way (link aggregation, virtual machine failover appropriate to your hypervisor, etc.), and your overall maintenance burden shouldn't increase at all -- setting up the vLANs is a one-time thing.
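The trunk-port variant described in the answer, as an added Hyper-V example (not code from the original post); it assumes placeholder names: a physical NIC "Ethernet 2" cabled to a switch trunk port, DMZ vLAN ID 20, and VM names App1, App2 and Web-IIS for the two applications plus the IIS front end.

```powershell
# Added example, not from the original post. Placeholders (assumptions):
#   'Ethernet 2' = hypervisor NIC cabled to a trunk port that carries vLAN 20
#   20           = the DMZ vLAN ID;  App1/App2/Web-IIS = the VMs to isolate
$DmzVlan  = 20
$DmzVms   = 'App1', 'App2', 'Web-IIS'
$DmzNic   = 'Ethernet 2'
$DmzSwitch = 'vSwitch-DMZ'

# One external virtual switch bound to the trunk-facing NIC.
# -AllowManagementOS $false keeps the hypervisor's own management
# interface off the DMZ switch, so the host itself is not reachable from it.
New-VMSwitch -Name $DmzSwitch -NetAdapterName $DmzNic -AllowManagementOS $false

foreach ($vm in $DmzVms) {
    # Move the VM's adapter from the LAN switch to the DMZ switch.
    Get-VMNetworkAdapter -VMName $vm | Connect-VMNetworkAdapter -SwitchName $DmzSwitch

    # Access mode: the guest sees untagged frames; Hyper-V adds the 802.1Q tag
    # (vLAN 20) on the trunk, so the physical switch delivers the traffic only
    # to ports that are members of the DMZ vLAN.
    Set-VMNetworkAdapterVlan -VMName $vm -Access -VlanId $DmzVlan
}

# Verification: every DMZ VM must show OperationMode 'Access', AccessVlanId 20
# and SwitchName 'vSwitch-DMZ'. Anything else is a guest still sitting on the LAN.
Get-VMNetworkAdapterVlan -VMName $DmzVms |
    Format-Table VMName, OperationMode, AccessVlanId -AutoSize
Get-VMNetworkAdapter -VMName $DmzVms |
    Format-Table VMName, SwitchName, MacAddress -AutoSize
```

The untagged alternative from the answer needs no Set-VMNetworkAdapterVlan call: bind the virtual switch to a NIC whose physical switch port is an access port in the DMZ vLAN, and the switch does the isolation. The inbound "hole punches" and any DMZ-to-LAN rules (for example, the application VMs reaching a database) still have to be written on the two firewalls; the vLAN only keeps the segments apart.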