Q

VMware and DMZ

Virtualization expert Andrew Kutz discusses the risks of serving both Internet and intranet content on the same ESX host.

As with many IT shops, an on-going consideration is being discussed sharing a VMware ESX host with Internet and Intranet facing guests running Windows 2000 Web sites. What is the risk of having the same ESX host, serving up Internet facing content, while having other guests on the same host serving up Intranet type Web and applications services? What are the proposed methods in using VMware in a DMZ?

The risk for such a venture is proportionate to the amount of trust you place in VMware ESX's networking stack.

If you place the Internet and Intranet hosts on a separate Virtual Switch (or port group) and turn off promiscuous mode, IP spoofing, and MAC spoofing, then you will have architected the most secure networking design possible with ESX. However, if you are wary of the goings-on of how VMware has implemented all of this under the covers, then an alternative design would be to segregate ESX servers not just by access to shared storage (the typical segregation decision), but also by role (Internet, Intranet). If you would like to know more please feel free to email me. Hope this helps!

This was first published in November 2007

Dig deeper on Network virtualization

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchVMware

SearchWindowsServer

SearchCloudComputing

SearchVirtualDesktop

SearchDataCenter

Close