VMware and DMZ

Virtualization expert Andrew Kutz discusses the risks of serving both Internet and intranet content on the same ESX host.

As with many IT shops, an ongoing consideration being discussed is sharing a VMware ESX host with Internet- and Intranet-facing guests running Windows 2000 Web sites. What is the risk of having the same ESX host serving up Internet-facing content while having other guests on the same host serving up Intranet-type Web and application services? What are the proposed methods for using VMware in a DMZ?

The risk for such a venture is proportionate to the amount of trust you place in VMware ESX's networking stack. If you place the Internet and Intranet hosts on a separate Virtual Switch (or port group) and turn off promiscuous mode, IP spoofing, and MAC spoofing, then you will have architected the most secure networking design possible with ESX. However, if you are wary of the goings-on of how VMware has implemented all of this under the covers, then an alternative design would be to segregate ESX servers not just by access to shared storage (the typical segregation decision), but also by role (Internet, Intranet). If you would like to know more please feel free to email me. Hope this helps!
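
One way to check a host against the layout described in the answer, as an added example that is not part of the original answer and not VMware tooling. The inventory is constructed, and its field names (`promiscuous`, `mac_changes`, `forged_transmits`) are assumptions standing in for the promiscuous-mode and spoofing controls the answer mentions.

```python
# Constructed sample data for one ESX host; names and fields are
# assumptions for this example, not a VMware export format.
PORTGROUPS = {
    "DMZ-Web":  {"vswitch": "vSwitch1", "promiscuous": False,
                 "mac_changes": False, "forged_transmits": False},
    "Intranet": {"vswitch": "vSwitch2", "promiscuous": False,
                 "mac_changes": True, "forged_transmits": False},
    "Shared":   {"vswitch": "vSwitch2", "promiscuous": True,
                 "mac_changes": False, "forged_transmits": False},
}
# (guest name, role, port group the guest's NIC is attached to)
GUESTS = [
    ("www-public", "internet", "DMZ-Web"),
    ("hr-portal", "intranet", "Intranet"),
    ("www-legacy", "internet", "Shared"),
    ("wiki", "intranet", "Shared"),
]

POLICY_FLAGS = ("promiscuous", "mac_changes", "forged_transmits")


def audit(portgroups, guests):
    """Return sorted (object, issue) findings for one ESX host."""
    findings = []
    roles = {name: set() for name in portgroups}
    for guest, role, pg in guests:
        if pg not in portgroups:
            findings.append((guest, f"attached to unknown port group {pg}"))
            continue
        roles[pg].add(role)
    for name, cfg in portgroups.items():
        for flag in POLICY_FLAGS:
            # A missing flag counts as enabled so gaps in the data fail closed.
            if cfg.get(flag, True):
                findings.append((name, f"{flag} enabled"))
        # Internet and intranet guests must not share a port group.
        if len(roles[name]) > 1:
            findings.append((name, "mixed roles: " + ", ".join(sorted(roles[name]))))
    return sorted(findings)


if __name__ == "__main__":
    for obj, issue in audit(PORTGROUPS, GUESTS):
        print(f"{obj}: {issue}")
```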

