Table of Contents
2
VMware BEST PR AC TICES
Internet Production
LAN
IDS/IPS
VM VM VM VM VM VM VM VM VM
3
VMware BEST PRAC TICES
ogy merely enables you to consolidate servers by replacing physical network, this configuration removes many risks. For
physical servers with virtual servers that function exactly the instance, it minimizes the impact of the potential loss of separa-
same way — and need to be configured in much the same way tion of duties. This, in turn, greatly reduces the chance that an
— as their physical equivalents. You can consolidate servers in unqualified individual might be in a position to introduce a
a DMZ using virtual technology and continue to rely on your vulnerability through misconfiguration.
existing security infrastructure. In this configuration, you do not need to configure dedicated
virtual switches or use 802.1q VLANs within the virtual infra-
Three Typical Virtualized DMZ Configurations structure. You perform all networking isolation on the physical
A virtualized DMZ network can fully support and enforce a network, not within the virtual infrastructure.
wide range of configurations to separate trust zones. The three Advantages
options described in this section are typical.
• Simpler, less complex configuration
Partially Collapsed DMZ with Separate Physical Trust • Less change to physical environment
Zones • Less change to separation of duties; less change in staff
Organizations that want to keep DMZ zones physically sepa-
knowledge requirements
rated tend to choose this method, shown in Figure 3. In this
configuration, each zone uses separate ESX Server clusters. • Less chance for misconfiguration because of lower complex-
Zone isolation is achieved with physical security devices. The ity
physical network does not require any change. The only differ- Disadvantages
ence between this configuration and a purely physical DMZ is • Lower consolidation and utilization of resources
that the servers within the trust zone are virtualized.
• Higher costs because of need for more ESX hosts and addi-
This configuration limits the benefits you can achieve from tional cooling and power
virtualization because it does not maximize consolidation ratios,
• Incomplete utilization of the advantages of virtualization
but this approach is a good way to introduce virtual technology
into a network. Because it has minimal impact on an existing
VMware
VirtualCenter
server
VM VM VM VM VM VM VM VM VM
4
VMware BEST PR AC TICES
Partially Collapsed DMZ with Virtual Separation of Because the trust zones in this configuration are enforced in the
Trust Zones virtual infrastructure, you should audit virtual switches regularly
In this configuration, shown in Figure 4, you use virtual technol- for consistent policy and settings to mitigate the potential for a
ogy to enforce DMZ trust zone separation. As a result, you can virtual machine to be placed on the wrong network.
locate virtual servers with different trust levels on the same Although Figure 4 shows separate virtual switches for each
VMware® ESX host. Although physical security devices are part zone, you can accomplish the same goal by using 802.1q
of the configuration, this approach consolidates all DMZ servers VLANs. The most important factor in determining which con-
into virtual machines on one ESX host cluster. As a result, you figuration option to choose is typically the number of physical
need substantially fewer physical servers. By leveraging the full NICs present in the hardware. You should always dedicate at
functionality of the virtual infrastructure, you generate signifi- least one physical NIC to the ESX service console. If possible,
cant cost savings for your IT organization. use two physical NICs for the service console to provide redun-
Enforcement of the DMZ security zones takes place in both dancy.
virtual and physical realms. You use virtual switches to enforce Advantages
which virtual servers are connected to which DMZ zone, but
• Full utilization of resources
you use physical hardware to enforce the network security
between the zones. For this reason, virtual servers must use the • Full utilization of the advantages of virtualization
physical network and pass through physical security devices to • Lower cost
communicate between DMZ trust zones.
Disadvantages
The impact of the potential loss of separation of duties between
• More complexity
network switch administrator and server administrator — and
the associated risk that an unqualified individual will be in a • Greater chance of misconfiguration requires explicit configu-
position to introduce vulnerabilities through misconfiguration ration of separation of duties to help mitigate risk of miscon-
— is greater in this case than when you have separate physical figuration; also requires regular audits of configurations
trust zones, but the potential impact is minimized by the fact
that network security is still physically enforced.
VMware
VirtualCenter
server
VM
VM VM
VM VM
VM
VM VM VM
VMkernel
Web zone Application Database zone Service
IDS/IPS vSwitch zone vSwitch vSwitch console
5
VMware BEST PRAC TICES
Fully Collapsed DMZ paper, this is the most complex configuration. Therefore, risks
Taking full advantage of VMware technology, this approach, associated with misconfiguration are higher and you need to
shown in Figure 5, virtualizes the entire DMZ — including all take great care when planning this configuration. You should
network and security devices. Sometimes described as a “DMZ enforce separation of duties by using roles and permissions
in a box,” this configuration enables you to maximize server within VirtualCenter. You should also plan and deploy virtual
consolidation and realize significant cost reductions. networks very carefully to make sure that the isolation of those
This configuration fully leverages consolidation benefits. All networks is enforced and that any communications between
servers and security devices are virtualized in this configuration, virtual machines in separate networks are properly routed
enabling you to isolate the virtual servers and the networks through the virtual firewalls as well as any other inline security
while managing communications between the zones with devices you are using.
virtual security appliances. On the other hand, security appli- It is especially important in this configuration that you audit the
ances in this configuration can also interfere with such VMware configurations of virtual firewalls and virtual switches for consis-
Infrastructure capabilities as VMware VMotion and VMware tent policy and settings, because all of the zone enforcement is
Distributed Resource Scheduler because of limitations in performed in the virtual environment. If the policy is different on
current virtual security devices. The introduction of the VMsafe any of the virtual firewalls or virtual switches, you might see such
security-specific APIs will remove these limitations in future issues as dropped connections when a virtual machine is moved
releases of VMware Infrastructure. using VMotion.
This completely virtual infrastructure can fully enforce isolation You can use 802.1q VLANs in this configuration, but VLANs are
and security between the DMZ zones. You can locate virtual not required as they are in the partially collapsed DMZ with
servers of different security levels on the same physical ESX host virtual separation of trust zones. With a fully collapsed DMZ, you
and bring network security devices into the virtual infrastruc- need a minimum of three NICs per ESX host — one to connect
ture. to the Internet, a second to connect to the internal network,
You must consider the same potential risks you would in a and a third for the ESX service console or management network.
completely physical infrastructure, but with proper configura- VMware strongly encourages NIC teaming for redundancy, so
tion and application of best practices, you can mitigate those
risks. Compared to the two other approaches discussed in this
VM
VM VM
VM VM
VM
VM VM VM
vmkernel
Service
Console
Internet Intranet Web App Database
VSwitch VSwitch VSwitch VSwitch VSwitch
6
VMware BEST PR AC TICES
Although best practice security policies and procedures for Clearly Label Networks for each Zone within the DMZ
configuring a DMZ in a virtualized environment are not overly Clearly labeling networks for each zone within the DMZ is par-
complex, you should be aware of the critical challenges and ticularly critical because accidentally connecting virtual servers
best practice methods in order to mitigate risk. to the wrong networks can undermine all other security efforts.
At every stage, you must remember that virtual machines need By clearly labeling the networks, you make it less likely that a
the same types of protections as their physical counterparts virtual machine can be connected to an unauthorized network
— including antivirus software, host intrusion protection, con- accidentally.
figuration management, and patching in a timely manner. In
short, virtual machines need to be secured in the same manner Set Layer 2 Security Options on Virtual Switches
as physical machines. Protect against attacks such as data snooping, sniffing, and MAC
spoofing by disabling the promiscuous mode, MAC address
After you decide to either partially or completely virtualize a changes, and forged transmissions capabilities on the virtual
DMZ, your first step should be to map out which virtual servers network interfaces. These capabilities are very rarely needed
will reside on which physical ESX hosts and to establish the and create opportunities for exploitation. Fortunately, with
level of trust that is required for each system. Afterwards, you VMware Infrastructure you have full control over these options,
should follow the guidelines in this section something that is not the case in purely physical environments.
7
VMware BEST PRAC TICES
8
Revision: 20080508 Item: BP-059-INF-01-01
VMware, Inc. 3401 Hillview Ave. Palo Alto CA 94304 USA Tel 650-475-5000 Fax 650-475-5001 www.vmware.com
© 2008 VMware, Inc. All rights reserved. Protected by one or more of U.S. Patent Nos. 6,397,242, 6,496,847, 6,704,925,
6,711,672, 6,725,289, 6,735,601, 6,785,886, 6,789,156, 6,795,966, 6,880,022, 6,961,941, 6,961,806, 6,944,699, 7,069,413;
7,082,598, 7,089,377, 7,111,086, 7,111,145, 7,117,481, 7,149, 843, 7,155,558, 7,222,221, 7,260,815, 7,260,820, 7,269,683,
7,275,136, 7,277,998, 7,277,999, 7,278,030, 7,281,102, and 7,356,679; patents pending. VMware, the VMware “boxes” logo
and design, Virtual SMP and VMotion are registered trademarks or trademarks of VMware, Inc. in the United States and/or
other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.