General discussion

  • Creator
  • #2171078

    VMware: Creating a virtual DMZ with virtual firewalls for virtual servers


    by robo_dev ·

    Over the past few years I’ve become a huge fan of VMware ESX Server.

    It just works.

    Recently I had to setup an Internet-facing server, as I’ve done many times before.

    In the ‘olden days’ this would involve building, configuring, and hardening a physical server, possibly configuring, installing and testing a second firewall (or adding firewall rules and/or interfaces to an existing firewall)….lots of work.

    With VMware server, the whole game is different. Without digging into the bytes and bits, the overall process is:

    Within VMware

    1) create a new virtual switch to define the DMZ network

    2) Install and configure the virtual server (load the OS from an ISO image, create the virtual server by assigning it virtual processors, virtual memory, virtual network interfaces, etc)

    3) create ‘real’ virtual network interfaces (a virtual interface mapped to a real Ethernet port). These are the ports that go outbound to the firewall.

    4) Define virtual network interfaces and install these on the virtual server. These interfaces exist only within the virtual LAN in the virtual DMZ on the virtual server. I admit thinking about a network that does not ‘really exist’ can take some getting used to 🙂

    5) Install and configure a firewall as a VM. I have had the best luck with Pfsense since they have a nice VMware-aware distribution. Vyatta is by far the fastest and most flexible, but pfsense seems to work well. (I tried monowall but had some interface issues so switched to pfsense)

    6) Last but not least, the firewall rules in the pfsense (virtual router) are created to only let the one port required in from the Internet, and also to restrict how hosts on the internal network can get to the server (and firewall) in the DMZ.

    7) The nice thing about having this all on VMware is that backup of these machines is a simple drag-and-drop (using Veeam Backup),

    And, for example, if something else is needed in the DMZ (e.g. a database server for the web server or an Intrusion prevention application), then it takes a minimal amount of time to install, configure, and test those servers.

All Comments