• Creator
  • #2137799



    by samitoronto ·

I have an ESXi 5 server running multiple servers. The ESXi server is behind the firewall. It has 2 network cards. Is there a safe way to run an external FTP server as a virtual server inside that ESXi server? The objective is to have the FTP server outside the firewall, with no access to the network.

All Answers

  • Author
    • #2885388


      by samitoronto ·

      In reply to security


    • #2885379

      The safest thing to do is create a separate VLAN (DMZ) within VMware

      by robo_dev ·

      In reply to security

      Of course, technically, ‘outside the firewall’ simply means that you have a firewall rule that opens one port for FTP and a NAT forwarding rule to the internal IP address of the server. Logically you create a separate firewalled-off network (DMZ) depending on exactly where you need data to go, and for other purposes (e.g. backup, administration, etc).

      Within VMware a private vSwitch provides network isolation and establishes a DMZ, and assuming you need to move data from the FTP server, configure a virtual firewall such as Smoothwall so that there is tight control over what goes in and out of the DMZ. Use a dedicated vSwitch for DMZ with separate NICs.

      I have an ESX server that has internal and DMZ VMs on them; it’s no different than any other device…just harden the box, don’t expose any ports, keep it patched, etc.

      Is this secure enough?

      Some companies create all virtual Internet-facing infrastructure, some put the DMZ stuff on its own ESX server, and others create their DMZ systems as physical boxes.

      VMware is just a server, and like any server, there are hardening guidelines (as there are for FTP servers, of course). I have not (knock wood) seen any exploits or attacks against VMware that would apply in this case.

      The ONLY potential issue I can think of is that a DDOS attack might create performance issues due to processor utilization. There are no known exploits to compromise internal VMs, or the Service Console, from a VM in the DMZ network even if they got root on that system.

    • #2885334

      performance issues due to processor utilization

      by samitoronto ·

      In reply to security

      performance issues due to processor utilization. Good thinking, I never thought about that one, and I am not sure there is a way to limit the processor allocation to each VM as we do with the RAM.
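The DMZ layout robo_dev describes (a dedicated vSwitch with its own physical NIC, the FTP VM attached only to that segment) and the per-VM CPU cap raised in the last reply can both be expressed in PowerCLI. The following is an added example written for this page, not code from the thread or from VMware; it assumes a host named esxi01.example.local, a spare physical NIC vmnic1, a VM named ftp-dmz, and the names vSwitchDMZ and DMZ for the new switch and port group. The firewall rule and NAT forward for port 21 live on the perimeter firewall and are outside what this script configures. ESXi does expose CPU reservations, limits and shares per VM, so the last step answers the open question in the reply above.

```powershell
# Added example (not from the thread): isolate the FTP VM on its own vSwitch
# and cap its CPU so a flood against FTP cannot starve the internal VMs.
# Assumed names: host esxi01.example.local, spare NIC vmnic1, VM ftp-dmz,
# vSwitch vSwitchDMZ, port group DMZ. Run from a PowerCLI session.

Connect-VIServer -Server 'esxi01.example.local'      # prompts for credentials
$vmHost = Get-VMHost -Name 'esxi01.example.local'

# 1. Dedicated vSwitch with its own uplink: it must not share a physical NIC
#    with vSwitch0, which carries the internal VMs and the management port.
$dmzSwitch = New-VirtualSwitch -VMHost $vmHost -Name 'vSwitchDMZ' -Nic 'vmnic1'

# 2. Port group for DMZ guests only. No VMkernel (management) port goes here.
$dmzPortGroup = New-VirtualPortGroup -VirtualSwitch $dmzSwitch -Name 'DMZ'

# 3. vSwitch security policy: reject promiscuous mode, MAC changes and forged
#    transmits so a compromised FTP guest cannot sniff or spoof on the segment.
Get-SecurityPolicy -VirtualSwitch $dmzSwitch |
    Set-SecurityPolicy -AllowPromiscuous $false -MacChanges $false -ForgedTransmits $false

# 4. The FTP VM gets exactly one NIC, and it sits on the DMZ port group.
$ftpVm = Get-VM -Name 'ftp-dmz'
Get-NetworkAdapter -VM $ftpVm | Set-NetworkAdapter -NetworkName 'DMZ' -Confirm:$false

# 5. CPU limit and low shares: bounds what a DDoS against FTP can consume.
#    2000 MHz is an assumed value; size it to the host and the expected load.
Get-VMResourceConfiguration -VM $ftpVm |
    Set-VMResourceConfiguration -CpuLimitMhz 2000 -CpuSharesLevel Low

# 6. Verify isolation: no FTP adapter on a non-DMZ network, and no uplink
#    shared between the DMZ switch and vSwitch0.
$leaks = Get-NetworkAdapter -VM $ftpVm | Where-Object { $_.NetworkName -ne 'DMZ' }
$internalSwitch = Get-VirtualSwitch -VMHost $vmHost -Name 'vSwitch0'
$sharedUplinks = $internalSwitch.Nic | Where-Object { $dmzSwitch.Nic -contains $_ }
if ($leaks -or $sharedUplinks) {
    Write-Warning 'DMZ isolation check failed: review adapters and uplinks'
} else {
    Write-Output 'DMZ isolation OK'
}

Disconnect-VIServer -Server 'esxi01.example.local' -Confirm:$false
```

Step 6 is the check worth keeping around: rerun it after any host networking change, because a VM silently re-attached to the internal port group, or a second uplink added to the DMZ switch, undoes the separation the rest of the script sets up.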
