VMware+Security conundrum....

Phantum ([H]ard|Gawd, joined Jul 25, 2001, 1,716 messages)
So I was sifting through all the new network gallery pics and I started to see the terms 'virtual' and 'esxi' pop up a lot... so after some research I've come to the conclusion that rather than run 4-12 servers, why not virtualize them. So what I was wondering was this... can I and/or would it be a good idea to build a system that would be split into two different security servers?
Currently I'm using two different boxes to handle firewall/proxying & caching (Smoothwall) and then another machine running UnTangle to act as a transparent bridge connecting my internal network to the firewall. So would this idea be a bad one? If not... is it doable?
 
While it's doable, especially when running ESX 3i in lockdown mode (disallows any remote authoritative (root) connections), the general recommendation is that it's always best to keep your firewall/UTM separate from your application servers. You can still cut your systems down from 4-12 to 2 though, one firewall/UTM device and one ESXi server.
 
> While it's doable, especially when running ESX 3i in lockdown mode (disallows any remote authoritative (root) connections), the general recommendation is that it's always best to keep your firewall/UTM separate from your application servers. You can still cut your systems down from 4-12 to 2 though, one firewall/UTM device and one ESXi server.

So use a VMware server for all app servers, right? And if I'm reading your last comment right... and I'd like to think I am... I could build a less powerful VMware machine and have images of both my Smoothwall and Untangle? And this box would in turn be a different VMware server than my VMware app server?!?!
 
I would put them all on one box... I trust the way ESX keeps everything isolated. Just make some extra internal networks to pull off what you want done (i.e. external, internal, DMZ, etc.).
 
> So use a VMware server for all app servers, right? And if I'm reading your last comment right... and I'd like to think I am... I could build a less powerful VMware machine and have images of both my Smoothwall and Untangle? And this box would in turn be a different VMware server than my VMware app server?!?!
Is this for your home or for a business? If for your home, you can run everything on one system. If a business, I stand by my recommendation of keeping your firewall/UTM solution separate from your application servers.

I would put Untangle on one physical box and use it as my router/all-in-one rather than just a transparent proxy. ESXi on another box with all of my application servers being virtual machines.
 
> Is this for your home or for a business? If for your home, you can run everything on one system. If a business, I stand by my recommendation of keeping your firewall/UTM solution separate from your application servers.
>
> I would put Untangle on one physical box and use it as my router/all-in-one rather than just a transparent proxy. ESXi on another box with all of my application servers being virtual machines.

It's for my home... For me security is paramount, so having more than one device for traffic inspection eases my security OCD; I'd rather run both the Smoothy and the UnTangle. At least two boxes... better safe than sorry! [EDIT] Well let me clarify... when I say 'two boxes' I just mean two defenses... I'm not comfortable leaving my network security with just one system. I like redundancy!!!! :)

See, the thing of it is I'm really just wanting to get a feel for the whole ESXi movement, so while I don't have a TON of app servers, it would be nice to set up a local intranet website and maybe a media/backup or archival box, with lots of emphasis on storage.

So it would be safe then to build a somewhat powerful box to run virtual servers of both Smoothwall and UnTangle? Because if either gets b0rked, I can always close that virtual server and start a new one, right?
 
> It's for my home...
>
> So it would be safe then to build a somewhat powerful box to run virtual servers of both Smoothwall and UnTangle? Because if either gets b0rked, I can always close that virtual server and start a new one, right?
Yes. You'll need at least two NICs in the box but can have more for redundancy if you wish.

The default virtual switch (vswitch0) would be for management and the "internal" virtual machine port group. Create a second vswitch (vswitch1), add the second NIC to it and create a virtual machine port group labeled as the "external" side.

Connect your cable or DSL modem to the physical NIC associated with the External virtual switch.

Create a third virtual switch with no physical NICs assigned to it and create a virtual machine port group within it labeled as the Intermediate Network.

For the smoothwall VM, create it with two virtual NICs; one in the External port group and one in the Intermediate.

For the Untangle VM, create it with two virtual NICs; one in the Internal port group and one in the Intermediate.

Plug the physical NIC associated with the Internal (vswitch0) into a physical switch.

Plug your other machines into that physical switch.

Create virtual machines as needed with one virtual NIC assigned to the Internal port group. If you need to set up a server that bypasses Untangle, add its NIC to the Intermediate port group.

If you have additional physical NICs you can add them to each vswitch (except the intermediate one) to provide fail-over redundancy.

If you need or desire a DMZ network, create a fourth virtual switch with no physical NICs assigned, create a port group in that virtual switch labeled "DMZ" and add a third virtual NIC to your Smoothwall server assigned to that port group. If you want to connect physical systems to the DMZ, get an additional physical NIC and add it to the DMZ port group. Plug that physical NIC into a switch but ensure that your DMZ goes to its own physical switch and does not touch the rest of your network.
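The layout above is really a statement of trust boundaries: the only route from External to Internal should cross both firewall VMs, the Intermediate and DMZ vSwitches should have no physical uplink, and anything dual-homed onto Intermediate is by design not inspected by Untangle. The following script is an added example (not from this thread and not an ESXi or VMware API); it models the vSwitches, port groups and vNICs as a graph using the names from the post, enumerates every possible path between segments, and reports violations, including the classic mistake of a firewall VM missing one of its two vNICs. The dictionaries at the top are a constructed description of the layout, not something exported from a host.

```python
"""Check the trust-boundary properties of an ESXi vSwitch/port-group layout.

Model (constructed for this example): port groups and VMs are graph nodes,
each vNIC is an edge between a VM and a port group, and physical uplinks are
recorded per vSwitch.  A VM with vNICs in two port groups is treated as a
potential bridge between them, because a compromised dual-homed VM is exactly
that, whether or not it is meant to route.
"""

# Hypothetical layout, names as given in the post (vSwitch numbering assumed).
VSWITCHES = {
    "vSwitch0": {"uplinks": ["vmnic0"], "port_groups": ["Management", "Internal"]},
    "vSwitch1": {"uplinks": ["vmnic1"], "port_groups": ["External"]},
    "vSwitch2": {"uplinks": [], "port_groups": ["Intermediate"]},   # VM-only
    "vSwitch3": {"uplinks": [], "port_groups": ["DMZ"]},            # VM-only
}

# VM name -> port groups its vNICs are attached to.
VMS = {
    "smoothwall": ["External", "Intermediate", "DMZ"],
    "untangle": ["Intermediate", "Internal"],
    "intranet-web": ["Internal"],
    "media-backup": ["Internal"],
}

FIREWALLS = {"smoothwall", "untangle"}


def build_graph(vms):
    """Undirected adjacency: VM <-> port group for every vNIC."""
    adj = {}
    for vm, pgs in vms.items():
        for pg in pgs:
            adj.setdefault(vm, set()).add(pg)
            adj.setdefault(pg, set()).add(vm)
    return adj


def all_paths(adj, src, dst):
    """Enumerate every simple path from src to dst (DFS), so each route
    traffic could take is examined, not just the shortest one."""
    paths = []
    stack = [(src, [src])]
    while stack:
        node, path = stack.pop()
        if node == dst:
            paths.append(path)
            continue
        for nxt in sorted(adj.get(node, ())):
            if nxt not in path:
                stack.append((nxt, path + [nxt]))
    return paths


def check_layout(vswitches, vms, firewalls=FIREWALLS):
    """Return a list of findings; an empty list means the layout holds."""
    findings = []
    adj = build_graph(vms)
    pg_to_vs = {pg: vs for vs, d in vswitches.items() for pg in d["port_groups"]}

    # 1. Intermediate and DMZ must sit on vSwitches with no physical NIC.
    for pg in ("Intermediate", "DMZ"):
        if pg in pg_to_vs and vswitches[pg_to_vs[pg]]["uplinks"]:
            findings.append(f"{pg} has a physical uplink; it should be VM-only")

    # 2. Every External -> Internal path must cross both firewall VMs.
    paths = all_paths(adj, "External", "Internal")
    if not paths:
        findings.append("no path from External to Internal: a firewall vNIC is missing")
    for p in paths:
        missing = firewalls - set(p)
        if missing:
            findings.append(f"path {' -> '.join(p)} bypasses {', '.join(sorted(missing))}")

    # 3. External and Internal must never share a vSwitch.
    if pg_to_vs.get("External") == pg_to_vs.get("Internal"):
        findings.append("External and Internal share a vSwitch")

    # 4. Non-firewall VMs on Intermediate are uninspected by Untangle; report them.
    for vm, pgs in vms.items():
        if vm not in firewalls and "Intermediate" in pgs:
            findings.append(f"{vm} sits on Intermediate and is not inspected by untangle")

    # 5. DMZ may reach Internal only through a firewall VM.
    for p in all_paths(adj, "DMZ", "Internal"):
        if not (set(p) & firewalls):
            findings.append(f"DMZ reaches Internal without a firewall: {' -> '.join(p)}")
    return findings


if __name__ == "__main__":
    for line in check_layout(VSWITCHES, VMS) or ["layout OK"]:
        print(line)
```

Edit the VMS dictionary to try variations: drop "Internal" from the untangle entry and the check reports that no path exists (the missing-vNIC case), or add "Intermediate" to a regular server and it reports both the uninspected VM and the path that bypasses Untangle.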
 
Excellent! Thank you sir, you were most helpful. So I was thinking the following would suffice: AMD Athlon X2 4050e Brisbane 2.1GHz 45W (go green :p), 2GB Crucial DDR2-800 and an MSI K9N6PGM2-V. Should be fine for just Smoothy & UnTangle, yeah? My LAN is about 6-10 computers.
 
So if done correctly, it should look like this?
[attached screenshot: esx.jpg]
 
> So if done correctly, it should look like this?
Yup - only thing missing there, from the look of that screenshot, is the second virtual NIC for the Untangle box. You have the intermediate vNIC but seem to be missing the vNIC that links Untangle to the Internal network.
 
> Yup - only thing missing there, from the look of that screenshot, is the second virtual NIC for the Untangle box. You have the intermediate vNIC but seem to be missing the vNIC that links Untangle to the Internal network.

It removed it when I changed the name of one of the switches, but it was all working. Now to back up my other server and convert it to ESXi.
 