IWETHEY v. 0.3.0 | TODO
1,095 registered users | 1 active user | 0 LpH | Statistics
Login | Create New User
IWETHEY Banner

Welcome to IWETHEY!

New This could go in Software and Apps, but I think this is the place for a VCenter Q.
We run VCenter 5.1. All servers except a handful of production database servers are virtualized on the LAN. Our DMZ has non-virtualized hosts. I was looking to virtualize the stuff outside the firewall this year. Initially, I was going to build a separate VCenter stack to host those servers. I'm being encouraged not to do that because "almost no one does that anymore." The reason I wanted two stacks is alluded to in the following Hyper-V post (the last case scenario and yeah, I know it is dated and not about VMware, but I hold the issues exist without regard to vendor): http://www.aidanfinn.com/?p=11847

I'm fully aware that a lot of places don't go to the expense and trouble of having two separate stacks on two separate networks, but am I wrong that this is the most secure/least likely to have your LAN compromised configuration?
New separate stacks can be on the same hardware
just cabled differently
Any opinions expressed by me are mine alone, posted from my home computer, on my own time as a free American and do not reflect the opinions of any person or company that I have had professional relations with in the past 59 years. meep
New So, you'd say ...
Having the two networks hosting inside fw/outside fw vm's physically separated by a hw firewall is no longer necessary? It still seems to me that is the safest configuration.
New what is a hardware firewall?
a piece of software connecting 2 wires
Any opinions expressed by me are mine alone, posted from my home computer, on my own time as a free American and do not reflect the opinions of any person or company that I have had professional relations with in the past 59 years. meep
New Understood.
Do I understand you to say that physical isolation doesn't buy you much? If I've got edge/dmz vm's running on the same esx host as lan vm's and one of the edge/dmz vm's is compromised through a ddos attack or similar, are you saying that this scenario does not present a significantly worse problem than if the edge/dmz vm's were on a completely different host, wired into a different switch/san etc. than the lan vm's?
New you can flood the edge vm's until the network stack is plugged
depending on how your backplane is configured without causing any lan traffic to be impacted. Depends on whether the backplane can be isolated. On the unisphere gear (now jupiter I think) we could completely isolate the bandwidth on the backplane by allocating max thruput. That was in the late 1990's. Once that value was hit that's all it could use. If your gear can do that, it simplifies matters.

Also note your edge gear on a shared box should be wired to different san and switches than your lan gear.
Any opinions expressed by me are mine alone, posted from my home computer, on my own time as a free American and do not reflect the opinions of any person or company that I have had professional relations with in the past 59 years. meep
New Thanks.
     This could go in Software and Apps, but I think this is the place for a VCenter Q. - (mmoffitt) - (6)
         separate stacks can be on the same hardware - (boxley) - (5)
             So, you'd say ... - (mmoffitt) - (4)
                 what is a hardware firewall? - (boxley) - (3)
                     Understood. - (mmoffitt) - (2)
                         you can flood the edge vm's until the network stack is plugged - (boxley) - (1)
                             Thanks. -NT - (mmoffitt)

One thing you ought to know: well, I am the Mae-stro!
58 ms