Virtual machines and the virtual DMZ

June 5, 2008

An article by Edward Haletky made me think about ESX and the DMZ in general. The schematic picture is simple: services that need to be accessible from the Internet are in the DMZ (the demilitarized zone between the internal enterprise network and the Internet, in case you wonder), all others are in the internal network. In between, we place a 3-port firewall, one port for the Internet, one for the DMZ, and one for the internal network.

In reality, it’s, of course, never that simple. Let’s ignore all the complexities of real-life physical networks for a moment and think about virtualization in the most simplistic case imaginable. We run public web servers, mail servers, databases, and application servers inside VMs on ESX servers. Obviously public web servers and mail servers must be in the DMZ, databases must not. So what do we do? One option I have seen is separate ESX servers. Not pretty, because you tie down VMs to a small set of hosts in the DMZ. And for the service console, we have set up a separate network anyway, because we do not want it in the DMZ. The second option is dedicated DMZ NICs. Somewhat better than option 1: it means that certain network interface cards are connected to the DMZ; we can share VM hosts between DMZ and internal guests and do the separation on the virtual network (on vSwitches or VLANs in the case of VMware ESX). Still fairly inflexible.

The case for the virtual alternative to options 1 and 2 is pretty straightforward. Going virtual means combining vSwitches, VLANs and virtual firewalls to establish a virtual DMZ (VDMZ). Putting a VM in a VDMZ is a clear and simple concept: it means putting the VM on a VLAN that is connected to the DMZ and shielding it with a virtual firewall inside the ESX server.
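As an added example (not code from the original post), the small Python audit below checks a constructed ESX port-group layout for the separation this design relies on: the service console kept off the DMZ, no port group on VLAN 4095 handing every VLAN to a guest, and no VM other than the virtual firewall with vNICs in both zones. The zone-to-VLAN mapping, port-group names and VM names are all assumptions of the example.

```python
"""Audit an ESX virtual network layout for DMZ separation (added example, constructed data)."""
from dataclasses import dataclass

# Assumed zone plan: ESX knows only port-group names and VLAN IDs, so the VLAN-to-zone mapping is ours.
ZONES = {"DMZ": {100}, "INTERNAL": {200}, "MGMT": {10}}
VGT_ALL_VLANS = 4095  # an ESX port group on VLAN 4095 passes every VLAN tagged to the guest

@dataclass
class PortGroup:
    name: str
    vswitch: str
    vlan: int

@dataclass
class VM:
    name: str
    portgroups: list           # port groups the VM's vNICs attach to
    is_firewall: bool = False  # only the virtual firewall may span zones

def zone_of(vlan):
    return next((z for z, ids in ZONES.items() if vlan in ids), "UNKNOWN")

def audit(portgroups, vms, service_console_pg):
    """Return findings as strings; an empty list means the layout passes."""
    pg = {p.name: p for p in portgroups}
    findings = []
    # A port group trunking all VLANs hands every zone to the guest.
    for p in portgroups:
        if p.vlan == VGT_ALL_VLANS:
            findings.append(f"{p.name}: VLAN 4095 exposes all zones to guests")
    # The service console belongs on its own network, never in the DMZ.
    if zone_of(pg[service_console_pg].vlan) != "MGMT":
        findings.append(f"service console on non-MGMT port group {service_console_pg}")
    # A VM with vNICs in two zones is a path around the virtual firewall.
    for vm in vms:
        zones = {zone_of(pg[n].vlan) for n in vm.portgroups}
        if len(zones) > 1 and not vm.is_firewall:
            findings.append(f"{vm.name}: bridges zones {sorted(zones)}")
    return findings

# Constructed sample: one shared vSwitch for guests, a separate one for the console.
SAMPLE_PGS = [PortGroup("DMZ", "vSwitch1", 100), PortGroup("Internal", "vSwitch1", 200),
              PortGroup("ServiceConsole", "vSwitch0", 10)]
SAMPLE_VMS = [VM("web01", ["DMZ"]), VM("db01", ["Internal"]),
              VM("vfw01", ["DMZ", "Internal"], is_firewall=True),
              VM("app01", ["DMZ", "Internal"])]  # misconfigured: straddles both zones

if __name__ == "__main__":
    for finding in audit(SAMPLE_PGS, SAMPLE_VMS, "ServiceConsole"):
        print("FINDING:", finding)
```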

Dedicating physical NICs for the DMZ is wasteful, both in terms of the cost of the NICs and the lost flexibility. Either I have to dedicate two NICs (assuming that I need redundancy) for the DMZ on every single server, or I have to limit the servers that can host DMZ VMs – which is awfully close to option 1.

Talking to many VMware users, I find there are still some concerns to overcome. Virtual DMZs are sometimes perceived to be less secure. I cannot share the sentiment, having seen too many misconfigured physical firewalls and too many untraceable wires connecting segments that should not be connected, but in the end, the practices from physical networks will carry over. As mentioned in the beginning, real-life physical networks consist of multiple DMZs, mostly separated by VLANs. So it’s certain that the much more virtualization-minded VMware crowd will go for virtual DMZs, too.