Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
486
Views
7
Helpful
4
Replies

DMZ Security and VMWare

pmajumder
Level 3
Level 3

‎11-15-2006 05:42 AM - edited ‎03-09-2019 04:53 PM

Hi All,

We currently have a 3 layer DMZ environment, plus the Inside and Outside. Currently there is a proposal to combine servers in these 3 DMZ layers into one physical VMWare box, and then connection to the 3 layers using 3 separate NICS on the server.

Is this a good architecture from a security perspective? Will this environment be more vulnerable, remain the same, etc. Any detailed thoughts opinions, experience would be much appreciated.

Thank you,

Pradeep

Labels:
0 Helpful
4 Replies 4

a.kiprawih
Level 7
Level 7

‎11-15-2006 06:58 AM

Logically, all three servers will still be seen as separate servers due to dedicated NIC for each system.

But physically, they are sitting together, and somehow there're still some security issues, i.e loophole/weaknesses in the VMWare or OS itself.

But if you have proper layers of security, i.e firewall, IPS, CSA and AV in place, this probably looks better and more secure.

HTH

AK

0 Helpful

pmajumder
Level 3
Level 3
In response to a.kiprawih

‎11-15-2006 08:20 AM

Hi Amrih,

Thanks for the response. Given that we will have the IPS, HIDS, AV, etc is this better than having 3 separate physical boxes with all the necessary security software?

My concern is that if the underlying vmware or linux system is compromised than all servers at all 3 layers may get compromised, whereas if they are separate boxes then the breach can be contained in the layer it happened in.

Any thoughts on that or am I being overly cautious?

Thanks

Pradeep

0 Helpful

mhellman
Level 7
Level 7

‎11-15-2006 12:53 PM

>>Is this a good architecture from a security perspective?

Not as good as physical separation;-) The question is whether it's good enough, and that's a decision only you can make. Even if we assume that it is impossible to access other instances (probably pretty naive), you should consider whether there is additional risk due to accidents (vmware misconfiguration, plugging into the wrong port, etc).

a.kiprawih
Level 7
Level 7
In response to mhellman

‎11-15-2006 05:22 PM

mhellman has a point there...

But again, you need to really justify the risk vs proper security and how you qualify the possible threats and possible mitigations.

It doesn't meant that the system is 100% secure once you have all those gadgets monitoring/guarding your system. That's why you need to always update the IPS signature, AV & CSA, review firewall policy, perform penetration test and so on. Like what is stressed in Cisco SAFE Blueprint, security is an ongoing process, not a one-time deployment - need constant review & check.

Separate servers indeed more secure that consolidate everything into a single box. Any attacked can be contained into a single server. But still you have to compare it with your readiness to maintain it.

There is no right or wrong, it's the readiness, how you mitigate all possible threats and how the impact can affect you/your organization.

HTH

AK

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents