Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

DMZ Security and VMWare

Hi All,

We currently have a 3 layer DMZ environment, plus the Inside and Outside. Currently there is a proposal to combine servers in these 3 DMZ layers into one physical VMWare box, and then connection to the 3 layers using 3 separate NICS on the server.

Is this a good architecture from a security perspective? Will this environment be more vulnerable, remain the same, etc. Any detailed thoughts opinions, experience would be much appreciated.

Thank you,

Pradeep

4 REPLIES

Re: DMZ Security and VMWare

Logically, all three servers will still be seen as separate servers due to dedicated NIC for each system.

But physically, they are sitting together, and somehow there're still some security issues, i.e loophole/weaknesses in the VMWare or OS itself.

But if you have proper layers of security, i.e firewall, IPS, CSA and AV in place, this probably looks better and more secure.

HTH

AK

New Member

Re: DMZ Security and VMWare

Hi Amrih,

Thanks for the response. Given that we will have the IPS, HIDS, AV, etc is this better than having 3 separate physical boxes with all the necessary security software?

My concern is that if the underlying vmware or linux system is compromised than all servers at all 3 layers may get compromised, whereas if they are separate boxes then the breach can be contained in the layer it happened in.

Any thoughts on that or am I being overly cautious?

Thanks

Pradeep

Gold

Re: DMZ Security and VMWare

>>Is this a good architecture from a security perspective?

Not as good as physical separation;-) The question is whether it's good enough, and that's a decision only you can make. Even if we assume that it is impossible to access other instances (probably pretty naive), you should consider whether there is additional risk due to accidents (vmware misconfiguration, plugging into the wrong port, etc).

Re: DMZ Security and VMWare

mhellman has a point there...

But again, you need to really justify the risk vs proper security and how you qualify the possible threats and possible mitigations.

It doesn't meant that the system is 100% secure once you have all those gadgets monitoring/guarding your system. That's why you need to always update the IPS signature, AV & CSA, review firewall policy, perform penetration test and so on. Like what is stressed in Cisco SAFE Blueprint, security is an ongoing process, not a one-time deployment - need constant review & check.

Separate servers indeed more secure that consolidate everything into a single box. Any attacked can be contained into a single server. But still you have to compare it with your readiness to maintain it.

There is no right or wrong, it's the readiness, how you mitigate all possible threats and how the impact can affect you/your organization.

HTH

AK

314
Views
7
Helpful
4
Replies