While there are many ways to configure your virtualization host to connect to DMZ networks, there are some best...
practices that you should follow to help improve security and minimize the risks that could arise in connecting a host to a hostile network.
- Limit the number of people that can modify VM networks: While you can trust your hypervisor to provide a secure environment for your VMs, you shouldn’t necessarily trust your users and admins to do the right things. A hypervisor will do what it’s told to do, and configuration changes can potentially expose your VMs to hostile conditions. With physical servers, you have to physically unplug a cable from one switch and plug it into another to move it to another network. A VM, on the other hand, can easily be moved from an internal network to a DMZ network with a click of a but ton—or even worse, it can be connected to both networks simultaneously. Therefore, access should be locked down so only certain people can modify VM network and vSwitch configurations.
- Use virtual firewalls in conjunction with physical firewalls: A virtual firewall provides an additional layer of security within the hypervisor and protects VM network traffic at the virtualization layer. There are free basic virtual firewalls available, as well as more advanced products like VMware’s vShield Zones and other products from third-party vendors.
- Lock down your vSwitch settings: Limit the number of ports on a vSwitch to exactly the number of VMs connected to it. Also set the device to Promiscuous Mode, MAC Address Changes and Forged Transmits to Reject.
- Harden the host to make it as secure as possible: vSphere is pretty secure by default, but it can be improved upon. Follow the best practices that VMware publishes for hardening your whole virtual environment.