DMZ Virtualization with VMware Infrastructure: VMware Best Practices

Table of Contents

Virtualized DMZ Networks
Three Typical Virtualized DMZ Configurations
    Partially Collapsed DMZ with Separate Physical Trust Zones
    Partially Collapsed DMZ with Virtual Separation of Trust Zones
    Fully Collapsed DMZ
Best Practices for Achieving a Secure Virtualized DMZ Deployment
    Harden and Isolate the Service Console
    Clearly Label Networks for Each Zone within the DMZ
    Set Layer 2 Security Options on Virtual Switches
    Enforce Separation of Duties
    Use ESX Resource Management Capabilities
    Regularly Audit Virtualized DMZ Configuration
Conclusion
References

Virtualized DMZ Networks

As virtualization of network DMZs becomes more common, demand is increasing for information to help network security professionals understand and mitigate the risks associated with this practice. This paper provides detailed descriptions of three different virtualized DMZ configurations and identifies best practice approaches that enable secure deployment.

VMware customer experience and independent analyst research demonstrate that it is possible to set up a DMZ in a virtualized environment that is as secure as a DMZ in a physical environment. However, some network security professionals are concerned that DMZ virtualization might decrease security. This is understandable, because virtualization involves new terminology and technology.

Fortunately, as a network security professional, you already have the critical knowledge necessary to ensure the proper configuration of a DMZ using virtual network infrastructure. Enforcement policies on a virtual network are the same as those on a physical network. Gartner research supports this view by suggesting that security risks primarily emanate from administrative misconfiguration and not from the virtual infrastructure. (See the References section for information on this Gartner report.) This paper provides information that will enable you to configure a virtualized DMZ correctly and deploy it seamlessly.

The biggest risk to a DMZ in a virtual environment is misconfiguration, not the technology. Thus you need strong audit controls to ensure that you avoid misconfiguration, either accidental or malicious.

As shown in Figures 1 and 2, the introduction of virtual technology into a DMZ does not have to change the DMZ topology significantly. As with other parts of the network, virtual technology merely enables you to consolidate servers by replacing physical servers with virtual servers that function exactly the same way, and need to be configured in much the same way, as their physical equivalents. You can consolidate servers in a DMZ using virtual technology and continue to rely on your existing security infrastructure.

[Figure 1 — A typical DMZ in a physical environment. Elements shown: Internet, IDS/IPS, Production LAN; Web zone, Application zone, Database zone.]

[Figure 2 — A typical DMZ in a virtual environment. Elements shown: Internet, IDS/IPS, Production LAN, Management LAN, VMware VirtualCenter server; one VMware ESX team per zone (Web, Application, Database), each with VMs, VMkernel, vSwitches, NICs and a service console with its own interface.]

Three Typical Virtualized DMZ Configurations

A virtualized DMZ network can fully support and enforce a wide range of configurations to separate trust zones. The three options described in this section are typical.

Partially Collapsed DMZ with Separate Physical Trust Zones

Organizations that want to keep DMZ zones physically separated tend to choose this method, shown in Figure 3. In this configuration, each zone uses separate ESX Server clusters. Zone isolation is achieved with physical security devices. The physical network does not require any change. The only difference between this configuration and a purely physical DMZ is that the servers within the trust zone are virtualized.

This configuration limits the benefits you can achieve from virtualization because it does not maximize consolidation ratios, but this approach is a good way to introduce virtual technology into a network. Because it has minimal impact on an existing physical network, this configuration removes many risks. For instance, it minimizes the impact of the potential loss of separation of duties. This, in turn, greatly reduces the chance that an unqualified individual might be in a position to introduce a vulnerability through misconfiguration.

In this configuration, you do not need to configure dedicated virtual switches or use 802.1q VLANs within the virtual infrastructure. You perform all networking isolation on the physical network, not within the virtual infrastructure.

Advantages
• Simpler, less complex configuration
• Less change to physical environment
• Less change to separation of duties; less change in staff knowledge requirements
• Less chance for misconfiguration because of lower complexity

Disadvantages
• Lower consolidation and utilization of resources
• Higher costs because of need for more ESX hosts and additional cooling and power
• Incomplete utilization of the advantages of virtualization

[Figure 3 — Partially collapsed DMZ with separate physical trust zones. Elements shown: Internet, IDS/IPS, Production LAN, Management LAN, VMware VirtualCenter server; one VMware ESX team per zone (Web, Application, Database), each with VMs, VMkernel, vSwitches, NICs and a service console with its own interface.]

Partially Collapsed DMZ with Virtual Separation of Trust Zones

In this configuration, shown in Figure 4, you use virtual technology to enforce DMZ trust zone separation. As a result, you can locate virtual servers with different trust levels on the same VMware® ESX host. Although physical security devices are part of the configuration, this approach consolidates all DMZ servers into virtual machines on one ESX host cluster. As a result, you need substantially fewer physical servers. By leveraging the full functionality of the virtual infrastructure, you generate significant cost savings for your IT organization.

Enforcement of the DMZ security zones takes place in both virtual and physical realms. You use virtual switches to enforce which virtual servers are connected to which DMZ zone, but you use physical hardware to enforce the network security between the zones. For this reason, virtual servers must use the physical network and pass through physical security devices to communicate between DMZ trust zones.

The impact of the potential loss of separation of duties between network switch administrator and server administrator, and the associated risk that an unqualified individual will be in a position to introduce vulnerabilities through misconfiguration, is greater in this case than when you have separate physical trust zones, but the potential impact is minimized by the fact that network security is still physically enforced.

Because the trust zones in this configuration are enforced in the virtual infrastructure, you should audit virtual switches regularly for consistent policy and settings to mitigate the potential for a virtual machine to be placed on the wrong network.

Although Figure 4 shows separate virtual switches for each zone, you can accomplish the same goal by using 802.1q VLANs. The most important factor in determining which configuration option to choose is typically the number of physical NICs present in the hardware. You should always dedicate at least one physical NIC to the ESX service console. If possible, use two physical NICs for the service console to provide redundancy.

Advantages
• Full utilization of resources
• Full utilization of the advantages of virtualization
• Lower cost

Disadvantages
• More complexity
• Greater chance of misconfiguration; requires explicit configuration of separation of duties to help mitigate risk of misconfiguration; also requires regular audits of configurations

[Figure 4 — Partially (caption truncated in the source). Elements shown: Internet, IDS/IPS, Production LAN, Management LAN, VMware VirtualCenter server; a single VMware ESX team hosting Web servers, Application servers and Database servers as VMs, with a Web zone vSwitch, Application zone vSwitch and Database zone vSwitch, each with its own NIC team, plus a service console with its own interface.]
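The audit that the virtual-separation configuration calls for, as an added example that is not code from the VMware paper: it checks a hand-constructed host inventory against a declared zone policy, flagging a VM attached to the wrong port group, a port group that belongs to no zone, a zone port group on the wrong 802.1q VLAN, and a service console without a dedicated or redundant physical NIC. All host, switch, port group and VLAN names are assumed.

```python
# Added example, not from the VMware paper: audit one ESX host's virtual
# network against a trust-zone policy for the "virtual separation" layout.
# Checks: each VM sits on the port group its zone allows, each zone port
# group carries its assigned 802.1q VLAN, and the service console owns a
# physical NIC no other vSwitch shares (two for redundancy). The inventory
# is constructed by hand; in practice it would be read from VirtualCenter.
ZONE_POLICY = {"web": ("PG-Web", 10), "app": ("PG-App", 20), "db": ("PG-DB", 30)}

# Constructed inventory with three deliberate problems (names are assumed).
HOST = {
    "service_console_vswitch": "vSwitch0",
    "vswitches": {
        "vSwitch0": {"uplinks": ["vmnic0"], "portgroups": {"Service Console": 0}},
        "vSwitch1": {"uplinks": ["vmnic1", "vmnic2"],
                     "portgroups": {"PG-Web": 10, "PG-App": 20, "PG-DB": 30, "PG-Temp": 0}},
    },
    "vms": [{"name": "web01", "zone": "web", "portgroup": "PG-Web"},
            {"name": "app01", "zone": "app", "portgroup": "PG-App"},
            {"name": "db01", "zone": "db", "portgroup": "PG-Web"}],  # db01 misplaced
}

def audit_host(host, policy=ZONE_POLICY):
    """Return a list of finding strings; an empty list means the host is compliant."""
    findings, switches, sc = [], host["vswitches"], host["service_console_vswitch"]
    required_vlan = {pg: vlan for pg, vlan in policy.values()}
    # 1. VM placement: the zone label must agree with the attached port group.
    for vm in host["vms"]:
        want = policy[vm["zone"]][0]
        if vm["portgroup"] != want:
            findings.append(f"VM {vm['name']} (zone {vm['zone']}) is on "
                            f"{vm['portgroup']}, expected {want}")
    # 2. Zone switches: every port group is known to policy and on its VLAN.
    for name, sw in switches.items():
        if name == sc:
            continue
        for pg, vlan in sw["portgroups"].items():
            if pg not in required_vlan:
                findings.append(f"port group {pg} on {name} belongs to no zone")
            elif vlan != required_vlan[pg]:
                findings.append(f"port group {pg} has VLAN {vlan}, policy requires {required_vlan[pg]}")
    # 3. Service console uplinks: dedicated to it, and ideally redundant.
    shared = {n for name, sw in switches.items() if name != sc for n in sw["uplinks"]}
    dedicated = set(switches[sc]["uplinks"]) - shared
    if not dedicated:
        findings.append(f"service console on {sc} has no dedicated physical NIC")
    elif len(dedicated) == 1:
        findings.append(f"service console on {sc} has a single NIC, no redundancy")
    return findings
```

Running audit_host(HOST) returns three findings; a compliant host returns an empty list, which makes the function usable as a scheduled check whose non-empty output is the audit exception report.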