Network setup including VMWare

[joeypesci]

I currently have, physically, a router, then a firewall both on 10.0.0.1 range

Then from the 2nd nic I have everything else on the 10.0.1.1 range.

If within this 10.0.1.1 range I build a couple of servers in VMware with 2 virtual nics in them would it be logically possible to have them on a different IP range? I would of thought not, as they are ultimately on the 10.0.1.1 range and just pretending, virtually, to be on a different IP range. So if someone got onto them from the outside, they've eventually be able to get into the main network.

This is the current setup

I'm not sure I understand DMZ zones. Someone has said mine isn't a true DMZ and that I should stick the VM exchange out on the DMZ so if anyone was to break in, they'd be stuck in the DMZ and could only trash the exchange (which isn't a problem as it's not being used properly just for messing about). They also said something like, making the DMZ so that it just keeps bouncing the traffic back to the person attempting the attack, so they essentially end up attacking themselves.

What I'm not sure about though is where the virtual exchange is. It's in the Green zone currently. Is it possible to give it a new IP like 10.0.2.1, still be on the 255.255.255.0 range, yet be isolated from the rest of the network and put in a DMZ?

Not sure if I explained that correctly.

Used

http://www.gliffy.com/

to create that diagram.

[joeypesci]

No one?

This is for a home setup.

[Eviltechie]

I want to know how to do this myself. And I'm clueless.

[SomethingToChatWith]

Some routers have the option to expose one computer on the network to the DMZ, but I still don't think it would isolate it from the rest of the network.

[Sparda]

Some routers have the option to expose one computer on the network to the DMZ, but I still don't think it would isolate it from the rest of the network.

A true DMZ would. Most consumer NAT routers versions of a DMZ is simply forwarding all ports to the specified IP address.

[lanwanman]

It would be more secure if the VM Exchange Box was in the DMZ range (red zone according to your network diagram). I say that b/c if a malicious user or virus gained access to your VM Exchange Box, then they also have access to your entire 10.0.1.xxx network to create some more havoc. You should create routes in the firewall from the machines on the 10.0.1.xxx network from specific IP addresses on the LAN to be able to talk to the exchange server on the 10.0.0.xxx if needed. Ideally, you would have a second firewall with an additional IP range for the VM Exchange Box but I'm not going to go into that for a home setup. I'm not sure why you want to give the Exchange Box a new IP address of 10.0.2.1. If you did that, then you will need another box on that same network in order to talk to it.

[joeypesci]

It would be more secure if the VM Exchange Box was in the DMZ range (red zone according to your network diagram). I say that b/c if a malicious user or virus gained access to your VM Exchange Box, then they also have access to your entire 10.0.1.xxx network to create some more havoc. You should create routes in the firewall from the machines on the 10.0.1.xxx network from specific IP addresses on the LAN to be able to talk to the exchange server on the 10.0.0.xxx if needed. Ideally, you would have a second firewall with an additional IP range for the VM Exchange Box but I'm not going to go into that for a home setup. I'm not sure why you want to give the Exchange Box a new IP address of 10.0.2.1. If you did that, then you will need another box on that same network in order to talk to it.

Thanks. Only said about the new IP range as I'm not sure I understand some of it.

[shonen]

Your network NEEDS MORE NAS'S =P I kid I kid.

[shonen]

This is an interesting topic, I to am interested seeing as I am studying networking.

Please correct me if I am wrong (I am still a n00b with this) but I was under the impressing that for stuff like this you would use the 3 legend firewall design. So you would be adding a new NIC to your hardware firewall (creating a orange zone DMZ for your VM that resides on a different Network portion of your addressing scheme).

By the way whats going on with your addressing? class A with 24 bits for the network portion and 8 for hosts like class C? Subnetting or does that make it classless??? You have lost me. XD

[Trajik]

Sounds like you need a 'real' DMZ. Only because you mentioned other people from outside getting into these VMs. So what you want is basically a different subnet which access control rules to prevent it from speaking to your 'green zone' but allow to speak to your 'red zone' while the green zone still can talk to it.

But with using virtual NICs, and not having a physical 'DMZ' port anywhere, things will get retarded with the routing and ACLs.

Also, how many NICs do you have in the VM server? Is it possible to get a second?

You are trying to use what you have to make a virtual DMZ so to speak, which will work in theory, but won't work for security purposes. It won't actually be a DMZ. It will just be a different subnet, which will mean nothing because if they are attached to the same physical link you won't be able to control the access between the routes properly and thus it won't be a true DMZ (from what i can see anyway). It will just be 2 networks that can communicate. (Which you don't want if you are letting outsiders in)

If you had a 2nd NIC in your VM server. And had a 3rd NIC in your firewall. You could make this work. You could make the 3rd NIC on the firewall be on a 10.0.2.x /24 subnet. Plug that directly into one of your dumb switches. Plug Your VM's 2nd NIC into that same switch (or do it directly). Set the 2nd NIC of your VM server to be in the 2.x subnet. While your first remains in 1.x. Set your virtual machines to be 2.x. On the firewall create an ACL which prevents 2.x from speaking to 1.x but allow 1.x to speak to 2.x (i'm assuming your firewall can do this). Then allow 2.x to communicate with everything else and give the VMs a default gateway of your firewalls 3rd NIC. And everything should be hunky dorey. Then just set up your NAT rules to translate from your outside to your inside VMs.

The only thing then you have to worry about is the actual security of your VM server and the VMs. VMs are generally great sandboxes and whatever is inside them can't escape to the host machine (your VM server). But i know there are some security risks floating around lately, so you may want to read up on VMware security. But apart from that. Should be good to go and you should be able to serve outsiders into your VM without venturing into your green zone.

[Trajik]

This is an interesting topic, I to am interested seeing as I am studying networking.

By the way whats going on with your addressing? class A with 24 bits for the network portion and 8 for hosts like class C? Subnetting or does that make it classless??? You have lost me. XD

In theory this is classless (shit it's been a while since i studied this...). It is still subnetting however. He has two separate class C networks going on here. It doesn't matter what IP's they are, aslong as the hosts fall within that subnet. 1.x /24 is a different subnet from 2.x /24. The /24 bits is what is making the subnet. It doesn't have to be 192.168.x.x. The /24 is the important thing. People find it easier to use 10.x.x.x /24 than 192.x.x.x /24 as it's easier to use, remember and configure devices. Especially in larger organisations when you have a large number of separate subnets and sites.

[shonen]

Thanks for the explanation Trajik, what you are saying makes perfect sense. I am a lil rusty myself seeing as I only covered some of the basic TCP/IP fundamentals in mid December.

[joeypesci]

Sounds like you need a 'real' DMZ. Only because you mentioned other people from outside getting into these VMs. So what you want is basically a different subnet which access control rules to prevent it from speaking to your 'green zone' but allow to speak to your 'red zone' while the green zone still can talk to it.

But with using virtual NICs, and not having a physical 'DMZ' port anywhere, things will get retarded with the routing and ACLs.

Also, how many NICs do you have in the VM server? Is it possible to get a second?

You are trying to use what you have to make a virtual DMZ so to speak, which will work in theory, but won't work for security purposes. It won't actually be a DMZ. It will just be a different subnet, which will mean nothing because if they are attached to the same physical link you won't be able to control the access between the routes properly and thus it won't be a true DMZ (from what i can see anyway). It will just be 2 networks that can communicate. (Which you don't want if you are letting outsiders in)

If you had a 2nd NIC in your VM server. And had a 3rd NIC in your firewall. You could make this work. You could make the 3rd NIC on the firewall be on a 10.0.2.x /24 subnet. Plug that directly into one of your dumb switches. Plug Your VM's 2nd NIC into that same switch (or do it directly). Set the 2nd NIC of your VM server to be in the 2.x subnet. While your first remains in 1.x. Set your virtual machines to be 2.x. On the firewall create an ACL which prevents 2.x from speaking to 1.x but allow 1.x to speak to 2.x (i'm assuming your firewall can do this). Then allow 2.x to communicate with everything else and give the VMs a default gateway of your firewalls 3rd NIC. And everything should be hunky dorey. Then just set up your NAT rules to translate from your outside to your inside VMs.

The only thing then you have to worry about is the actual security of your VM server and the VMs. VMs are generally great sandboxes and whatever is inside them can't escape to the host machine (your VM server). But i know there are some security risks floating around lately, so you may want to read up on VMware security. But apart from that. Should be good to go and you should be able to serve outsiders into your VM without venturing into your green zone.

Thanks for that. I'm a little lost though :) the firewall is running Endian firewall. Unfortunately the firewall machine can only have 2 NICs, one on board and a PCI one (it's a Dell GX620 small form factor). The VMWare PC is a GX745 small form factor so again can only have 2 NICs but currently has only the onboard one as to get a low height NIC for them costs about £20+ from ebuyer :(

If I brought another NIC for the VMware box is it still doable?

And yeah, I'm on the 10. range because it's easier to type :)

[decepticon_eazy_e]

Thanks for that. I'm a little lost though :) the firewall is running Endian firewall. Unfortunately the firewall machine can only have 2 NICs, one on board and a PCI one (it's a Dell GX620 small form factor). The VMWare PC is a GX745 small form factor so again can only have 2 NICs but currently has only the onboard one as to get a low height NIC for them costs about £20+ from ebuyer :(

If I brought another NIC for the VMware box is it still doable?

And yeah, I'm on the 10. range because it's easier to type :)

Can you do trunking on that firewall? You probably have the potential of 100+ VLANs then.

In VMware, I can assure you can trunk that and have 1024 Vlans. Do you have managed switches that can do Vlans?

[joeypesci]

Can you do trunking on that firewall? You probably have the potential of 100+ VLANs then.

In VMware, I can assure you can trunk that and have 1024 Vlans. Do you have managed switches that can do Vlans?

Erm, haven't a clue as mainly don't know what you're talking about :) and never dealt with VLans before.

What do you guys think of this

http://www.ebuyer.com/product/94160

to replace the actual firewall PC. It has more ports as well so I assume I could do the 3 NIC thing with it?

[Trajik]

Looking at that Netgear... it doesn't look ideal. Check out some user reviews here http://www.newegg.com/Product/ProductRevie...oOnlyMark=False

Are you doing all this just to play around? Or is it something you will actually be using a fair bit of? If it's just to play around, you may be able to do something similar like this.

Now this is what we spoke about using the same physical connections, which i don't like doing, but it will still work... if you get a second NIC for your VMbox, it will be better....

Keep your firewall 'as is'.

(im only going to say add a second NIC to your VMbox, because i think it will be more efficient and better for security, but you could just use the same NIC and give the Virtual Machine this IP.)

Install a second NIC on your VMbox. Give it a 0.x IP (red zone). Create your virtual machine and bind it to the new NIC and put it on the 0x subnet. Plug that NIC into your switch, which in turn plugs into the 0.x NIC of your firewall.

(i can't view your diagram right now so i forget how your switches are set up, but you want to have a red zone switch, and a green zone switch. Don't use the same ones. If your switches were managed, you could VLAN this, but if not, you are best seperating them physically as it's ideal security. If you can't separate your switches, and can't set up VLANs on them... then you may aswell just do below and don't bother with installing a second NIC)

Basically this configuration is just removing the part where you need a separate DMZ. Technically this is still a DMZ by design as 0.x is not a public address. You can still have access rules on the firewall to prevent people from going across to your green zone (as im sure is already in place) and have rules to allow green zone traffic > into red.

If you DIDN'T get a second NIC, or you can't seperate your switches by 'zone', you could just create a virtual NIC with 0.x within VMware, and run it into your switch > into your firewall. It will work the same but i don't know, i just have a thing about Layer 2 where i think it should be seperate if you want the security.

When all that is set up, all you will need to do is (depending on your modem/router) is port forward the traffic from the internet to your VM. It will go through your red zone, and stay in your red zone. Green zone will also be able to access it (obviously just using its 0.x address)

Sorry if that post was a bit jumbled, i'm still half asleep

[joeypesci]

Looking at that Netgear... it doesn't look ideal. Check out some user reviews here http://www.newegg.com/Product/ProductRevie...oOnlyMark=False

Are you doing all this just to play around? Or is it something you will actually be using a fair bit of? If it's just to play around, you may be able to do something similar like this.

Now this is what we spoke about using the same physical connections, which i don't like doing, but it will still work... if you get a second NIC for your VMbox, it will be better....

Keep your firewall 'as is'.

(im only going to say add a second NIC to your VMbox, because i think it will be more efficient and better for security, but you could just use the same NIC and give the Virtual Machine this IP.)

Install a second NIC on your VMbox. Give it a 0.x IP (red zone). Create your virtual machine and bind it to the new NIC and put it on the 0x subnet. Plug that NIC into your switch, which in turn plugs into the 0.x NIC of your firewall.

(i can't view your diagram right now so i forget how your switches are set up, but you want to have a red zone switch, and a green zone switch. Don't use the same ones. If your switches were managed, you could VLAN this, but if not, you are best seperating them physically as it's ideal security. If you can't separate your switches, and can't set up VLANs on them... then you may aswell just do below and don't bother with installing a second NIC)

Basically this configuration is just removing the part where you need a separate DMZ. Technically this is still a DMZ by design as 0.x is not a public address. You can still have access rules on the firewall to prevent people from going across to your green zone (as im sure is already in place) and have rules to allow green zone traffic > into red.

If you DIDN'T get a second NIC, or you can't seperate your switches by 'zone', you could just create a virtual NIC with 0.x within VMware, and run it into your switch > into your firewall. It will work the same but i don't know, i just have a thing about Layer 2 where i think it should be seperate if you want the security.

When all that is set up, all you will need to do is (depending on your modem/router) is port forward the traffic from the internet to your VM. It will go through your red zone, and stay in your red zone. Green zone will also be able to access it (obviously just using its 0.x address)

Sorry if that post was a bit jumbled, i'm still half asleep

Thanks. This is all the information I was hoping to get :) just gotta read through it and try to understand it :) I'm not a whizz on network setups.

It's just to play around really to learn how it all works. Same with the exchange, will be to see how it all works, also helps out with supporting stuff like this at work :)

Might be able to get another NIC for the VMWare box, I'd have to buy one though, although I could try the ones I found lying about but think some of them don't work as one of them lock the PC when I tried it a while ago.

[Trajik]

Haha i understand. You don't have to go through the whole 'network' setup thing just to play with exchange. I'd recommend just keeping that inside as you play with it, because it could get pretty confusing (if it wasn't already :P) Then you could play with all the network stuff separately. Totally up to you but yeah. Have you thought about doing any self study on networking? You'd be surprised at how much you learn and understand from even going through a couple of the CCNA ebooks. Especially on routing and VLANs in your case. Things would become so much clearer :). Worked for me.

[joeypesci]

I did have exchange already setup and played with it a bit, I wanted to now move it to a proper place in a proper network :)

I have tried watching some of the Train Signal vids, reading networking just gets way to confusing and boring, I prefer to watch vids on it, with follow along video guides. However, I like listening to the ones with Scott Skinger but a lot of the others just do my head in, David Davis being one of them. I watched a bit of his VMWare training vids. His voice got so annoying and irritating I had to turn it off :)

Thanks for all the help though.

[Trajik]

lol i agree... i'm the same. i can't stand reading books. I had no choice when i first started learning networking, but now with the plethora of videos and CBTs it makes life easier. And yeah, totally agree, most presenters are so boring and sterile... oh and those whiney nerdy voices like a cartoon character. My favorite presenter would be Jeremy Ciora from CBT Nuggets. He does Cisco and Microsoft Vids. He is gold... he goes off on tangents about watching 24 with his wife and getting excited when he sees the Cisco IP phones and when he was watching 'Firewall' with Harrison Ford he was all cheering because Harrison used the correct ACL on the firewall to lock out the 'hacker'. Haha it's good value.

[decepticon_eazy_e]

Adding a NIC and putting half of the server in the DMZ is not a secure solution. If security is the goal in this solution (which is where it originally headed), adding a NIC for another subnet is not ideal. If they compromise the box via the lower security of a DMZ, they can now have free reign in the INSIDE network.

A server in 2 different security zones is not a solution, it's a fix.

VLANs is how you accomplish this solution, if you don't understand them or have the equipment to implement them, you will not have the correct solution. VLANs are not that complicated, Wikipedia probably can explain it enough.

Now I understand this is not a super-secure company with HIPPA or PCI-like requirements ("This is for a home setup."), but that was where the discussion was heading. I just want to put the 2 cents in that those recommendations are the answer to "how can I make this work" vs "what is the best way".

DMZ implantation rule #1: If you have a rule that includes all hosts on the internal network can get to all hosts on the DMZ, you don't need a DMZ. So do you really need to bother with all this?

[joeypesci]

All suggestions welcome. I still have to understand DMZ and VLan anyway :)

[Trajik]

Adding a NIC and putting half of the server in the DMZ is not a secure solution. If security is the goal in this solution (which is where it originally headed), adding a NIC for another subnet is not ideal. If they compromise the box via the lower security of a DMZ, they can now have free reign in the INSIDE network.

A server in 2 different security zones is not a solution, it's a fix.

VLANs is how you accomplish this solution, if you don't understand them or have the equipment to implement them, you will not have the correct solution. VLANs are not that complicated, Wikipedia probably can explain it enough.

Now I understand this is not a super-secure company with HIPPA or PCI-like requirements ("This is for a home setup."), but that was where the discussion was heading. I just want to put the 2 cents in that those recommendations are the answer to "how can I make this work" vs "what is the best way".

DMZ implantation rule #1: If you have a rule that includes all hosts on the internal network can get to all hosts on the DMZ, you don't need a DMZ. So do you really need to bother with all this?

You say VLANs are the only secure way... VLANs standing for Virtual LAN. The suggestion originally to add additional NICs was to separate the networks. A VLAN is splitting up the networks virtually, and then you can put access controls in place to secure traffic going across the VLANs. It's exactly the same as adding additional NICs. They will be on 'seperate LANs'. Physically, not virtually. They will have ACLs and routes protecting from one LAN to the other. In this scenario, of course the green zone can access the 'DMZ' or even the 'Red Zone'. That is the point of a DMZ. Trusted networks can access untrusted, but untrusted can't access trusted.

DMZ implantation rule #1: If you have a rule that includes all hosts on the internal network can get to all hosts on the DMZ, you don't need a DMZ. So do you really need to bother with all this?

What do you mean? The point of the DMZ is so OUTSIDE or public hosts can access the resources on the DMZ, but not access the trusted network. The trusted network, or 'all inside hosts' still need to access the resources on the DMZ also. That is the point of it. Maybe i am missing something but that is a secure way of implementing this. And i will say MORE secure than VLANs, as VLANs you are introducing another layer of attack vectors (layer 2).

[decepticon_eazy_e]

You say VLANs are the only secure way... VLANs standing for Virtual LAN. The suggestion originally to add additional NICs was to separate the networks. A VLAN is splitting up the networks virtually, and then you can put access controls in place to secure traffic going across the VLANs. It's exactly the same as adding additional NICs. They will be on 'seperate LANs'. Physically, not virtually. They will have ACLs and routes protecting from one LAN to the other. In this scenario, of course the green zone can access the 'DMZ' or even the 'Red Zone'. That is the point of a DMZ. Trusted networks can access untrusted, but untrusted can't access trusted.

The single box is on multiple physical LANs. You get a 2 for 1 hack here, compromise the box from one LAN and you get the second LAN for free. Don't put the box in multiple LANs, virtual or physical. The VLANs are useful because it was mentioned that the firewall had a limited amount of NICs. The server, being Vmware, also had a limited amount of NICs. Make those trunks and assign your virtual machines to one VLAN only. The box has a management IP, which will reside in your most trusted network. At no point do these networks touch each other... UNTIL you plop a server down with 2 or more NICs in 2 or more networks.

What do you mean? The point of the DMZ is so OUTSIDE or public hosts can access the resources on the DMZ, but not access the trusted network. The trusted network, or 'all inside hosts' still need to access the resources on the DMZ also. That is the point of it. Maybe i am missing something but that is a secure way of implementing this. And i will say MORE secure than VLANs, as VLANs you are introducing another layer of attack vectors (layer 2).

DMZ is to be treated as a hostile network, similar to the outside world. Granted, this is not as hostile a network, but still not to be trusted. This is the DMZ's purpose. If any box in the DMZ is compromised it will have limited, if any, access to the internal network. The firewall rules will look like this, internal hosts get port 80 to server A in DMZ, and port 110+25 to server B in DMZ. The rules will mimic those to the outside world, but you add port 3389 or something like that for administration. The point of the DMZ is that all traffic passes through the firewall and thus can be inspected or blocked. If a server in the DMZ has another NIC in the internal network, you have installed a backdoor into your network and bypassed the firewall completely.

[Trajik]

Haha i was reading everything in your post and agreeing totally, but was wandering where the debate actually was?.. Then I realized in my earlier posts i said to have a second NIC in the VMbox and have the 2 seperate networks on that same box. yeah sorry, i agree, thats a bad idea. I probably should have explained more. You would have a firewall (say windows firewall) preventing the untrusted NIC or network from accessing anything on the box (deny all). But looking at it now, that sounds unnecessarily messy. Keeping the one NIC on the VMbox and put it on the DMZ or in the Red zone. Then control access to it with ACLs is the simplest way.