shonen Posted August 17, 2009

Hey Hak5 community,

I was recently handed an assignment to design a network for a company and was considering using a virtualization solution much like the one Matt discussed in season 5 episode 11 for handling all the server operating systems and services required for end users. The company for this assignment needs a couple of publicly accessible services such as web, mail, etc., and from my understanding these should be placed in a demilitarized zone.

I was curious as to whether it is OK (secure/best practice) to run these publicly available services off, say, a Windows 2003 virtual machine configured specifically for IIS, which is situated on the data store alongside the private server VMs running Active Directory etc. I am assuming that if I was to do this I would have to dedicate a physical network card for the virtual IIS-enabled machine and allocate a different TCP/IP address to establish the demilitarized zone.

To be honest, I know very little about virtualization architecture and best practices, so my assumption may be completely wrong. I did do some lurking on Google but failed at finding anything that can answer my question above. I would greatly appreciate any discussion on the subject or linkage that can point me in the right direction.

Thanks in advance.
VaKo Posted August 17, 2009

Physical separation is the best idea, so I would look at using a separate server for your DMZ stuff. You simply place the management NIC on a separate network from your VM network's NIC. If you have to use the same hardware then you will need separate NICs and a dedicated datastore.
shonen (Author) Posted August 17, 2009

Ah, I figured physical separation may have been the best idea, thanks a bundle for clearing that up for me, Vako. Looks like it's Visio time. XD
decepticon_eazy_e Posted August 19, 2009

> Ah, I figured physical separation may have been the best idea, thanks a bundle for clearing that up for me, Vako. Looks like it's Visio time. XD

If you trust VLANs then physical separation isn't needed, just virtual. Some people don't trust VLANs, not sure why, but I can respect that. Also, the benefit here is more NIC ports for all your connections: instead of 2 for this one and 2 for that one, you get 4 for this one.
VaKo Posted August 19, 2009

> If you trust VLANs then physical separation isn't needed, just virtual. Some people don't trust VLANs, not sure why, but I can respect that. Also, the benefit here is more NIC ports for all your connections: instead of 2 for this one and 2 for that one, you get 4 for this one.

It's covering your ass really, and if it's a server that random people on the web can touch I'd much rather have red/green physical separation, as no matter how good the hacker, they won't be able to do jack if there isn't a link between the systems.