How To Virtualise DMZs Well
VMware have released a Best Practice guide for DMZ implementations in a VMware ESX infrastructure.
It outlines the three main implementation routes and, for each, the advantages and disadvantages summarised below:
Partially Collapsed DMZ with Separate Physical Trust Zones
Advantages
- Simpler, less complex configuration
- Less change to physical environment
- Less change to separation of duties
- Less change in staff knowledge requirements
- Less chance for misconfiguration because of lower complexity
Disadvantages
- Lower consolidation and utilization of resources
- Higher costs because of need for more ESX hosts and additional cooling and power
- Incomplete utilization of the advantages of virtualization
Partially Collapsed DMZ with Virtual Separation of Trust Zones
Advantages
- Full utilization of resources
- Full utilization of the advantages of virtualization
- Lower cost
Disadvantages
- More complexity
- Greater chance of misconfiguration
- Requirement for explicit configuration of separation of duties to help mitigate risk of misconfiguration
- Requires regular audits of configurations
Fully Collapsed DMZ
Advantages
- Full utilization of resources, replacing physical security devices with virtual
- Lowest-cost option
- Management of entire DMZ and network from a single management workstation
Disadvantages
- Greatest complexity, which in turn creates highest chance of misconfiguration
- Requirement for explicit configuration of separation of duties to help mitigate risk of misconfiguration
- Requires regular audits of configurations
- Loss of certain functionality, such as VMotion, if current virtual security appliances are not properly configured and audited
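Both collapsed options above rest on the same two controls: explicit separation of duties and regular audits of the virtual network configuration, because the host itself no longer guarantees that trust zones stay apart. The following is an added example of what such an audit can check; it is not part of the VMware guide. It runs offline over a constructed inventory whose dict layout is an assumption (roughly what you would export from PowerCLI or pyVmomi) and flags the misconfigurations that collapse the zones: a physical uplink shared between zones, a VM with vNICs in two zones that is not an approved virtual security appliance, and promiscuous mode accepted on a zone port group.

```python
"""Offline audit of a collapsed-DMZ ESX network layout for trust-zone bleed.

Rules checked (these encode the separation the collapsed options depend on):
  1. every vSwitch is assigned to exactly one trust zone;
  2. physical uplinks (vmnics) are never shared between zones;
  3. no VM has vNICs in more than one zone unless it is an approved
     virtual security appliance (the only thing allowed to straddle zones);
  4. promiscuous mode is rejected on every zone port group.
"""
from collections import defaultdict

# Constructed inventory in a hypothetical export format (the dict shape is
# an assumption, not a VMware API). It deliberately contains three faults.
INVENTORY = {
    "zones": {
        "management": ["vSwitch0"],
        "dmz": ["vSwitch1"],
        "internal": ["vSwitch2"],
    },
    "vswitches": {
        "vSwitch0": {"uplinks": ["vmnic0"],
                     "portgroups": {"Management": {"vlan": 10, "promiscuous": False}}},
        "vSwitch1": {"uplinks": ["vmnic1"],
                     "portgroups": {"DMZ-Web": {"vlan": 100, "promiscuous": True}}},
        "vSwitch2": {"uplinks": ["vmnic1", "vmnic2"],   # vmnic1 is also the DMZ uplink
                     "portgroups": {"Internal-App": {"vlan": 200, "promiscuous": False}}},
    },
    "vms": {
        "web01": ["DMZ-Web"],
        "app01": ["Internal-App"],
        "jump01": ["DMZ-Web", "Internal-App"],   # bridges DMZ and internal
        "vfw01": ["DMZ-Web", "Internal-App"],    # approved virtual firewall
    },
    "approved_appliances": ["vfw01"],
}


def zone_of_switch(inv):
    """Map vSwitch name -> zone, recording any switch claimed by two zones."""
    owner, findings = {}, []
    for zone, switches in inv["zones"].items():
        for sw in switches:
            if sw in owner and owner[sw] != zone:
                findings.append(f"vSwitch {sw} is claimed by zones {owner[sw]} and {zone}")
            owner[sw] = zone
    return owner, findings


def zone_of_portgroup(inv, owner):
    """Map port group name -> zone of the vSwitch that carries it."""
    return {pg: owner.get(sw)
            for sw, cfg in inv["vswitches"].items()
            for pg in cfg["portgroups"]}


def audit(inv):
    """Return a list of human-readable findings; an empty list means clean."""
    owner, findings = zone_of_switch(inv)
    pg_zone = zone_of_portgroup(inv, owner)

    # Rule 1: every vSwitch sits in some zone.
    for sw in inv["vswitches"]:
        if sw not in owner:
            findings.append(f"vSwitch {sw} is not assigned to any trust zone")

    # Rule 2: a vmnic bound to vSwitches of two different zones joins them at layer 2.
    nic_zones = defaultdict(set)
    for sw, cfg in inv["vswitches"].items():
        for nic in cfg["uplinks"]:
            nic_zones[nic].add(owner.get(sw, "<unzoned>"))
    for nic, zones in nic_zones.items():
        if len(zones) > 1:
            findings.append(f"uplink {nic} is shared by zones {sorted(zones)}")

    # Rule 3: a multi-homed VM is a bridge unless it is an approved security appliance.
    approved = set(inv["approved_appliances"])
    for vm, pgs in inv["vms"].items():
        zones = {pg_zone.get(pg, "<unknown>") for pg in pgs}
        if len(zones) > 1 and vm not in approved:
            findings.append(f"VM {vm} has vNICs in zones {sorted(zones)}")

    # Rule 4: promiscuous mode lets any guest on the port group sniff its neighbours.
    for sw, cfg in inv["vswitches"].items():
        for pg, pcfg in cfg["portgroups"].items():
            if pcfg.get("promiscuous"):
                findings.append(f"port group {pg} on {sw} accepts promiscuous mode")
    return findings


if __name__ == "__main__":
    for line in audit(INVENTORY) or ["no findings"]:
        print(line)
```

The approved-appliance list is the one piece of the audit that must come from the separation-of-duties process rather than from the host: it is the written record of which VMs are allowed to touch two zones, and anything multi-homed that is not on it is treated as a finding. Against a real estate you would replace `INVENTORY` with an export from the management layer and run the audit on a schedule.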
Download it here; there is a lot of information in it to get your teeth into.