The ESX host is behind the FW. I've actually used 6 physical NICs and created virtual switches for each NIC; the NICs are connected to different FW ports which have rules to only allow the port traffic to the NIC > vSwitch > Guest that it needs, like 21 for FTP. The COS NIC is also behind the DMZ and FW and gets translated back for management. Windows Firewall won't give good enough logging. The network guys here are top notch, just not familiar enough with VMware, so they wanted a decent OS firewall on top of what they've done to harden the access. I've already followed standard procedure to harden a server on a DMZ regardless of it being virtual or physical. I've also changed configs on the ESX host to cut down ports and unneeded access.

thx!
________________________________
From: Ziots, Edward [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 22, 2008 11:40 AM
To: NT System Admin Issues
Subject: RE: FTP Guest on DMZ, Software FW Suggestions

Personally, I'd be a little more worried about attackers going after the ESX host if you are leaving it in front of the firewall and behind such a device as a packet filtering router (one way to set up a DMZ, not always the way it is set up). If you have a dual firewall setup I'd place the DMZ segment in there along with the ESX servers, with strict rules about what can talk internally.

As for a firewall, you could use the Windows Firewall that comes with Windows 2003 Standard. Or, to take it one step further, look into IPsec on commonly attacked ports as a method of defense, along with recommended hardening suggestions (remove all NetBIOS, to include disabling NetBIOS over TCP/IP, and all unneeded services). For an extra layer of security you might want to look into putting a network IDS probe in the DMZ and/or deploying an application layer firewall to look at the traffic coming to the DMZ-based servers.

Again, note that now you have to protect both the ESX host and the guest OSes, whereas before you only had to protect the host OS, which could prove more work going forward.

Z

________________________________
From: Garcia-Moran, Carlos [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 22, 2008 11:09 AM
To: NT System Admin Issues
Subject: RE: FTP Guest on DMZ, Software FW Suggestions

Windows 2003 Standard

________________________________
From: Damien Solodow [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 22, 2008 11:01 AM
To: NT System Admin Issues
Subject: RE: FTP Guest on DMZ, Software FW Suggestions

What OS are your guests?

________________________________
From: Garcia-Moran, Carlos [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 22, 2008 11:00 AM
To: NT System Admin Issues
Subject: FTP Guest on DMZ, Software FW Suggestions

Hey All;

We are in the process of replacing our DMZ servers with VMware guests.
Because it's new tech to our network team they would like an extra layer of security by putting software firewalls on the guests. Now I only have experience with these three:

http://www.personalfirewall.comodo.com/
http://www.zonealarm.com/store/content/catalog/products/sku_list_za.jsp;jsessionid=HNJqvoZKkH1EHJNFB3ZKBlAr1jowbQZoPHvHGrJ5X8gjpKNEcSI7!-1678026629!-1062696904!7551!7552!NONE?dc=12bms&ctry=US&lang=en
http://www.sunbelt-software.com/Home-Home-Office/Sunbelt-Personal-Firewall/

Any suggestions? Basically they would like a FW that has good logging and straightforward setup; free would be good as well. We are breaking each DMZ host by type, so the WWW guest would only need port 80 active on the FW, the FTP one 21, etc...

thx!
Carlos

_________________________________________________________
This e-mail, including attachments, contains information that is confidential and may be protected by attorney/client or other privileges. This e-mail, including attachments, constitutes non-public information intended to be conveyed only to the designated recipient(s). If you are not an intended recipient, you are hereby notified that any unauthorized use, dissemination, distribution or reproduction of this e-mail, including attachments, is strictly prohibited and may be unlawful. If you have received this e-mail in error, please notify me by e-mail reply and delete the original message and any attachments from your system.
_________________________________________________________
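The thread asks for a guest firewall with good logging and notes that each DMZ guest should only have one service port (80 for WWW, 21 for FTP) exposed. The script below is an added example, not code from anyone in the thread: it parses the W3C-style log that the Windows 2003 / XP SP2 Windows Firewall writes (pfirewall.log, a `#Fields:` header followed by space-separated records) and checks it against a per-role allow-list, counting inbound drops by port and flagging any connection the host firewall accepted on a port outside the role's list. The role names, the allow-list dictionary and the log lines are constructed for the example; the column names follow the `#Fields:` header, and the `path` column (`RECEIVE`/`SEND`) is assumed to mark direction.

```python
"""Check a Windows Firewall (pfirewall.log) export against a per-role port allow-list.

Added example, not part of the mailing-list thread. Assumes the Windows
2003 / XP SP2 log layout: '#Fields:' header, one space-separated record
per line, '-' for empty columns. All sample data below is constructed.
"""
from collections import Counter

# Allow-list per DMZ guest role, as described in the thread (assumed names).
EXPECTED_PORTS = {"www": {80}, "ftp": {21}}

# Constructed sample log: an FTP guest (192.0.2.21) seeing one legitimate
# FTP connection, NetBIOS/SMB probes that were dropped, and one accepted
# RDP connection that the FTP role should never allow.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2008-01-22 11:00:01 OPEN TCP 203.0.113.10 192.0.2.21 51000 21 - - - - - - - - RECEIVE
2008-01-22 11:00:02 DROP TCP 203.0.113.11 192.0.2.21 51001 445 48 S 1234 0 65535 - - - RECEIVE
2008-01-22 11:00:03 DROP TCP 203.0.113.11 192.0.2.21 51002 139 48 S 1235 0 65535 - - - RECEIVE
2008-01-22 11:00:04 OPEN TCP 203.0.113.12 192.0.2.21 51003 3389 - - - - - - - - RECEIVE
2008-01-22 11:00:05 DROP UDP 203.0.113.13 192.0.2.21 137 137 78 - - - - - - - RECEIVE
"""


def parse_firewall_log(text):
    """Return one dict per record, keyed by the column names in '#Fields:'."""
    fields = None
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data record appeared before the #Fields: header")
        tokens = line.split()
        if len(tokens) != len(fields):
            # Malformed record: skip it rather than misalign the columns.
            continue
        records.append(dict(zip(fields, tokens)))
    return records


def dropped_by_port(records):
    """Count inbound DROP entries by (protocol, destination port)."""
    counts = Counter()
    for rec in records:
        if rec["action"] == "DROP" and rec["path"] == "RECEIVE":
            counts[(rec["protocol"], rec["dst-port"])] += 1
    return counts


def unexpected_opens(records, role):
    """Inbound connections the host firewall accepted on ports outside the role's list."""
    allowed = {str(port) for port in EXPECTED_PORTS[role]}
    return [
        rec for rec in records
        if rec["action"] == "OPEN"
        and rec["path"] == "RECEIVE"
        and rec["dst-port"] not in allowed
    ]


def report(text, role):
    """Human-readable summary for one guest of the given role."""
    records = parse_firewall_log(text)
    lines = [f"role={role}, records={len(records)}"]
    for (proto, port), n in sorted(dropped_by_port(records).items()):
        lines.append(f"dropped inbound {proto}/{port}: {n}")
    for rec in unexpected_opens(records, role):
        lines.append(
            f"ALERT accepted {rec['protocol']}/{rec['dst-port']} from "
            f"{rec['src-ip']} at {rec['date']} {rec['time']}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG, "ftp"))
```

Run it as-is and the FTP-role report lists the three dropped NetBIOS/SMB probes and raises one alert for the accepted RDP connection on 3389; evaluating the same log as the `www` role would also flag the port-21 connection, which is the point of keeping one allow-list per guest type rather than one shared list.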
