Personally,
I'd be a little more worried about attackers going after the ESX host, if you are leaving it in front of the firewall and behind such a device as a packet filtering router (one way to set up a DMZ, not always the way it is set up). If you have a Dual Firewall setup I'd place the DMZ segment in there along with the ESX servers with strict rules about what can talk internally.

As for firewall, you could use the Windows Firewall that comes with Windows 2003 Standard. Or, to take it one step further, look into IPSEC on commonly attacked ports as a method of defense, along with recommended hardening suggestions (remove all Netbios, to include disabling netbios/TCP/IP and all unneeded services). For an extra layer of security you might want to look into putting a Network IDS probe in the DMZ and/or deploying an application layer firewall to look at the traffic coming to the DMZ based servers.

Again note that now you have to protect both the ESX host and the Guest OS's whereas before you only had to protect the Host OS, which could prove more work going forward.

Z

________________________________
From: Garcia-Moran, Carlos [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 22, 2008 11:09 AM
To: NT System Admin Issues
Subject: RE: FTP Guest on DMZ, Software FW Suggestions

Windows 2003 Standard

________________________________
From: Damien Solodow [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 22, 2008 11:01 AM
To: NT System Admin Issues
Subject: RE: FTP Guest on DMZ, Software FW Suggestions

What OS are your guests?

From: Garcia-Moran, Carlos [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 22, 2008 11:00 AM
To: NT System Admin Issues
Subject: FTP Guest on DMZ, Software FW Suggestions

Hey All;

We are in the process of replacing our DMZ servers with Vmware guests. Because it's new tech to our network team they would like an extra layer of security by putting software firewalls on the Guests.
Now I only have experience with these three:

http://www.personalfirewall.comodo.com/
http://www.zonealarm.com/store/content/catalog/products/sku_list_za.jsp;jsessionid=HNJqvoZKkH1EHJNFB3ZKBlAr1jowbQZoPHvHGrJ5X8gjpKNEcSI7!-1678026629!-1062696904!7551!7552!NONE?dc=12bms&ctry=US&lang=en
http://www.sunbelt-software.com/Home-Home-Office/Sunbelt-Personal-Firewall/

Any suggestions? Basically they would like a FW that has good logging and straightforward setup, free would be good as well. We are breaking each DMZ host by type so the WWW Guest would only need port 80 active on the FW, the FTP one 21 etc...

thx!
Carlos

_________________________________________________________
This e-mail, including attachments, contains information that is confidential and may be protected by attorney/client or other privileges. This e-mail, including attachments, constitutes non-public information intended to be conveyed only to the designated recipient(s). If you are not an intended recipient, you are hereby notified that any unauthorized use, dissemination, distribution or reproduction of this e-mail, including attachments, is strictly prohibited and may be unlawful. If you have received this e-mail in error, please notify me by e-mail reply and delete the original message and any attachments from your system.
_________________________________________________________
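An added example, not part of the original thread: a small auditor that reads a Windows Firewall log (pfirewall.log) from one guest and checks it against the per-role port allowlists described above (WWW guest 80, FTP guest 21). The log lines, IP addresses and the `audit` helper are constructed for illustration; the field layout is taken from the log's own `#Fields` header.

```python
from collections import Counter

# Per-role inbound allowlists as described in the thread.
ROLE_PORTS = {"www": {80}, "ftp": {21}}

# Constructed sample in the W3C-style layout Windows Firewall writes.
SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info

2008-01-22 11:00:01 OPEN-INBOUND TCP 198.51.100.7 192.0.2.10 40112 21 - - - - - - - -
2008-01-22 11:00:09 DROP TCP 198.51.100.7 192.0.2.10 40113 445 48 S 1234 0 65535 - - -
2008-01-22 11:00:15 DROP TCP 203.0.113.5 192.0.2.10 51000 445 48 S 5678 0 65535 - - -
2008-01-22 11:01:30 OPEN-INBOUND TCP 203.0.113.5 192.0.2.10 51001 3389 - - - - - - - -
2008-01-22 11:01:42 OPEN TCP 192.0.2.10 198.51.100.20 1045 80 - - - - - - - -
2008-01-22 11:02:00 DROP ICMP 203.0.113.5 192.0.2.10 - - 60 - - - - 8 0 -
"""

def parse(log_text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line.strip() and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def audit(log_text, role, local_ip):
    """Return (accepted inbound connections outside the role's allowlist,
    Counter of dropped inbound packets per destination port)."""
    allowed = ROLE_PORTS[role]
    unexpected, dropped = [], Counter()
    for rec in parse(log_text):
        port = rec.get("dst-port", "-")
        # Only traffic addressed to this guest, and only records with a port.
        if rec.get("dst-ip") != local_ip or not port.isdigit():
            continue
        action, port = rec.get("action", ""), int(port)
        if action == "DROP":
            dropped[port] += 1
        elif action.startswith("OPEN") and port not in allowed:
            unexpected.append((rec.get("src-ip"), port))  # rule set wider than role
    return unexpected, dropped

if __name__ == "__main__":
    unexpected, dropped = audit(SAMPLE_LOG, "ftp", "192.0.2.10")
    print("accepted outside allowlist:", unexpected)
    print("dropped by port:", dict(dropped))
```

An accepted inbound connection on a port outside the role's list means the guest's rule set is wider than intended; the drop counts show what the software firewall is absorbing on each guest.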
