02-24-2015 08:21 AM - edited 03-11-2019 10:33 PM
I need to create a DMZ where VMs in my environment can be accessed from the public internet. The current plan is:
-Have a single firewall that is connected to a 7000K switch. There will be both a DMZ subnet and internal network subnets sharing the same physical switch, and travelling in and out of the same physical switch trunk ports to various ESXi hosts. The traffic will be separated only by being tagged with different vLAN tags, and by creating firewall rules that control what communication can happen to and from the DMZ subnet.
Is this a viable "DMZ" design or does DMZ traffic need to be on a different physical switch or at least not trunked on the same switch ports?
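The design above hinges on the firewall rules between the VLAN-tagged zones, so here is an added example (not from the thread or from Cisco) of a small first-match rule evaluator plus an audit helper that lists every rule letting a DMZ host initiate into the internal zone. Zone names, subnets, VLAN numbers and the rule list are constructed for illustration.

```python
"""Added example, not code from the original post: first-match evaluation of
zone-to-zone firewall rules for a VLAN-segregated DMZ, with an audit helper."""
import ipaddress

# Constructed zones: one VLAN tag per subnet, all riding the same trunk ports.
ZONES = {
    "internet": ipaddress.ip_network("0.0.0.0/0"),       # everything else
    "dmz":      ipaddress.ip_network("192.0.2.0/24"),     # VLAN 20 (constructed)
    "internal": ipaddress.ip_network("10.10.0.0/16"),     # VLAN 10 (constructed)
}

# Rules are evaluated top-down and the first match wins; the last entry is the
# explicit default deny. Tuple: (action, src_zone, dst_zone, proto, dst_port).
RULES = [
    ("permit", "internet", "dmz",      "tcp", 443),   # published web service
    ("permit", "internal", "dmz",      "tcp", 22),    # admin SSH from inside
    ("permit", "dmz",      "internal", "tcp", 1433),  # DB access the app needs
    ("deny",   "any",      "any",      "any", None),  # default deny
]

def zone_of(ip):
    """Return the most specific zone containing ip (IPv4 only in this example)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, net in ZONES.items():
        if addr in net and (best is None or net.prefixlen > ZONES[best].prefixlen):
            best = name
    return best

def evaluate(src_ip, dst_ip, proto, dst_port):
    """Return the action of the first rule that matches the flow."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for action, rs, rd, rp, rport in RULES:
        if rs in ("any", src) and rd in ("any", dst) \
                and rp in ("any", proto) and rport in (None, dst_port):
            return action
    return "deny"  # only reached if someone removes the explicit default deny

def dmz_to_internal_permits(rules=RULES):
    """Audit aid: rules that let DMZ hosts initiate into the internal zone.
    Each one needs a justification, because a compromised DMZ VM inherits it."""
    return [r for r in rules if r[0] == "permit" and r[1] == "dmz" and r[2] == "internal"]
```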
02-24-2015 06:39 PM
This would fail any regulated security audit.
02-24-2015 09:08 PM
OK thanks. Is there any reference documentation to define exactly what a regulated audit is looking for in DMZ design? Is there a specific document or link I can point to that sets out what the requirements are? When you say regulated audit are you talking specifically PCI-DSS, Sarbanes Oxley, NIST, FISMA, or all of the above? Which audits are "regulated"?
02-25-2015 06:35 AM
By regulated I mean PCI, DISA, etc. You can check out the CVD for internet edge at http://www.cisco.com/c/en/us/solutions/enterprise/design-zone-edge/landing_iEdge.html#~designs