DMZ VMWWare server connection to inside network security risk

rmrahman0302
Level 1

Hi,

We are thinking of connecting DMZ hosts (VM servers) directly to the inside network by putting them into an L2 VLAN. What are the pros and cons of doing it this way? Appreciate your help.

Thanks

7 Replies

Julio Carvajal
VIP Alumni

Hello,

So you are planning to move the servers you have on the DMZ (that are accessed from the outside world) to the inside interface...

The risk would be that if, by any chance, any of those servers gets compromised while being accessed from the outside, then the attacker could immediately access any inside host without going through the ASA, as he is already behind the inside interface....

I would say you have an ASA in place, so as long as you secure your network as much as possible you can perform this kind of change, but you still must know that vulnerability.

Hope that I could help

Remember to rate all of the helpful posts

Julio Carvajal

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I think he means the physical inside interface but different subinterfaces - inside and dmz.

Andrew Phirsov
Level 7

One thing I could think of, because we had such a situation. If you're the one who configures the firewalls, and configuration and maintenance of the switches is done by someone from another department, there's a chance that by misconfiguration (or on purpose) routing between VLANs may be set up on some of the switches in the LAN without traffic flowing through the firewall. But if the DMZ segment is set on a separate physical interface of the firewall, there's no chance for DMZ traffic to bypass it.

Apart from security, the negative part of it is that the bandwidth is shared between the LAN and the DMZ, but I don't think it's really an issue.

Thanks Julio and Andrew for your comments.

Physical connections will be as follows:

From DMZ host (VM server):

- One connection to the internal core switch (6509), for the DMZ, configured as an access port on the DMZ VLAN.

- One connection to the internal core switch (6509), for the production network, configured on the production VLAN.

Basically, moving away from physical separation of DMZ hosts to utilize the VM servers effectively for both DMZ and production. We have to maintain both the firewall and the network. Apart from human error, what are the possible risks of this?

So your DMZ hosts will have two connections - one on the DMZ and one on the LAN? If so, it totally ruins the purpose of the DMZ)), because, as Julio said, if a DMZ server gets compromised, the whole LAN gets compromised. For DMZ servers you should have only one interface (located on the DMZ - physical or VLAN), accessible from outside and from the LAN through the firewall.

As per VMware, the vSwitch is totally secure; let's say, worst case, if any DMZ host configured on vSwitch1 is compromised, there is no way a production server configured on vSwitch2 will be affected. Also, all the traffic will go through the firewall and will be filtered by the firewall rules. We are exploring all the options for effective use of VM servers for both DMZ and production use instead of using a dedicated switch and fixed VM servers for DMZ use only. The reason I asked here in this forum is to find out if anybody has deployed this solution yet...

Thanks!

Hello,

The VMware server will have access to both interfaces (inside and DMZ)....

If that host gets compromised, then the attacker will be able to initiate traffic to both interfaces without going across the firewall...

Remember that traffic on the LAN should not reach the ASA...

Do you get it now?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC