Chris Hoff posts about VMware’s recently released DMZ whitepaper. It shows three different approaches to DMZ architectures and discusses their strengths and weaknesses:
- Partially collapsed with physical zone separation. In this architecture, you put VMs of the same trust level on the same physical boxes and separate them using traditional firewalls.
- Partially collapsed with virtual zone separation. In this architecture, you put VMs of different trust levels (across DMZ zones) all on the same box, then pump the traffic in and out physical NICs and through physical firewalls accordingly.
- Fully collapsed puts everything in the virtual environment.
As is par for the course these days, VMware makes an outlandish security claim that there are no “significant” changes to the topology (errr, adding a separate management/control zone and creating virtual networks seem topologically different to me…). Other than that, it is a pretty decent review of the options.
Here are some tips for thinking about virtual DMZs. (For those who have been reading along, immutable laws 3 and 4 apply here).
- If you are moving from no zone separation to virtual zone separation, you are better off (law 3). This is unlikely simply because most folks already have zoned architectures.
- If you have your physical DMZ components all hanging off the same switch, you are probably at about the same risk level as option 2 above, where you still have physical firewalls.
- The only real benefit between option 2 above and option 3 is that the attack vector through the the firewalls is not factored into the virtualized environment risk. This is fairly minor in my book.
- The added hypervisor attack surface is the real question mark (ooops, there’s law 2 as well). Probably not a big deal right now, but with still unknown future ramifications.
More on this and other security implications as they come up.