I'm looking for some insight into best practices for network traffic isolation within a virtual environment, specifically under VMWARE ESXi.
Currently I have (in testing) 1 hardware server running ESXi but i expect to expand this to multiple pieces of hardware.
The current setup is as follows:
1 pfsense VM, this VM accepts all outside (WAN/internet) traffic and performs firewall/port forwarding/NAT functionality. I have multiple public IP addresses sent to the this VM that are used for access to individual servers (via per incoming IP port forwarding rules). This VM is attached to the private (virtual) network that all other VMs are on. It also manages a VPN link into the private network with some access restrictions. This isn't the perimeter firewall but rather the firewall for this virtual pool only.
I have 3 VMs that communicate with each other, as well as have some public access requirements:
1 LAMP server running an eCommerce site, public internet accessible
1 accounting server, access via windows server 2008 RDS services for remote access by users
1 inventory/warehouse management server, VPN to client terminals in warehouses
These servers constantly talk with each other for data synchronization.
Currently all the servers are on the same subnet/virtual network and connected to the internet through the pfsense VM. The pfsense firewall uses port forwarding and NAT to allow outside access to the servers for services and for server access to the internet.
My main question is this:
Is there a security benefit to adding a second virtual network adapter to each server and controlling traffic such that all server to server communication is on one separate virtual network, while any access to the outside world is routed through the other network adapter, through the firewall, and on the the internet.
This is the type of architecture i would use if these were all physical servers, but i'm unsure if the networks being virtual changes the way i should approach locking down this system.
Thank you for any thoughts or direction to any appropriate literature.
Best Answer
Your current configuration is fine. THe private switch data is only accessible by any of the machines attached to it. You have a limited scope of access so you should be safe. If you were do do anything, you could possibly add a second NIC to PF sense to a separate private vSwitch to basically have a DMZ but its not necessary and a bit excessive. Your milage may vary..