Help me not get hacked :) How to secure / segment my network???
-
I just scored some COLO space and want to start a small webhost for me and my buddies… I don't know where to begin but I have an idea of what I want and am hoping you guys can give me some direction... Some of this might be out of the scope of pfSense help, but I figure some still may be savvy with my setup and can give me some pointers with VMWare networking as well?
In a nutshell, I want to use pfSense as my Firewall/Gateway, handling and protecting the communication between my public IPs and servers. My network will consist of 6 physical servers (HOSTS) all running VMWare ESX/ESXi in a cluster/failover type setup. On these 6 VMWare Hosts I will have several Virtual Machines which will be the actual web servers (accessible by the public IPs). HOWEVER I would like to figure out how to make my setup as secure as possible...
I would like to figure out how to setup a management network... This network would be separate/hidden from the VMs... This way, should one of my buddies do something stupid, like install some web application and then not update it when a security flaw is found - any hackers trying to exploit that vulnerbility will only be able to hack that Virtual Machine with the vulnerbility; whereby protecting the integrity of the rest of the network such as the VMware physical HOSTS, iSCSI SAN, LAN access to the firewall - etc...
Taking my paranoia one step further, and this may be a question for the VMware forum, but I would like to figure out a way to separate each Virtual Machine as well? Again where if a Virtual Machine is compromised, any other Virtual Machines will be invisible to the compromised machine.
I think what I am looking for is possibly some sort of DMZ setup possibly utilizing VLANS? But I have no clue of how to set this all up to work with pfSense? I am hoping you guys can maybe walk me through the setup? I don't necessarily need to be spoon fed --- but I am not saying I wouldn't appreciate that!
Here is a breakdown of my hardware:
pfSense Machine (it may be overkill, but I don't mind):
Dual Intel XEON 2.8Ghz
4GB RAM
1 Fast Ethernet RJ45
2 Intel Pro 1000 Gig-E RJ45VMWare Physical Hosts:
Dual Intel XEON 3.0GHZ
12 GB RAM
1 Fast Ethernet RJ45
2 Intel Pro 1000 Gig-E RJ45iSCSI SAN:
OPENFILER
Dual Opteron 248
4GB RAM
2 Intel Pro 1000MT Gig-E RJ45
2 Broadcom Gig-E RJ45
1 Fast Ethernet RJ45I have a pretty nice "budget" switch, an HP Procurve 1800-24G which supports VLANS so maybe I could use VLANS to segregate the networks??? Although I have VERY limited (READ ZERO) knowledge when it comes to VLANS. Maybe 1 VLAN for management network (VMWare Physical Hosts, Licensing Server, pfSense GUI) , a 2nd VLAN for iSCSI traffic, and then separate VLANS for each Virtual Machine???
If that isn't good enough, I would also be open to purchasing another switch or two to ensure that I have protected my networks... (any budget switch reccomendations are appreciated )
I could really use some help figuring this all out, and If I am thinking about this in the wrong way PLEASE let me know. ( You won't hurt my feelings :D )
-
For those that don't like to read long posts ;D…
Will this work? Do I need 3 separate switches or can I accomplish this with 1 switch and VLANs???
LINK: http://www.gliffy.com/pubdoc/1608095/L.jpg
-
A quick view indicate that 1 vlan switch would work.
http://pfsense.site88.net/mysetup/index.html wink guide on vlanOn esx/esxi you can set vlanid to 4095 so tagget traffic can be used (search in forum)
a good read http://doc.m0n0.ch/handbook-single/#id11642774
-
On esx/esxi you can set vlanid to 4095 so tagget traffic can be used (search in forum)
So I am still new to the world of VLANs - I know "tagged" has something to do with VLANs but I don't exactly understand what you mean by this? Any chance you could elaborate a little bit? I am currently reading the "monowall handbook" you linked.
thanks.
-
http://forum.pfsense.org/index.php/topic,7011.0.html
found with a search in Virtualization installations and techniques
search word vlan