Help me not get hacked :) How to secure / segment my network???

  • I just scored some COLO space and want to start a small webhost for me and my buddies… I don't know where to begin but I have an idea of what I want and am hoping you guys can give me some direction... Some of this might be out of the scope of pfSense help, but I figure some still may be savvy with my setup and can give me some pointers with VMWare networking as well?

    In a nutshell, I want to use pfSense as my Firewall/Gateway, handling and protecting the communication between my public IPs and servers. My network will consist of 6 physical servers (HOSTS) all running VMware ESX/ESXi in a cluster/failover type setup. On these 6 VMware Hosts I will have several Virtual Machines which will be the actual web servers (accessible by the public IPs). HOWEVER I would like to figure out how to make my setup as secure as possible...

    I would like to figure out how to set up a management network... This network would be separate/hidden from the VMs... This way, should one of my buddies do something stupid, like install some web application and then not update it when a security flaw is found, any hackers trying to exploit that vulnerability will only be able to hack that Virtual Machine with the vulnerability, thereby protecting the integrity of the rest of the network such as the VMware physical HOSTS, iSCSI SAN, LAN access to the firewall, etc...

    Taking my paranoia one step further, and this may be a question for the VMware forum, but I would like to figure out a way to separate each Virtual Machine as well?  Again where if a Virtual Machine is compromised, any other Virtual Machines will be invisible to the compromised machine.

    I think what I am looking for is possibly some sort of DMZ setup, possibly utilizing VLANs? But I have no clue how to set this all up to work with pfSense? I am hoping you guys can maybe walk me through the setup? I don't necessarily need to be spoon-fed --- but I am not saying I wouldn't appreciate that!

    Here is a breakdown of my hardware:

    pfSense Machine (it may be overkill, but I don't mind):

    Dual Intel XEON 2.8Ghz
    4GB RAM
    1 Fast Ethernet RJ45
    2 Intel Pro 1000 Gig-E RJ45

    VMware Physical Hosts:

    Dual Intel XEON 3.0GHZ
    12 GB RAM
    1 Fast Ethernet RJ45
    2 Intel Pro 1000 Gig-E RJ45

    iSCSI SAN:
    Dual Opteron 248
    4GB RAM
    2 Intel Pro 1000MT  Gig-E RJ45
    2 Broadcom Gig-E RJ45
    1 Fast Ethernet RJ45

    I have a pretty nice "budget" switch, an HP ProCurve 1800-24G which supports VLANs, so maybe I could use VLANs to segregate the networks??? Although I have VERY limited (READ ZERO) knowledge when it comes to VLANs. Maybe 1 VLAN for the management network (VMware Physical Hosts, Licensing Server, pfSense GUI), a 2nd VLAN for iSCSI traffic, and then separate VLANs for each Virtual Machine???

    If that isn't good enough, I would also be open to purchasing another switch or two to ensure that I have protected my networks... (any budget switch recommendations are appreciated)

    I could really use some help figuring this all out, and if I am thinking about this in the wrong way PLEASE let me know. (You won't hurt my feelings :D )

  • For those that don't like to read long posts  ;D…

    Will this work?  Do I need 3 separate switches or can I accomplish this with 1 switch and VLANs???
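    As an added illustration of the layout described in the post above (this is not code from the thread and not a pfSense export): a small Python model of the VLAN layout and a pfSense-style rule table, with a check for the isolation property the poster is after. The subnets, VLAN names, probe ports and the rule set are all assumptions.

    ```python
    import ipaddress

    # Constructed sample layout (hypothetical subnets) for the design in the post:
    # one VLAN for management, one for iSCSI, one per web VM, public IPs on WAN.
    VLANS = {
        "WAN":   "203.0.113.0/24",  # public IPs (RFC 5737 documentation range)
        "MGMT":  "10.0.10.0/24",    # ESXi hosts, licensing server, pfSense GUI
        "ISCSI": "10.0.20.0/24",    # SAN traffic; give pfSense no interface on it at all
        "VM1":   "10.0.101.0/24",   # one VLAN and one pfSense interface per web VM
        "VM2":   "10.0.102.0/24",
    }
    ALIASES = {name: [net] for name, net in VLANS.items()}
    ALIASES["PRIVATE"] = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
    ALIASES["any"] = ["0.0.0.0/0"]

    # pfSense-style rules (src, dst, proto, port, action): evaluated top-down on the
    # interface where traffic enters, first match wins, anything unmatched is dropped.
    RULES = [
        ("WAN",  "VM1",     "tcp", 80,   "pass"),
        ("WAN",  "VM1",     "tcp", 443,  "pass"),
        ("WAN",  "VM2",     "tcp", 80,   "pass"),
        ("MGMT", "any",     "any", None, "pass"),   # admins may reach everything
        ("VM1",  "PRIVATE", "any", None, "block"),  # a VM may not touch any internal net...
        ("VM1",  "any",     "any", None, "pass"),   # ...but may fetch updates from the internet
        ("VM2",  "PRIVATE", "any", None, "block"),
        ("VM2",  "any",     "any", None, "pass"),
    ]

    def in_alias(ip, alias):
        return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in ALIASES[alias])

    def allowed(src_ip, dst_ip, proto="tcp", port=None):
        """First-match evaluation of RULES for one flow; no match means deny."""
        for src, dst, rproto, rport, action in RULES:
            if (in_alias(src_ip, src) and in_alias(dst_ip, dst)
                    and rproto in ("any", proto) and rport in (None, port)):
                return action == "pass"
        return False

    def reachable_vlans(src_vlan, probe_ports=(22, 80, 443, 902, 3260)):
        """VLANs a host in src_vlan can reach on at least one probe port (host .10 of each)."""
        src_ip = str(ipaddress.ip_network(VLANS[src_vlan])[10])
        return {name for name, net in VLANS.items()
                if any(allowed(src_ip, str(ipaddress.ip_network(net)[10]), "tcp", p)
                       for p in probe_ports)}

    def isolation_ok():
        """The thread's goal: a compromised web VM reaches the internet and nothing else.
        Same-VLAN traffic never crosses the firewall, so a VM's own VLAN is not counted."""
        return all(reachable_vlans(v) - {v} <= {"WAN"} for v in ("VM1", "VM2"))
    ```

    Swapping the order of a VM's block and pass rules makes isolation_ok() return False, which is exactly the ordering mistake a check like this is meant to catch before it reaches the firewall.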


  • A quick view indicates that 1 VLAN switch would work. ;) guide on vlan

    On ESX/ESXi you can set vlanid to 4095 so tagged traffic can be used (search in forum)

    a good read

  • On ESX/ESXi you can set vlanid to 4095 so tagged traffic can be used (search in forum)

    So I am still new to the world of VLANs - I know "tagged" has something to do with VLANs but I don't exactly understand what you mean by this?  Any chance you could elaborate a little bit?  I am currently reading the "monowall handbook" you linked.


  • Found with a search in Virtualization installations and techniques
    search word vlan
