Netgate Discussion Forum
    Help me not get hacked :) How to secure / segment my network???

    sierradump

      I just scored some COLO space and want to start a small webhost for me and my buddies… I don't know where to begin but I have an idea of what I want and am hoping you guys can give me some direction... Some of this might be out of the scope of pfSense help, but I figure some still may be savvy with my setup and can give me some pointers with VMWare networking as well?

      In a nutshell, I want to use pfSense as my Firewall/Gateway, handling and protecting the communication between my public IPs and servers.  My network will consist of 6 physical servers (HOSTS) all running VMWare ESX/ESXi in a cluster/failover type setup.  On these 6 VMWare Hosts I will have several Virtual Machines which will be the actual web servers (accessible by the public IPs).   HOWEVER I would like to figure out how to make my setup as secure as possible...

      I would like to figure out how to set up a management network... This network would be separate/hidden from the VMs... This way, should one of my buddies do something stupid, like install some web application and then not update it when a security flaw is found - any hackers trying to exploit that vulnerability will only be able to hack that Virtual Machine with the vulnerability; thereby protecting the integrity of the rest of the network such as the VMware physical HOSTS, iSCSI SAN, LAN access to the firewall - etc...

      Taking my paranoia one step further, and this may be a question for the VMware forum, but I would like to figure out a way to separate each Virtual Machine as well?  Again where if a Virtual Machine is compromised, any other Virtual Machines will be invisible to the compromised machine.

      I think what I am looking for is possibly some sort of DMZ setup possibly utilizing VLANS?  But I have no clue of how to set this all up to work with pfSense?  I am hoping you guys can maybe walk me through the setup?  I don't necessarily need to be spoon fed --- but I am not saying I wouldn't appreciate that!

      Here is a breakdown of my hardware:

      pfSense Machine (it may be overkill, but I don't mind):

      Dual Intel XEON 2.8Ghz
      4GB RAM
      1 Fast Ethernet RJ45
      2 Intel Pro 1000 Gig-E RJ45

      VMWare Physical Hosts:

      Dual Intel XEON 3.0GHZ
      12 GB RAM
      1 Fast Ethernet RJ45
      2 Intel Pro 1000 Gig-E RJ45

      iSCSI SAN:
      OPENFILER
      Dual Opteron 248
      4GB RAM
      2 Intel Pro 1000MT  Gig-E RJ45
      2 Broadcom Gig-E RJ45
      1 Fast Ethernet RJ45

      I have a pretty nice "budget" switch, an HP Procurve 1800-24G which supports VLANS so maybe I could use VLANS to segregate the networks???  Although I have VERY limited (READ ZERO) knowledge when it comes to VLANS.   Maybe 1 VLAN for management network (VMWare Physical Hosts, Licensing Server, pfSense GUI) , a 2nd VLAN for iSCSI traffic, and then separate VLANS for each Virtual Machine???

      If that isn't good enough, I would also be open to purchasing another switch or two to ensure that I have protected my networks...  (any budget switch recommendations are appreciated )

      I could really use some help figuring this all out, and If I am thinking about this in the wrong way PLEASE let me know. ( You won't hurt my feelings  :D )

      sierradump

        For those that don't like to read long posts  ;D…

        Will this work?  Do I need 3 separate switches or can I accomplish this with 1 switch and VLANs???

        LINK:  http://www.gliffy.com/pubdoc/1608095/L.jpg

        Perry

          A quick view indicates that 1 VLAN switch would work.
          http://pfsense.site88.net/mysetup/index.html guide on VLAN

          On ESX/ESXi you can set the VLAN ID to 4095 so tagged traffic can be used (search in forum)

          a good read http://doc.m0n0.ch/handbook-single/#id11642774

          /Perry
          doc.pfsense.org

          sierradump
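To make the layout sierradump asked for and Perry's "one VLAN switch would work" concrete, here is an added example (not code from the thread, from pfSense or from VMware) that models the plan as VLAN segments plus a default-deny firewall policy and checks the isolation goals: a compromised VM VLAN must not be able to reach the management VLAN, the iSCSI VLAN, or any other VM's VLAN through the firewall. The VLAN numbers, subnets and rule set are constructed assumptions; the reserved-ID check reflects 802.1Q, where only 1 to 4094 are usable VLAN IDs (4095 on ESX is a special "pass all tags" port-group setting, not a VLAN you put on the switch).

```python
"""Segmentation plan check for a pfSense-fronted VMware cluster.

Added example, not from the thread or from pfSense/VMware. All VLAN ids,
subnets and rules below are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import List, Optional, Tuple

VLAN_MIN, VLAN_MAX = 1, 4094  # 802.1Q: 0 and 4095 are reserved, never switch VLANs


@dataclass(frozen=True)
class Segment:
    name: str
    vlan_id: int
    subnet: IPv4Network
    kind: str  # "mgmt", "storage" or "vm"


@dataclass(frozen=True)
class Rule:
    """One firewall *allow* rule; everything not matched is denied (default deny)."""
    src: str                   # segment name, "wan", or "*" for any
    dst: str
    port: Optional[int] = None  # None matches any port


def validate_segments(segments: List[Segment]) -> None:
    """Reject reserved/duplicate VLAN ids and overlapping subnets."""
    seen = set()
    for s in segments:
        if not VLAN_MIN <= s.vlan_id <= VLAN_MAX:
            raise ValueError(f"{s.name}: VLAN id {s.vlan_id} is reserved in 802.1Q")
        if s.vlan_id in seen:
            raise ValueError(f"VLAN id {s.vlan_id} used twice")
        seen.add(s.vlan_id)
    for a in segments:
        for b in segments:
            if a is not b and a.subnet.overlaps(b.subnet):
                raise ValueError(f"{a.name} and {b.name} have overlapping subnets")


def is_valid_plan(segments: List[Segment]) -> bool:
    try:
        validate_segments(segments)
        return True
    except ValueError:
        return False


def allowed(rules: List[Rule], src: str, dst: str, port: int) -> bool:
    """First-match-any: true if some allow rule covers this src/dst/port."""
    return any(r.src in ("*", src) and r.dst in ("*", dst)
               and (r.port is None or r.port == port) for r in rules)


def isolation_violations(segments: List[Segment], rules: List[Rule],
                         probe_ports=(22, 80, 443, 902, 3260)) -> List[Tuple[str, str, int]]:
    """Every (src, dst, port) where a VM segment can reach a protected segment.

    Protected = management, storage, and every *other* VM segment. An empty
    list means a compromised VM can only talk to WAN and to what the rules
    deliberately expose. Probe ports are constructed: ssh, http(s), ESXi
    management (902) and iSCSI (3260)."""
    validate_segments(segments)
    vms = [s for s in segments if s.kind == "vm"]
    protected = [s for s in segments if s.kind in ("mgmt", "storage", "vm")]
    bad = []
    for src in vms:
        for dst in protected:
            if dst.name == src.name:
                continue
            for port in probe_ports:
                if allowed(rules, src.name, dst.name, port):
                    bad.append((src.name, dst.name, port))
    return bad


# Constructed plan mirroring the thread: one management VLAN (hosts, licensing
# server, pfSense GUI), one iSCSI VLAN, and one VLAN per web VM.
SEGMENTS = [
    Segment("mgmt", 10, ip_network("10.0.10.0/24"), "mgmt"),
    Segment("iscsi", 20, ip_network("10.0.20.0/24"), "storage"),
    Segment("vm-web1", 101, ip_network("10.0.101.0/24"), "vm"),
    Segment("vm-web2", 102, ip_network("10.0.102.0/24"), "vm"),
]

# Intended policy: public web ports in, VM egress to WAN, admins from mgmt only.
GOOD_RULES = [
    Rule("wan", "vm-web1", 80), Rule("wan", "vm-web1", 443),
    Rule("wan", "vm-web2", 80),
    Rule("vm-web1", "wan"), Rule("vm-web2", "wan"),
    Rule("mgmt", "*"),
]

# A careless "allow anything from vm-web1" rule, the kind of thing a buddy adds to
# "make it work"; the checker should flag it.
SLOPPY_RULES = GOOD_RULES + [Rule("vm-web1", "*")]

# A plan using the ESX "all tags" value as if it were a real VLAN.
RESERVED_ID_PLAN = [Segment("oops", 4095, ip_network("10.0.99.0/24"), "vm")]

if __name__ == "__main__":
    print("good plan violations:", isolation_violations(SEGMENTS, GOOD_RULES))
    for v in isolation_violations(SEGMENTS, SLOPPY_RULES):
        print("VIOLATION", v)
```

The model only covers traffic that crosses pfSense between VLANs. iSCSI stays inside its own VLAN (hosts and SAN talk directly), so the real protection there is that no VM port group is attached to VLAN 20 at all; the checker's job is to catch a firewall rule that would reopen a path you meant to keep closed.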

            > On ESX/ESXi you can set the VLAN ID to 4095 so tagged traffic can be used (search in forum)

            So I am still new to the world of VLANs - I know "tagged" has something to do with VLANs but I don't exactly understand what you mean by this?  Any chance you could elaborate a little bit?  I am currently reading the "monowall handbook" you linked.

            thanks.

            Perry
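Since the question is what "tagged" means, here is an added example (not from the thread, pfSense or VMware) that builds and parses the thing itself: an 802.1Q tag is four bytes inserted into an Ethernet frame after the two MAC addresses, carrying the VLAN ID. A trunk port passes frames that carry a tag for an allowed VLAN; an access port expects untagged frames and assigns its single VLAN on ingress. The sample frame bytes and the port-decision helper are constructed for illustration.

```python
"""802.1Q tagging in bytes: what a 'tagged' frame looks like.

Added example; the frame contents and the trunk/access helper are constructed
assumptions, not any vendor's implementation.
"""
import struct
from typing import Dict, Optional, Set

TPID_8021Q = 0x8100          # EtherType that announces "an 802.1Q tag follows"
VLAN_MIN, VLAN_MAX = 1, 4094  # 0 = priority-only tag, 4095 = reserved


def tag_frame(untagged: bytes, vlan_id: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert a 4-byte tag: TPID (0x8100) + TCI (3-bit PCP, 1-bit DEI, 12-bit VID)."""
    if not VLAN_MIN <= vlan_id <= VLAN_MAX:
        raise ValueError(f"VLAN id {vlan_id} is not a usable 802.1Q VLAN")
    tci = (pcp << 13) | (dei << 12) | vlan_id
    return untagged[:12] + struct.pack("!HH", TPID_8021Q, tci) + untagged[12:]


def parse_frame(frame: bytes) -> Dict[str, object]:
    """Return dst/src MAC, vlan (None if untagged), the real EtherType and payload."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan: Optional[int] = None
    offset = 14
    if ethertype == TPID_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        vlan = tci & 0x0FFF
        (ethertype,) = struct.unpack("!H", frame[16:18])
        offset = 18
    return {"dst": dst, "src": src, "vlan": vlan,
            "ethertype": ethertype, "payload": frame[offset:]}


def untag_frame(frame: bytes) -> bytes:
    """What an access port does on egress: strip the tag, leave the rest intact."""
    if parse_frame(frame)["vlan"] is None:
        return frame
    return frame[:12] + frame[16:]


def accept_on_port(frame: bytes, mode: str, vlans: Set[int]) -> bool:
    """Constructed switch-port decision.

    trunk : accept only tagged frames whose VID is in the allowed set
    access: accept only untagged frames (the port's own VLAN is then assumed)
    """
    vid = parse_frame(frame)["vlan"]
    if mode == "trunk":
        return vid is not None and vid in vlans
    if mode == "access":
        return vid is None
    raise ValueError(f"unknown port mode {mode!r}")


# Constructed sample: a plain IPv4 frame (EtherType 0x0800) with a dummy payload.
UNTAGGED_FRAME = (bytes.fromhex("001122334455")      # dst MAC
                  + bytes.fromhex("66778899aabb")    # src MAC
                  + struct.pack("!H", 0x0800)        # EtherType IPv4
                  + b"constructed IPv4 payload")

if __name__ == "__main__":
    tagged = tag_frame(UNTAGGED_FRAME, 20)
    print("untagged:", UNTAGGED_FRAME[:16].hex())
    print("tagged  :", tagged[:20].hex())
    print(parse_frame(tagged))
```

Reading the two hex lines side by side shows the only difference: `8100 0014` (TPID, then VID 20) spliced in after the source MAC. That is why Perry's ESX note matters: a VM port group set to VLAN 4095 hands frames to the guest with that tag still in place (the guest does its own tagging), whereas a port group set to a real VLAN ID strips and adds tags on the VM's behalf.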

              http://forum.pfsense.org/index.php/topic,7011.0.html
              found with a search in Virtualization installations and techniques
              search word vlan

              /Perry
              doc.pfsense.org

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.