Lock down host machine interface

  • Hi!

    I've got a physical pfSense box with 4 NICs (WAN, LAN, DMZ, WLAN), and behind my fw on the LAN I have a VMware server hosting a few virtual machines.
    I want to do the following: connect my DMZ iface on the firewall to a new NIC on the VMware host so that I can separate virtual machines from the LAN and put them directly on the DMZ.

    I'm having one concern with this setup, and that is that my host machine will also be accessible from the DMZ network, and that puts all the virtual machines along with the whole LAN at risk as well.

    So I'm wondering if anybody has a similar setup and if there is a way to "lock down" the interface on the host machine so that it's not possible to access it at all?

    Any help will be much appreciated!

  • Hi

    I am running a similar setup with a VMware server running some guest servers on a dedicated NIC in a DMZ zone.
    If you are running VMware ESX you can disable the management interface from being accessible on the DMZ NIC in the VMware host. This is done on the host console in the Networking section.

    The internal security of an ESX host server is generally considered secure enough to split guest servers between zones on your firewall. VMware do not recommend it, even though they say there are no known security vulnerabilities.

    I recently quizzed the security manager of a large financial institution who has a large VMware deployment. He was happy mixing DMZ and LAN servers on the same ESX host.

    Hope that helps?

  • Thank you for the reply Gob!

    I did forget to mention that I'm running VMware Server on top of a Debian installation (ESX/ESXi doesn't support my hw :( ), but I guess I would go about it the same way. This isn't really related to pfSense, but does anyone know how to lock down an interface on a VMware host running Debian? People running pfSense virtually should have some knowledge about this, I guess?

    Thank you!
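For the Debian/VMware Server case asked about above, here is an added example script (my own, not from this thread, VMware or pfSense) that locks down the DMZ NIC on the host: the vmnet bridge only needs the NIC to be up, so the host keeps no IP address on it and the host firewall drops anything addressed to, sent from, or routed through the host on that NIC. The interface name eth2 is an assumption; set DMZ_IF to your DMZ NIC.

```shell
#!/bin/sh
# Added example, not from the thread. Locks down the DMZ NIC on a Debian host
# running VMware Server: the bridge (vmnet-bridge) only needs the NIC to be up,
# so the host holds no IP on it and the host firewall drops everything that
# would terminate at, originate from, or be routed through the host on it.
# The interface name eth2 is an assumption; set DMZ_IF to your DMZ NIC.

DMZ_IF="${DMZ_IF:-eth2}"

# Print the commands for the given NIC instead of running them, so the
# ruleset can be reviewed (and checked) before it is applied.
dmz_host_rules() {
    ifc="$1"
    cat <<EOF
# no layer-3 presence for the host on the DMZ NIC (also no IPv6 link-local)
ip addr flush dev $ifc
sysctl -q -w net.ipv6.conf.$ifc.disable_ipv6=1
ip link set dev $ifc up
# nothing to or from the host kernel on this NIC
iptables -A INPUT -i $ifc -j DROP
iptables -A OUTPUT -o $ifc -j DROP
ip6tables -A INPUT -i $ifc -j DROP
ip6tables -A OUTPUT -o $ifc -j DROP
# and no routing between the DMZ NIC and the LAN NIC behind pfSense's back
iptables -A FORWARD -i $ifc -j DROP
iptables -A FORWARD -o $ifc -j DROP
ip6tables -A FORWARD -i $ifc -j DROP
ip6tables -A FORWARD -o $ifc -j DROP
EOF
}

# Count the DROP rules the ruleset installs for a NIC (a sanity check).
dmz_drop_count() {
    dmz_host_rules "$1" | grep -c -- "-j DROP"
}

# Run as "sh lockdown.sh apply" (as root) to install the rules on this host.
if [ "${1:-}" = "apply" ]; then
    dmz_host_rules "$DMZ_IF" | sh -e
fi
```

The FORWARD rules matter because a host with ip_forward enabled and NICs in both LAN and DMZ would otherwise route between the zones without pfSense seeing it.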
