ESXi + VLANS + DMZ + SIEM + Advice Please



  • Ok so grab a beer or a refreshing drink and have a read, slightly longish post… advice needed.
    I've always had an interest in security and I'm trying to make my home as secure as possible with what I have.

    This is basically what my network looks like.

    1 - Subnet for LAN
    2 - Subnet for DMZ
    3 - Subnet for OpenVPN
    4 - Subnet for IoT-DMZ

    I've had 1, 2, 3 set up as is for a while. 4 I have just created. But it got me thinking about VLANs.
    I know what they are for but never really needed to set them up, but thought I would try and have a go and learn something new.

    Ok so they are all on different subnets. I have firewall rules in place to not allow DMZ to talk to LAN or other DMZ or OpenVPN; it can only go back out to the WAN, and even then I am only allowing external port 22 NATed to DMZ honeypot port 2222.

    Here is what can access what …

    DMZ -> WAN only, no LAN access or any other
    IoT-DMZ -> WAN only, no LAN access or any other
    OpenVPN -> LAN only, no DMZs or any other
    LAN -> OpenVPN, DMZ, IoT-DMZ

    So I've started to think about VLANs.
    On my ESXi server, I just today added VLANs to the vSwitches for DMZ and IoT-DMZ.
    I have a SPAN VLAN that was used to allow all traffic that passes to go to the SIEM that I used to have virtualised, but I now have a physical box running a SIEM. I have a managed switch and have set up a SPAN port on that, so all traffic that goes down the WAN interface gets copied to the SIEM.

    So DMZ has a honeypot VM, so all virtualised in ESXi.

    IoT-DMZ is empty but will eventually have a NEST thermostat and other IoT stuff eventually, I guess, etc…

    LAN has my SIEM, CCTV server, IPCAMs, desktops, laptops, wireless devices (mobile, tablets etc.).
    For me to access CCTV from the internet, I VPN home and then check the IPCAMs from there, not opening up the IPCAMs to the internet.

    So now I am thinking, ok... on the pfSense box I need to assign the VLANs to the devices... right?

    I have yet to assign a VLAN 10 to the LAN on the ESXi as I'm thinking I don't need to, just need to VLAN all the other stuff, right?

    Am I heading in the right direction here, or am I doing some misconfiguration?

    I have still not set up any VLANs on the managed switch as all the equipment there is LAN; all the DMZ stuff at the moment is virtual in the ESXi server.

    But when the IoT devices come along I will want a separate wifi that will go in the IoT-DMZ. So on the physical managed switch I will need to plug in the AP and assign it a VLAN 40 to match the others, right, and keep them separated from my LAN…

    but still want to be able to monitor it from the SIEM perspective...

    Can someone let me know thoughts on this and if I am going about this all wrong or not?

    And when I get the IoT-DMZ wireless AP connected, and set up a 2nd DHCP scope for the IoT-DMZ using the different subnet, assuming it's VLANed correctly this will allow the DHCP scope to work too, right?
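    The access matrix in the post (DMZ and IoT-DMZ to WAN only, OpenVPN to LAN only, LAN to everything) is easy to state and easy to get wrong in pfSense, because a "pass to any" rule on an internal tab also matches the other internal subnets unless something blocks them first. The script below is an added example, not the poster's configuration: it models pfSense's first-match-per-interface evaluation over a constructed rule set and compares the computed zone-to-zone reachability with the intended matrix. The subnets, the interface names, the 203.0.113.10 "internet" probe address and the assumption that LAN may also reach the WAN are all constructed here.

```python
"""Zone-policy check for the four-subnet layout described in the post.

Added example, not the poster's pfSense configuration. The subnets,
interface names, rule list and intended access matrix are constructed
to mirror the post: DMZ and IoT-DMZ reach the WAN only, OpenVPN reaches
the LAN only, and the LAN reaches everything.
"""
import itertools
from dataclasses import dataclass
from ipaddress import ip_network, IPv4Network

# Constructed addressing; the zone name doubles as the pfSense interface name.
ZONES = {
    "LAN": ip_network("192.168.10.0/24"),
    "DMZ": ip_network("192.168.20.0/24"),
    "OPENVPN": ip_network("10.8.0.0/24"),
    "IOT": ip_network("192.168.40.0/24"),
}
ANY = ip_network("0.0.0.0/0")
WAN_PROBE = ip_network("203.0.113.10/32")   # documentation address standing in for "the internet"
PRIVATE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# (source zone, destination) pairs the post intends to permit.
# LAN -> WAN is not spelled out in the post; it is assumed here.
INTENDED = {
    ("LAN", "OPENVPN"), ("LAN", "DMZ"), ("LAN", "IOT"), ("LAN", "WAN"),
    ("DMZ", "WAN"), ("IOT", "WAN"), ("OPENVPN", "LAN"),
}


@dataclass
class Rule:
    iface: str           # pfSense tab the rule lives on = zone the traffic enters from
    action: str          # "pass" or "block"
    src: IPv4Network
    dst: IPv4Network


# Constructed rule set: DMZ and IoT block all private space first, then pass any.
# OpenVPN has a single pass-to-LAN rule and relies on the per-interface default deny.
RULES = [
    *[Rule("DMZ", "block", ZONES["DMZ"], n) for n in PRIVATE],
    Rule("DMZ", "pass", ZONES["DMZ"], ANY),
    *[Rule("IOT", "block", ZONES["IOT"], n) for n in PRIVATE],
    Rule("IOT", "pass", ZONES["IOT"], ANY),
    Rule("OPENVPN", "pass", ZONES["OPENVPN"], ZONES["LAN"]),
    Rule("LAN", "pass", ZONES["LAN"], ANY),
]

# The classic mistake: an IoT tab with only "pass any", which also matches LAN destinations.
LEAKY_RULES = [r for r in RULES if r.iface != "IOT"] + [Rule("IOT", "pass", ZONES["IOT"], ANY)]


def evaluate(rules, ingress, src_ip, dst_ip):
    """First matching rule on the ingress interface wins; no match means deny."""
    for r in rules:
        if r.iface == ingress and src_ip in r.src and dst_ip in r.dst:
            return r.action == "pass"
    return False


def reachability(rules):
    """Probe one representative host per zone pair; returns {(src, dst): allowed}."""
    result = {}
    for src, dst in itertools.product(ZONES, list(ZONES) + ["WAN"]):
        if src == dst:
            continue
        s = next(ZONES[src].hosts())
        d = WAN_PROBE[0] if dst == "WAN" else next(ZONES[dst].hosts())
        result[(src, dst)] = evaluate(rules, src, s, d)
    return result


def violations(rules, intended=INTENDED):
    """Zone pairs whose computed reachability disagrees with the intended matrix."""
    return sorted(pair for pair, allowed in reachability(rules).items()
                  if allowed != (pair in intended))


if __name__ == "__main__":
    print("strict rule set violations:", violations(RULES))
    print("leaky rule set violations: ", violations(LEAKY_RULES))
```

    Running it reports no violations for the strict rule set and three for the leaky one (IoT reaching DMZ, LAN and OpenVPN), which is exactly the gap that would let a compromised IoT device talk to the CCTV server. The same model extends to the honeypot NAT: add a WAN-ingress rule for port 2222 to the honeypot address and confirm nothing else on the DMZ tab is reachable from outside.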



  • I don't understand what you are doing currently. It looks like you are using VLAN tagging, but it isn't really doing anything. I also don't think your SPAN port is seeing anything other than LAN traffic (is that what you want?)

    Here's what I'd do:

    Keep your WAN vSwitch setup the way it is.

    Create one vSwitch and attach the ESXi LAN to it.

    Create portgroups on that vSwitch for each VLAN.

    Create the pfSense virtual with 4 vNICs - WAN, DMZ, IoT, and LAN. Connect each to the appropriate vSwitch portgroup.

    Configure your switch to do VLANs. Make the link to the ESXi box a trunk. Pick an unused VLAN as the default (or native in Cisco terms) VLAN. It should default to VLAN 1 for this which is OK since you aren't using VLAN 1.

    Configure your other switch ports as access ports to the appropriate VLAN: LAN devices on VLAN 10, IoT APs on VLAN 40.
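    The design in this reply has several pieces that must agree with each other: the VLAN id on each ESXi portgroup, the VLANs allowed on the trunk to the ESXi host, the native VLAN (which should be unused), the VLAN on each access port, and the pfSense vNIC attached to each portgroup. The script below is an added example, not the reply author's or VMware's own tooling: it holds that plan in one place, checks those relationships, and emits the esxcli commands for the vSwitch and portgroups. VLAN ids 10 and 40 come from the thread; VLAN 20 for the DMZ, the vSwitch names, the uplink vmnic1, the vmx vNIC names and the switch port names are constructed assumptions.

```python
"""Consistency check for the vSwitch / portgroup / trunk plan described in the reply.

Added example, not the reply author's or VMware's own tooling. VLAN ids 10 (LAN)
and 40 (IoT) are from the thread; 20 (DMZ), vSwitch names, vmnic1, the vmx
vNIC names and the switch port names are constructed assumptions.
"""
import copy

PLAN = {
    # portgroup -> (vSwitch, VLAN id); 0 means untagged (the WAN vSwitch is kept as-is)
    "portgroups": {
        "WAN": ("vSwitch0", 0),
        "LAN": ("vSwitch1", 10),
        "DMZ": ("vSwitch1", 20),
        "IOT": ("vSwitch1", 40),
    },
    # pfSense vNIC -> portgroup it is attached to (constructed VMXNET3 names)
    "pfsense_vnics": {"vmx0": "WAN", "vmx1": "DMZ", "vmx2": "IOT", "vmx3": "LAN"},
    # physical switch side: trunk to the ESXi host and access ports for LAN gear and the IoT AP
    "trunk": {"port": "Gi1/0/1", "allowed": {10, 20, 40}, "native": 1},
    "access_ports": {"Gi1/0/2": 10, "Gi1/0/3": 10, "Gi1/0/10": 40},
}


def check_plan(plan):
    """Return a list of human-readable findings; an empty list means the plan is consistent."""
    findings = []
    pgs = plan["portgroups"]
    trunk = plan["trunk"]
    tagged = {name: vlan for name, (_, vlan) in pgs.items() if vlan}

    # Every tagged portgroup's VLAN must be carried by the trunk to the ESXi host.
    for name, vlan in tagged.items():
        if vlan not in trunk["allowed"]:
            findings.append(f"portgroup {name}: VLAN {vlan} not allowed on trunk {trunk['port']}")

    # The native (untagged) VLAN on the trunk should be one nothing else uses.
    in_use = set(tagged.values()) | set(plan["access_ports"].values())
    if trunk["native"] in in_use:
        findings.append(f"native VLAN {trunk['native']} is also a tagged/access VLAN; pick an unused one")

    # An access port on a VLAN with no portgroup has no pfSense gateway or DHCP scope behind it.
    for port, vlan in plan["access_ports"].items():
        if vlan not in tagged.values():
            findings.append(f"access port {port}: VLAN {vlan} has no portgroup, so no pfSense interface")

    # Each portgroup should have exactly one pfSense vNIC attached (its gateway).
    attached = {}
    for vnic, pg in plan["pfsense_vnics"].items():
        if pg not in pgs:
            findings.append(f"pfSense {vnic}: portgroup {pg} does not exist")
        attached.setdefault(pg, []).append(vnic)
    for pg in pgs:
        n = len(attached.get(pg, []))
        if n != 1:
            findings.append(f"portgroup {pg}: expected one pfSense vNIC, found {n}")
    return findings


def esxcli_commands(plan, uplink="vmnic1"):
    """esxcli commands that create the inside vSwitch and its tagged portgroups."""
    cmds = []
    for vs in sorted({vs for vs, vlan in plan["portgroups"].values() if vlan}):
        cmds.append(f"esxcli network vswitch standard add --vswitch-name={vs}")
        cmds.append(f"esxcli network vswitch standard uplink add --vswitch-name={vs} --uplink-name={uplink}")
    for name, (vs, vlan) in plan["portgroups"].items():
        if not vlan:
            continue   # untagged WAN vSwitch is left exactly as it is
        cmds.append(f"esxcli network vswitch standard portgroup add --vswitch-name={vs} --portgroup-name={name}")
        cmds.append(f"esxcli network vswitch standard portgroup set --portgroup-name={name} --vlan-id={vlan}")
    return cmds


def with_native(plan, native):
    """Copy of the plan with a different trunk native VLAN (used to show a bad choice)."""
    bad = copy.deepcopy(plan)
    bad["trunk"]["native"] = native
    return bad


if __name__ == "__main__":
    print("findings:", check_plan(PLAN) or "none")
    print("findings with native VLAN 10:", check_plan(with_native(PLAN, 10)))
    print("\n".join(esxcli_commands(PLAN)))
```

    The checks encode the reply's advice directly: the trunk must carry every VLAN a portgroup uses, the native VLAN must be one that is not in use, and every access-port VLAN needs a matching portgroup with a pfSense vNIC on it, otherwise the IoT AP's clients would sit on a VLAN with no gateway and no DHCP scope. The generated commands use the long-form esxcli option names; review them on the host before running them.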



  • The SPAN port used to have a SIEM there, but it has since been removed, and now the SPAN has been removed.
    I'm SPANning on the physical switch to mirror all the WAN traffic to the SIEM, so that part can be removed now.

    At the moment, VLAN isn't really doing much as I am just starting to set it up, but not sure if I'm better off just subnetting for now and looking at VLANing in the future if the network gets a bit more busy.
    Or have the DMZ and use the VLAN to separate it out more in there, so I can have a DMZ with a VLAN for honeypots, a VLAN for XXX and a VLAN for XXX all in the DMZ zone.

