Thursday, January 31, 2019

Best practice for a DMZ for SME? Is a VLAN with tight ACL good enough?

Just curious what the best practices are for a DMZ for an SME who might be short on cash? In the past I've gone full segregated network with a separate physical server / host and air-gapped networking infrastructure for externally facing devices.

Looking at an SME who doesn't really have the money nor resources to do this, so I'm thinking about how to go about making it cost effective but still secure.

One option is thinking about configuring a separate on the firewall and assigning it to a dedicated "DMZ" port, then having this port patched into the host on a separate NIC which only the VMs in the DMZ can use. Then just using firewall rules to set what can and can't talk between the networks. This is one option, although not sure this is scalable if they have more hosts. I wouldn't want to use 2 or 3 ports on the firewall!

Other option is just to create a DMZ VLAN on the firewall and have that going through the existing network infrastructure with ACL / no routing to stop that VLAN talking to anything else, then just tagging them on the trunk to the host and creating a new DMZ virtual switch just for that VLAN to allow only the externally facing machines. Anything wrong with this if option one isn't a goer? Ideally I'd like to keep it completely separate, but is running it over the main network on its own VLAN secure enough for an SME?
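Whichever option is chosen, the firewall ruleset between the DMZ VLAN and the LAN is what actually enforces the "no routing" property. The following is an added example, not code from the original post: a small first-match, default-deny zone policy modelling the DMZ VLAN design, with a check that confirms the DMZ can never initiate a connection into the LAN, and a second policy showing how a single broad "allow HTTPS anywhere" rule placed early silently breaks that isolation. Zone names, ports and rules are assumptions.

```python
"""Zone-based, first-match firewall policy model for a DMZ VLAN (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    src: str              # zone the connection is initiated from ("any" = wildcard)
    dst: str              # zone the connection is going to ("any" = wildcard)
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # destination port; None means any port
    action: str           # "allow" or "deny"

def matches(rule: Rule, src: str, dst: str, proto: str, dport: int) -> bool:
    return (rule.src in (src, "any") and rule.dst in (dst, "any")
            and rule.proto in (proto, "any") and rule.dport in (dport, None))

def decide(policy: List[Rule], src: str, dst: str, proto: str, dport: int) -> str:
    """First matching rule wins; anything unmatched is denied (default-deny)."""
    for rule in policy:
        if matches(rule, src, dst, proto, dport):
            return rule.action
    return "deny"

# Constructed policy for the DMZ-VLAN design: WAN reaches only the published
# service, LAN may manage DMZ hosts, the DMZ may never initiate into the LAN.
POLICY = [
    Rule("wan", "dmz", "tcp", 443, "allow"),
    Rule("lan", "dmz", "tcp", 22, "allow"),
    Rule("dmz", "lan", "any", None, "deny"),   # explicit, so the intent stays visible
    Rule("dmz", "wan", "tcp", 443, "allow"),   # e.g. the DMZ host fetching updates
]

# Same policy with a convenience rule added at the top: this is the mistake.
LAX_POLICY = [Rule("any", "any", "tcp", 443, "allow")] + POLICY

def isolation_violations(policy: List[Rule], ports=range(1, 1025)) -> List[Tuple[str, int]]:
    """Return (proto, port) pairs on which the DMZ could initiate into the LAN."""
    return [(proto, port) for proto in ("tcp", "udp") for port in ports
            if decide(policy, "dmz", "lan", proto, port) == "allow"]

if __name__ == "__main__":
    print(decide(POLICY, "wan", "dmz", "tcp", 443))   # allow
    print(decide(POLICY, "wan", "lan", "tcp", 443))   # deny
    print(isolation_violations(POLICY))               # []
    print(isolation_violations(LAX_POLICY))           # [('tcp', 443)]
```

The check is worth running against the real exported ruleset whenever a rule is added, because a wildcard placed above the DMZ deny is easy to miss by eye.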


