1. My Virtual Firewall
by Brian Drew

Last time I shared my home vSphere environment that I use to test and train on. I got a lot of positive feedback and wanted to follow up with my virtual firewall configuration. Prior to implementation I had a Comcast cable modem and Windows firewall on each PC. That was the extent of it and I knew better. I needed something stronger.
2. Agenda
Overview
Before and After
Physical and Logical Components
Next Steps

As always, the information contained within is not meant to be an exhaustive how-to manual but rather represents what I used to build a secure network using my virtual lab. I used IPCop, an open source solution, on a virtual machine. The only "stickler" is the network config, but that is easy too. The end result is a decent, dedicated firewall and a little extra learning to boot.
3. Overview
I feel good about the IPCop solution. I might give Microsoft Forefront Threat Management Gateway a try when I get some free time, but for now I'm satisfied. I thought it worth showing before and after pictures to get the overall gist of things. This is the BEFORE...
4. After - Physical
By using that 3rd NIC in each HP ProLiant MicroServer I was able to create the required environment. Caveat: notice the unused on-board NIC on the other ESXi host.
5. After - Logical
In vSphere the networking looks like this on both hosts. I did not use vDS this first time around. Notice the ipcop VM is on two virtual switches. The corresponding physical connections are then made.
6. It's Beautiful
The ipcop server is now set as the default gateway for all devices on that LAN segment. All packets, inbound and outbound, must go through the firewall. Security is now up to the configuration of ipcop. To me that is a LOT better than having individual firewalls on each PC and virtual machine. Make sure to turn them all off if you go this route. You still need anti-virus.
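As an added check (not part of the original slides): once the IPCop VM is meant to be the only way off the LAN segment, auditing a host's routing table shows whether a leftover route still bypasses the firewall. The firewall address and the sample `ip route` output below are constructed assumptions.

```python
"""Audit a LAN host's routing table: every default route must point at the
firewall VM. Added example, not from the original slides; the firewall address
and the sample routing table are constructed assumptions."""

FIREWALL_GW = "192.168.1.1"   # assumed LAN address of the IPCop VM (placeholder)

# Constructed sample of `ip route show` output from a LAN host. The second
# default route (via .254) simulates a leftover DHCP path to the cable modem
# that would let traffic skip the firewall entirely.
SAMPLE_ROUTES = """\
default via 192.168.1.1 dev eth0 proto static metric 100
default via 192.168.1.254 dev eth0 proto dhcp metric 200
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
"""


def parse_routes(text):
    """Return (destination, gateway) tuples from `ip route` output;
    gateway is None for on-link routes without a 'via' hop."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        gw = parts[parts.index("via") + 1] if "via" in parts else None
        routes.append((parts[0], gw))
    return routes


def audit_routes(text, firewall_gw=FIREWALL_GW):
    """Return a list of findings; an empty list means all default routes go
    through the firewall."""
    findings = []
    defaults = [gw for dest, gw in parse_routes(text) if dest == "default"]
    if not defaults:
        findings.append("no default route: host cannot reach beyond the LAN")
    for gw in defaults:
        if gw != firewall_gw:
            findings.append(
                f"default route via {gw} bypasses the firewall at {firewall_gw}")
    return findings


if __name__ == "__main__":
    for finding in audit_routes(SAMPLE_ROUTES) or ["OK: all traffic routes via firewall"]:
        print(finding)
```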
7. Next Steps
Go through the IPCop documents and button things up if desired. Other services that can be enabled include DHCP, NTP and Intrusion Detection; all are already "in the box" waiting to be enabled. I use all the services now and point the ESXi servers at it for NTP. The Intrusion Detection is particularly interesting.

Back to that unused network port. Regretfully, since I don't have sophisticated equipment at home, when an ESXi host failure occurs I need to move the cross-over cable to the other, live ESXi host. Everything else will take care of itself.

THE END