Quanta LB6M (10GbE) -- Discussion

[PGlover]

1. Do I really need a separate Juniper EX3300-24T switch for the DMZ zone? Can I just use the DMZ vlan on the core switch? The goal is to have virtual servers running in the DMZ and maybe up to 4 physical servers.
2. How will the LAN network talk to vlan 10, 20. and 30 on the core switch? I understand how the LAN network with talk to vlan 1 on the core switch because of the direct 10G connection to the vlan 1 port.
3. How will vlan 1, 10, 20, and 30 talk to each other on the core switch (Quanta LB6M)?

Also I am still fuzzy on how pfsense will do the DMZ traffic routing and filtering.

Thanks for all the comments so far...

After doing some research last night, I think I have the answers to the questions I posted yesterday.
1. If I use a Layer 3 switch for the DMZ zone, I can now do all my inter-Vlan routing using the Layer 3 switch. The pfsense router will be used to filter traffic (firewall rules) between the DMZ and the internal network zone and to route traffic to the internet.
2. Because the core switch is a Layer 2 switch, inter-vlan communication must be done by a Layer 3 switch or a router.
3. The Layer 2 switch (switch) and Layer 3 switch (edge/access) will communicate to each other over a trunk port. I need to create the same Vlans that is created on the Layer 2 core switch on the Layer 3 switch as well.

Here is an updated layout. Please provide feedback and comments on how to improve or simplify the design.

 

[MathieuP]

After doing some research last night, I think I have the answers to the questions I posted yesterday.
1. If I use a Layer 3 switch for the DMZ zone, I can now do all my inter-Vlan routing using the Layer 3 switch. The pfsense router will be used to filter traffic (firewall rules) between the DMZ and the internal network zone and to route traffic to the internet.
2. Because the core switch is a Layer 2 switch, inter-vlan communication must be done by a Layer 3 switch or a router.
3. The Layer 2 switch (switch) and Layer 3 switch (edge/access) will communicate to each other over a trunk port. I need to create the same Vlans that is created on the Layer 2 core switch on the Layer 3 switch as well.

Here is an updated layout. Please provide feedback and comments on how to improve or simplify the design.

hi there,
i would say that i prefer your 1st diagram. in the second one, it appears you are bringing VLAN10, VLAN20 and VLAN99 across into your DMZ. It looks like those vlans are spread across to your internal switches as well.

my take based on your design, is that you appear to want to isolate your DMZ from your internal network (physically with a switch and logically with a vlan) but you are still bringing what i would consider secure vlans back in that switch.

also, depending on how everything interacts with at the pfsense level on the layer2, you might have some inconsistencies with spanning-tree bleeding on your watchguard causing a loop. (are the ports on the watchguard actual nics or is it a weirdo switch with some kernel mode packet handing?)

to simplify it, i would connect your DMZ switch directly to the watchguard bypassing the LB6M so in the event of a compromised service, the only way back out of through your firewall and not bridging through a management interface somewhere.

hope this helps.

 

[PGlover]

I am trying to share my hypervisor and SAN server infrastructure in the DMZ and internal LAN zone.. I only have 1 hypervisor and SAN server. Any suggestions on how to do that while still maintaining a high degree of security between the 2 zones.

 

[MathieuP]

I am trying to share my hypervisor and SAN server infrastructure in the DMZ and internal LAN zone.. I only have 1 hypervisor and SAN server. Any suggestions on how to do that while still maintaining a high degree of security between the 2 zones.

i'm not sure why you would want to share your SAN in your DMZ. maybe i'm not getting the full picture in my head but hey.. its 8 here and i still havent drank a full cup of black liquid gold so..

i have a similar setup here, i have a couple of hosts (vmware) that have a dedicated network card connected to my DMZ switches. Resources (VM) running on the hypervisor are running on the SAN itself but their network payload connection is residing in the DMZ. If what you want is share files between different resources in your DMZ, i will suggest you create a small vm with a large enough virtual disk to share stuff in your DMZ. that way you have maximum isolation between your internal and dmz network.

my rule of thumb is that i like to have my DMZ both physically and logically isolated from everything else. dedicated network adapter, dedicated switch. lets just say that i had a bad experience. we had vendor equipement literally bridge the management nic and the payload nic. (one in DMZ, one in mgmt network). didn't take long for that box to be compromised as it was also using very weak passwords (hardcoded dev passwords). that appliance is now a 50,000$ coffee heater..

 

[PGlover]

i'm not sure why you would want to share your SAN in your DMZ. maybe i'm not getting the full picture in my head but hey.. its 8 here and i still havent drank a full cup of black liquid gold so..

i have a similar setup here, i have a couple of hosts (vmware) that have a dedicated network card connected to my DMZ switches. Resources (VM) running on the hypervisor are running on the SAN itself but their network payload connection is residing in the DMZ. If what you want is share files between different resources in your DMZ, i will suggest you create a small vm with a large enough virtual disk to share stuff in your DMZ. that way you have maximum isolation between your internal and dmz network.

my rule of thumb is that i like to have my DMZ both physically and logically isolated from everything else. dedicated network adapter, dedicated switch. lets just say that i had a bad experience. we had vendor equipement literally bridge the management nic and the payload nic. (one in DMZ, one in mgmt network). didn't take long for that box to be compromised as it was also using very weak passwords (hardcoded dev passwords). that appliance is now a 50,000$ coffee heater..

After reading your post in more detail, I agree with your comments about not sharing the SAN in the DMZ zone. With that being said, 1 only have 1 hypervisor server. To create VMs in the DMZ zone, will I need a dedicated 10G NIC connected to the DMZ switch as well? If that is true, then the hypervisor server will be connected directly to the core switch (LB6M) and the DMZ switch. Is there some risk in doing that?

Is it possible for you to post a high level drawing?

Thanks for the feedback.

 

[MathieuP]

After reading your post in more detail, I agree with your comments about not sharing the SAN in the DMZ zone. With that being said, 1 only have 1 hypervisor server. To create VMs in the DMZ zone, will I need a dedicated 10G NIC connected to the DMZ switch as well? If that is true, then the hypervisor server will be connected directly to the core switch (LB6M) and the DMZ switch. Is there some risk in doing that?

Is it possible for you to post a high level drawing?

Thanks for the feedback.

sure, let me see what i can do with my mad mspaint skillz

in the meantime, i'm assuming the routing between your dmz and internal LAN is done by your watchguard/pfsense right?

then you will at best route 7-800mbits/sec between internal and DMZ so IMHO, no need for a 10gig connection here, so i don't believe you need to have your hypervisor connected at 10gig in the DMZ. i would take 1 of our mgmt 1gig connection (i don't see the need for the 2 gig if they are connected to the same switch, unless you want cable redundancy?) and connect that 1gig to the DMZ switch, and in turn connect the DMZ switch directly on the watchguard.

hope this helps,

 

[PGlover]

sure, let me see what i can do with my mad mspaint skillz

in the meantime, i'm assuming the routing between your dmz and internal LAN is done by your watchguard/pfsense right?

then you will at best route 7-800mbits/sec between internal and DMZ so IMHO, no need for a 10gig connection here, so i don't believe you need to have your hypervisor connected at 10gig in the DMZ. i would take 1 of our mgmt 1gig connection (i don't see the need for the 2 gig if they are connected to the same switch, unless you want cable redundancy?) and connect that 1gig to the DMZ switch, and in turn connect the DMZ switch directly on the watchguard.

hope this helps,

Yes. Routing between the DMZ and internal LAN will be done by Pfsense.

 

[MathieuP]

Yes. Routing between the DMZ and internal LAN will be done by Pfsense.

well, mspaint may not be appropriate for network diagrams but that is all i have atm..

assuming a Dell R630 network connection with 2x 1gig and 2x10gig, (+1x 100mb/1gig for idrac),

2x10gig to your LB6M/Core
1x1gig to one 3300 (Lan)
1x1gig to another 3300 (DMZ)
1xidrac to one 3300 (mgmt)

1x 3300 (DMZ) wired directly to the watchguard, everything else makes super sense.

the thinking behind is that because you are limited in routing power between your dmz and your internal lan, it doesn't make sense to use anything more than a gig connection to your watchguard. (unless i am grossly mistaken and that you can route ~10gbps on the watchguard, i know i coudn't on the one i had and i can barely break the 800mbps limit on a dual xeon with pci-x nics)

let me know if you have questions, have a great day!

 

[PGlover]

MathieuP... Thank you so much for being patience with me.

Just curious about the 1gig connections to the 3300 (Lan). Here are my assumptions as it relates to Dell R630 Hypervisor server:

1xidrac to 3300(Lan) for Dell Server management
1x1gig to 3300(Lan) for Hypervisor Management

From your post, it looks like you have 1 more 1gig connection to the 3300(Lan) switch. Please confirm.

 

[MathieuP]

MathieuP... Thank you so much for being patience with me.

Just curious about the 1gig connections to the 3300 (Lan). Here are my assumptions as it relates to Dell R630 Hypervisor server:

1xidrac to 3300(Lan) for Dell Server management
1x1gig to 3300(Lan) for Hypervisor Management

From your post, it looks like you have 1 more 1gig connection to the 3300(Lan) switch. Please confirm.

sorry i forgot to put it on the diagram,

technically behind your R630 you should have 1x idrac (left most), 2x 1gb and 2x sfp+ (10gig)

so the idrac shoud be wired to your lan switch, 1 of the 2 gig connection wired to the lan switch (for hypervisor management) and the other one to the DMZ. then you would have your 2 10gig wired to the Lb6m carrying all your VM payload.

 

[PGlover]

sorry i forgot to put it on the diagram,

technically behind your R630 you should have 1x idrac (left most), 2x 1gb and 2x sfp+ (10gig)

so the idrac shoud be wired to your lan switch, 1 of the 2 gig connection wired to the lan switch (for hypervisor management) and the other one to the DMZ. then you would have your 2 10gig wired to the Lb6m carrying all your VM payload.

Got it.. Thanks.... That clears up the Hypervisor connection to the 3300 (Lan)..

 

[MathieuP]

Got it.. Thanks....

here is a diagram of my home network, networking wise. i have simplified the server connection but they are 4x HP DL380 G6 with 4 gig nics in each + 1gig for IPMI (iLO) at each site.

most of the storage is local, except 1 380 has an MSA70 attached to it.

 

[PGlover]

assuming a Dell R630 network connection with 2x 1gig and 2x10gig, (+1x 100mb/1gig for idrac),

QUOTE]

Actually the Dell R630 has 4x10gig connection. So, can I use a 2x10gig to the 3300 (DMZ) rather than a 1x1gig connection?

 

[MathieuP]

sure, if you have 4 10gig, then 2 10gig to LAN, and 2 10gig to DMZ. or 3x10gig to LAN and 1 10gig to dmz.

at this point the connection to the DMZ doesn't really matter as you only have less than 1gbps to the "outside" world.

 

[PGlover]

sure, if you have 4 10gig, then 2 10gig to LAN, and 2 10gig to DMZ. or 3x10gig to LAN and 1 10gig to dmz.

at this point the connection to the DMZ doesn't really matter as you only have less than 1gbps to the "outside" world.

Thank you so much.. I will post an updated drawing later tonight.

 

[PGlover]

MathieuP... Here is an updated diagram. So the hypervisor server crosses the DMZ and Internal LAN zones. Is there any risk that my internal network could be breached with having the hypervisor server connected to the DMZ and Internal network?

 

[MathieuP]

that is how i would connect it.

the risk of having your lan compromised because you bridge your hypervisor between your dmz and your lan is low, in my opinion.

i believe most sysadmin/network admin connect their system the same, at least that is how i connect mine, and how my friends do as well.

good luck! and most importantly, have fun!

 

[Drewy]

"the risk of having your lan compromised because you bridge your hypervisor between your dmz and your lan is low"

it happens... Explo-Xen! Bunker buster bug breaks out guests from hypervisor

 

[MathieuP]

"the risk of having your lan compromised because you bridge your hypervisor between your dmz and your lan is low"

it happens... Explo-Xen! Bunker buster bug breaks out guests from hypervisor

yes it will happens for sure. bugs will be bugs. hackers will be hackers.

even computers not connected to each other can be hacked.
Researchers Hack Air-Gapped Computer With Simple Cell Phone

/me put tinfoil hat on and hide under desk

 

[aero]

If you were super serious about security you would not dual-home a server to dmz + internal, regardless of what it is running (hypervisor or baremetal, etc.). However, that could mean needing another server dedicated to the DMZ, which maybe isn't worth it. Security is always a compromise against cost, complexity, and ease of use.....until that security saves your proverbial bacon and then it was well worth it!