While trying to cook up a way to secure client-hosted VMs I thought of this layout: a virtual firewall appliance that creates an IPsec tunnel back to the client network, with the client VMs placed on a dedicated vSwitch behind it.
Has anyone tried something like this? I hope that VI4 / vSphere will include a way to make this a reality. I figure a downside of just building an infrastructure around some kind of m0n0wall appliance is that the appliance would need to move from host to host in a DRS/HA cluster. I bet that with some scripting and/or affinity rules I might be able to keep them together. It would be good if the new infrastructure had layer 3 or firewall capability that existed across the cluster. Then you would not have to worry about vMotioning a virtual firewall around.
Maybe someone has a better way to do this? Am I overthinking it? I would want this to be the best way of assuring clients that their data doesn't mix at any point, physical or virtual, unless it is inside the VPN tunnel.
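As an added illustration of the layout above (this is not code from the original post, and m0n0wall itself is configured from its own web UI, not from a script), here is a PowerCLI sketch that builds the "inside" half: a vSwitch with no physical uplinks on every host in the cluster, the client VMs pinned to that vSwitch only, and a DRS keep-together rule so the firewall appliance and its client VMs are never split across hosts. It assumes a PowerCLI version that has New-DrsRule and an existing Connect-VIServer session; the cluster, VM, vSwitch and port-group names are made up for the example, and the firewall's outside vNIC (where the IPsec tunnel terminates) is assumed to already sit on a port group that does have uplinks.

```powershell
# Added example, not from the original post. Names below are assumptions.
# Requires VMware PowerCLI (with New-DrsRule) and a live Connect-VIServer session.

$clusterName   = 'Cluster01'                               # assumed DRS/HA cluster
$clientTag     = 'ClientA'                                 # assumed client label
$fwVmName      = "fw-$clientTag"                           # assumed firewall VM (e.g. m0n0wall)
$clientVmNames = @("$clientTag-app01", "$clientTag-db01")  # assumed client VMs
$isoSwitch     = "vSwitch-$clientTag"                      # vSwitch with NO uplinks (host-local)
$isoPortGroup  = "$clientTag-Inside"                       # inside leg: firewall + client VMs

$cluster = Get-Cluster -Name $clusterName

# 1. Create the isolated vSwitch and port group on every host in the cluster.
#    New-VirtualSwitch without -Nic means no physical uplink, so frames on it
#    cannot leave the host except through the firewall VM's outside vNIC.
#    The same switch/port-group name must exist on every host or vMotion fails.
foreach ($vmhost in Get-VMHost -Location $cluster) {
    $vs = Get-VirtualSwitch -VMHost $vmhost -Name $isoSwitch -ErrorAction SilentlyContinue
    if (-not $vs) {
        $vs = New-VirtualSwitch -VMHost $vmhost -Name $isoSwitch
    }
    if (-not (Get-VirtualPortGroup -VirtualSwitch $vs -Name $isoPortGroup -ErrorAction SilentlyContinue)) {
        New-VirtualPortGroup -VirtualSwitch $vs -Name $isoPortGroup | Out-Null
    }
}

# 2. Put every vNIC of the client VMs on the isolated port group and nowhere else.
$clientVms = Get-VM -Name $clientVmNames
foreach ($nic in ($clientVms | Get-NetworkAdapter)) {
    Set-NetworkAdapter -NetworkAdapter $nic -NetworkName $isoPortGroup -Confirm:$false | Out-Null
}

# 3. DRS keep-together rule: because the isolated vSwitch has no uplinks it is
#    confined to one host, so the firewall and its client VMs must always be
#    placed on the same host. DRS will not separate members of this rule.
$fwVm = Get-VM -Name $fwVmName
New-DrsRule -Cluster $cluster -Name "KeepTogether-$clientTag" -KeepTogether $true `
            -VM ($clientVms + $fwVm) -Enabled $true | Out-Null

# 4. Checks a practitioner would want: no uplink has crept onto the isolated
#    switch on any host, and no client vNIC is attached outside the isolated
#    port group. Either condition would be a path for client traffic to mix.
$leaks = @()
foreach ($vmhost in Get-VMHost -Location $cluster) {
    $vs = Get-VirtualSwitch -VMHost $vmhost -Name $isoSwitch
    if (@($vs.Nic).Count -gt 0) {
        $leaks += "$($vmhost.Name): $isoSwitch has uplinks $($vs.Nic -join ',')"
    }
}
foreach ($nic in ($clientVms | Get-NetworkAdapter)) {
    if ($nic.NetworkName -ne $isoPortGroup) {
        $leaks += "$($nic.Parent.Name): $($nic.Name) is on $($nic.NetworkName)"
    }
}
if ($leaks) { $leaks | ForEach-Object { Write-Warning $_ } }
else        { Write-Host "Isolation checks passed for $clientTag" }
```

The keep-together rule only addresses DRS placement; a manual vMotion of the firewall alone still leaves the client VMs on a host where the inside port group has no firewall attached, so the same check in step 4 (plus an alarm on the rule being violated) is worth running on a schedule rather than once.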
Do not forget (mostly a note to myself) the Virtualization Security Roundtable.
I would like to help spread the word about the Virtualization Security Roundtable; it will take place this Thursday, January 15, at 2:30 EST.
Security topics are outlined in the linked article. I would have to say this is a topic that I really want to master.
We consult with many financial institutions and being quicker on this subject would help me answer some of the objections to VMware. Not only to have the right answer but also be able to solve common problems.
As always, I will not be available for the call this week, but I will put it on my calendar so I can go ahead and listen to it every other week.