Thursday, Aug 20, 2009

VMware to bridge a DMZ.  

Hey guys,

There is a renewed push at my organization to deploy VMware... everywhere.

I am rather excited as I know we have a lot of waste when it comes to resources.

What has pricked my ears up however, is the notion of using this technology in our very busy public facing DMZ's.

Today we get lots of spikes of traffic and we are coping very well: 40 HP blades running Apache/PHP/Perl/Tomcat, all in HA behind HA F5s and HA Check Point firewalls (20 servers in 2 datacentres).

The idea is that we virtualise these machines, including the firewalls, onto VMware host clusters that span from the public interface to our internal networks. This goes against the #1 rule I have ever lived by while working on the internet: no airgaps from the unknown to the known!

I am interested in feedback on this scenario.

From a resource perspective, our resource requirements in the DMZ will be lowered over time due to business change and we still have a lot of head room in our capacity.

Do you think this is change for change's sake? All I can see is more complexity, higher risk and more skill required to manage what today is a very simple and resilient setup with no security flaws.

VMware and some big-name companies/government agencies stand by the notion that the software dividing the host machine is more than capable of keeping the DMZs in check. It just doesn't sit well with me, knowing we may have a public-facing website on the same host machine that is running a critical safety or customer-management tool.

Apart from the ease of management to grow/shrink (something we don't need to do in any rush), what are the advantages that justify the increased risk and complexity?

Are any of you in the same position?

Cost-wise, our website costs are minuscule compared to the revenue we generate through them. Would you risk what is a sound and stable environment because it sounds cool to 'virtualise', or is there something I am missing?

Kind regards,
Foodie

PS. I don't post much on here, but I love reading your articles. The website I am referring to in my post hits a peak of $250/second and is responsible for 90% of revenue to the business.
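Editor's note: the concern above is easier to reason about when it is written down as a concrete check. The script below is an added example, not code from Foodie's environment or from VMware; it works over a constructed inventory (cluster, host, VM and the port group each VM NIC sits on, with a hypothetical port-group-to-zone table) and flags the three ways the airgap between "unknown" and "known" is lost once the DMZ is virtualised: a VM with NICs in two trust zones, a host whose VMs span two zones, and a cluster whose hosts mix zones so that vMotion can move a public web VM next to an internal workload. The port-group names, zone table and VM names are all assumptions; a real run would populate the inventory from the vSphere API.

```python
"""Zone-segregation check for a virtualised DMZ (constructed example).

Findings reported:
  vm-bridge      a VM whose NICs sit in more than one trust zone
                 (a software bridge across the DMZ boundary)
  host-mixed     a hypervisor carrying VMs from more than one zone
  cluster-mixed  a cluster whose hosts, taken together, span zones,
                 so DRS/vMotion can co-locate public and internal VMs
"""

# Assumption: port-group names encode the trust zone. In a real deployment
# derive this from VLAN IDs and keep the table under change control.
ZONE_BY_PORTGROUP = {
    "pg-public-web": "public",
    "pg-fw-outside": "public",
    "pg-fw-inside": "internal",
    "pg-internal-lan": "internal",
    "pg-mgmt": "management",
}

# Constructed sample inventory: cluster -> host -> vm -> port groups on its NICs.
INVENTORY = {
    "dmz-cluster": {
        "esx-dmz-01": {
            "web01": ["pg-public-web", "pg-mgmt"],
            "web02": ["pg-public-web", "pg-mgmt"],
        },
        "esx-dmz-02": {
            "web03": ["pg-public-web"],
            "fw01": ["pg-fw-outside", "pg-fw-inside"],  # virtualised firewall
        },
    },
    "shared-cluster": {
        "esx-shared-01": {
            "web04": ["pg-public-web"],
            "crm01": ["pg-internal-lan"],  # internal customer-management tool
        },
        "esx-shared-02": {
            "safety01": ["pg-internal-lan"],
        },
    },
}


def zones_of(portgroups, zone_map=ZONE_BY_PORTGROUP):
    """Trust zones the given port groups belong to. An unmapped port group
    becomes 'unknown' so it is never silently treated as safe."""
    return {zone_map.get(pg, "unknown") for pg in portgroups}


def find_zone_violations(inventory, zone_map=ZONE_BY_PORTGROUP,
                         ignore=("management",), expected_bridges=()):
    """Return a list of (kind, name, sorted_zones) findings.

    `ignore` lists zones every VM may legitimately touch (an out-of-band
    management NIC); pass ignore=() to be strict. `expected_bridges` names
    VMs that are supposed to straddle zones, i.e. the firewalls; they are
    not reported as vm-bridge, but the host and cluster that carry them
    still are, because that is exactly the hypervisor exposure at issue.
    """
    findings = []
    for cluster, hosts in inventory.items():
        cluster_zones = set()
        for host, vms in hosts.items():
            host_zones = set()
            for vm, pgs in vms.items():
                vm_zones = zones_of(pgs, zone_map) - set(ignore)
                if len(vm_zones) > 1 and vm not in expected_bridges:
                    findings.append(("vm-bridge", vm, sorted(vm_zones)))
                host_zones |= vm_zones
            if len(host_zones) > 1:
                findings.append(("host-mixed", host, sorted(host_zones)))
            cluster_zones |= host_zones
        if len(cluster_zones) > 1:
            findings.append(("cluster-mixed", cluster, sorted(cluster_zones)))
    return findings


if __name__ == "__main__":
    for kind, name, zones in find_zone_violations(INVENTORY,
                                                  expected_bridges={"fw01"}):
        print(f"{kind:14} {name:16} zones={','.join(zones)}")
```

Run against the constructed inventory it reports esx-dmz-02 and the whole dmz-cluster as mixed even though fw01 is an expected bridge: once the firewall is a guest, the host carrying it has uplinks on both sides of the boundary, and any other VM on that host is one hypervisor bug away from the internal network, which is the point Foodie is making.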

Reader Comments (1)

Rather than convert/move all your infrastructure into VMware, I would first try to change one real server into one VMware server. For example, one of those 40 blades makes a good target to start with.
After that, you should measure the impact in terms of resources and efficiency.

Only if you see that it's affordable, or you are OK with the results of the change, should you start changing the rest of the servers one by one.

I wouldn't do it at every level in a rush; I would do it at every server update or expansion, but, as you mentioned, it seems you will not do that.

If it's stable, you shouldn't touch it... but if you (or your organization) think that changing to VMware should reduce any maintenance costs, go and try.

December 31, 1999 | Unregistered CommenterRelay
