Firewall for internal networks
Posted by Cylindric on Server Fault
Published on 2010-06-03T12:43:55Z
I have a virtualised infrastructure here, with separated networks (some physically, some just by VLAN) for iSCSI traffic, VMware management traffic, production traffic, etc.
The recommendations are, of course, not to allow access from the LAN to the iSCSI network, for example, for obvious security and performance reasons, and the same between DMZ/LAN, etc.
The problem I have is that in reality, some services do need access across the networks from time to time:
- System monitoring server needs to see the ESX hosts and the SAN for SNMP
- vSphere guest console access needs direct access to the ESX host the VM is running on
- VMware Converter wants access to the ESX host the VM will be created on
- The SAN email notification system wants access to our mail server
Rather than wildly opening up the entire network, I'd like to place a firewall spanning these networks, so I can allow just the access required.
For example:
- SAN > SMTP Server for email
- Management > SAN for monitoring via SNMP
- Management > ESX for monitoring via SNMP
- Target Server > ESX for VMConverter
Can someone recommend a free firewall that will allow this kind of thing without too much low-level tinkering of config files?
I've used products such as IPCop before, and it seems to be possible to achieve this using that product if I re-purpose their ideas of "WAN", "WLAN" (the red/green/orange/blue interfaces), but I was wondering if there were any other accepted products for this sort of thing.
Thanks.
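Whatever product ends up in front of these VLANs, the policy the question describes is small enough to write down exactly. The script below is an added example, not part of the original question or any answer: it renders an nftables ruleset for a firewall with one interface per segment (SAN, ESX management, monitoring/management, production LAN), default-drop on forwarding, and only the four listed flows permitted. Interface names, addresses and the Converter ports (TCP 443 and 902) are assumptions; apply the output with `nft -f -` on a real box.

```shell
#!/bin/sh
# Added example, not from the original question: renders an nftables
# ruleset for a firewall whose interfaces span the four segments
# (SAN, ESX management, monitoring/management, production LAN).
# Default policy: drop all forwarded traffic; allow only the four flows.
# All interface names and addresses are constructed placeholders.

IF_SAN="vlan10"; IF_ESX="vlan20"; IF_MGMT="vlan30"; IF_LAN="vlan40"

SAN_HOST="10.10.0.5"                       # SAN management address
ESX_HOSTS="{ 10.20.0.11, 10.20.0.12 }"     # ESX host management addresses
MONITOR_HOST="10.30.0.10"                  # system monitoring server
SMTP_HOST="10.40.0.25"                     # mail server on the LAN
CONVERTER_HOST="10.40.0.50"                # server running VMware Converter

# rule IN_IF SRC OUT_IF DST PROTO PORTS COMMENT -> one nft accept rule
rule() {
    printf '        iifname "%s" ip saddr %s oifname "%s" ip daddr %s %s dport %s accept comment "%s"\n' "$@"
}

gen_ruleset() {
    cat <<EOF
table inet vlan_fw {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
EOF
    rule "$IF_SAN"  "$SAN_HOST"       "$IF_LAN" "$SMTP_HOST"  tcp 25             "SAN > SMTP server for email"
    rule "$IF_MGMT" "$MONITOR_HOST"   "$IF_SAN" "$SAN_HOST"   udp 161            "Management > SAN for SNMP"
    rule "$IF_MGMT" "$MONITOR_HOST"   "$IF_ESX" "$ESX_HOSTS"  udp 161            "Management > ESX for SNMP"
    # Assumed Converter ports: TCP 443 (API) and 902 (disk transfer)
    rule "$IF_LAN"  "$CONVERTER_HOST" "$IF_ESX" "$ESX_HOSTS"  tcp "{ 443, 902 }" "Target server > ESX for VMConverter"
    cat <<EOF
        # Everything else is counted and logged, then hits the drop policy
        counter log prefix "vlan_fw drop: "
    }
}
EOF
}

gen_ruleset
```

Because the chain policy is drop and every accept names both interfaces and both endpoints, adding a new cross-segment service means adding one more `rule` line rather than widening an existing one; the log prefix makes the rejected flows visible when something new breaks.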
© Server Fault or respective owner