Virtual Network setup with third party hosted Server?

    Question

  • I've got a dedicated server sitting out there in the wild with a hosting company.  On the host is Hyper-V and two guest operating systems.

    Initially I thought about setting up some type of DMZ setup with their Juniper firewall, but it appears that since it's a managed firewall they don't support MIP or transparency.

    This Hyper-V server would host a guest that has IIS for web hosting and another box with SQL Server 2012.

    So initially I configured both boxes (vsiisdedi01 and vssqldedi01) with the private network switch, so only they can communicate with each other.

    I also configured the external switch to give the IIS box a NIC that has a public IP address.

    Of course, I'll also need access to the internet on the SQL box for Windows Updates too.

    As of now I can't even get the IIS box to communicate with the internet, despite adding a publicly assigned IP (though I think it's DNS/gateway wrong info related)...

    What are the typical best practices here for a 3rd party hosted server like this, given my limitations?  I guess a DMZ is overkill, as it's an internet based service anyway I suppose..

    I saw one note that seemed to show installing the RRAS service on the host and enabling NAT to the VMs, which would both only have a private LAN configured?  As of now the hosting provider only has one of the two NICs on the host connected to the firewall/switch; I know this falls short of the typical 2 NICs for best practices on the host.

    Any tips or suggestions here would be great.

    Thanks


    Tech, the Universe, Everything: http://tech-stew.com


    • Edited by techfun89 Tuesday, 19 June 2012 15:54
    Tuesday, 19 June 2012 15:52

Answers

  • Technically this places your SQL Server into a physical DMZ.  You don't need a firewall to build a DMZ, it is just an isolation chamber.

    The way to take this farther is to set up IPSec rules between the two VMs.  So the SQL server can only talk to the IIS Server, and the IIS Server can only talk to the SQL server over the SQL port.  This is part of hardening an OS when you put it out in the wild like this.  (I did a lot of this when I managed the web servers for a financial institution - port blocking, IPSec rules, firewall rules - followed by a penetration test probe).

    A Private Virtual Switch is between VMs only.  The Host cannot be on it.  It is designed for VMs to increase security and isolation.

    Beyond that, what you desire is what you desire.  I don't see the need to have constant contact with Windows Update.  It increases the time you need to touch the VM, but if you take the time to lock it down you have a much higher degree of safety while it is running.  Just manage the connection and patch it up on a regular / scheduled basis.


    Brian Ehlert
    http://ITProctology.blogspot.com
    Learn. Apply. Repeat.
    Disclaimer: Attempting change is of your own free will.

    Wednesday, 20 June 2012 16:12
    Moderator
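Brian's "SQL only talks to IIS over the SQL port, and only over IPSec" advice, written out as an added example that is not from the thread or from Brian: Windows Firewall with Advanced Security rules applied on the SQL VM. Assumed: Windows Server 2012 NetSecurity cmdlets, a private-switch subnet of 192.168.10.0/24 with the IIS VM at .10 and the SQL VM at .20, the default SQL port TCP 1433, and a pre-shared key because the VMs are not domain-joined.

```powershell
# Added example (not from the thread). Run elevated on the SQL VM (vssqldedi01).
# Assumptions: Server 2012 NetSecurity module; addresses/port/key are hypothetical.
$IisVm   = '192.168.10.10'
$SqlVm   = '192.168.10.20'
$SqlPort = 1433
$Psk     = 'REPLACE-WITH-A-LONG-RANDOM-SECRET'   # placeholder, not a real key

# 1. Default-deny inbound on every profile; outbound left open for patching.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# 2. Phase 1 authentication set: machine-level pre-shared key.
$proposal = New-NetIPsecAuthProposal -Machine -PreSharedKey $Psk
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'IIS-SQL PSK' -Proposal $proposal

# 3. Connection security rule: SQL-port traffic between the two VMs must be
#    IPsec-protected in both directions. Other traffic is not touched here.
New-NetIPsecRule -DisplayName 'Require IPsec IIS<->SQL' `
    -LocalAddress $SqlVm -RemoteAddress $IisVm `
    -Protocol TCP -LocalPort $SqlPort `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $authSet.Name

# 4. Firewall rule: inbound 1433 is allowed only from the IIS VM, and only
#    when the connection was authenticated by the IPsec rule above.
New-NetFirewallRule -DisplayName 'SQL from IIS only (IPsec required)' `
    -Direction Inbound -Protocol TCP -LocalPort $SqlPort `
    -RemoteAddress $IisVm -Action Allow -Authentication Required

# 5. Verify: every enabled inbound allow rule that opens the SQL port, and the
#    security requirements of the IPsec rule. Expect exactly one of each.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Get-NetFirewallPortFilter | Where-Object LocalPort -eq $SqlPort
Get-NetIPsecRule -DisplayName 'Require IPsec IIS<->SQL' |
    Format-List DisplayName, InboundSecurity, OutboundSecurity, Phase1AuthSet
```

The IIS VM needs the mirror image: the same pre-shared key and IPsec rule with the addresses swapped, plus an outbound allow for TCP 1433 to the SQL VM only. A pre-shared key is the weakest IPsec authentication option; move to certificates if the hosting setup allows it.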

All Replies

  • I should say that I have at least got the internet/public IP connectivity working on the IIS box, so that leaves the issue of connecting to the internet on SQL.. short of adding another public IP and external NIC on the SQL VM (or using RRAS on the host with NAT to the SQL box?).. if these techniques are considered typical practice.

    Tech, the Universe, Everything: http://tech-stew.com

    Tuesday, 19 June 2012 16:03
  • Initially, I would say to do the old fashioned physical isolation model.

    Public -> External Virtual Switch -> IIS Server VM -> Private Virtual Switch -> SQL VM.

    And, as you state, the hitch is the updating.

    Depending on how your hosting provider allows you access out from the VM, you might be able to attach the SQL server to the External Virtual Switch only to check for and download updates, and leave it unattached (and isolated behind your IIS VM) the rest of the time.

    The SQL Server could be multi-homed, with two vNICs but not attached all the time to the public side.

    Just make sure that you multi-home properly, setting your routes and gateways properly.

    It is a very old isolated networking model, one that I did all the time back in the NT days.  Before folks could afford switches and routers with VLANs.

    Also, the common model is to firewall traffic incoming, not outgoing.  You just need an IP for that.


    Brian Ehlert
    http://ITProctology.blogspot.com
    Learn. Apply. Repeat.
    Disclaimer: Attempting change is of your own free will.

    Tuesday, 19 June 2012 16:32
    Moderator
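The isolation model and "attach the SQL VM to the external switch only for updates" procedure above, scripted on the Hyper-V host as an added example that is not from the thread or from Brian. Assumed: Windows Server 2012 Hyper-V cmdlets; the VM names vsiisdedi01 and vssqldedi01 come from the question, while the switch names, vNIC names and the 192.168.10.0/24 backend subnet are hypothetical.

```powershell
# Added example (not from the thread). Run elevated on the Hyper-V host.
# Assumptions: Server 2012 Hyper-V module; 'External' already exists and is
# bound to the host's public NIC; all other names below are hypothetical.
$External = 'External'
$Private  = 'Private'

# ---- Host side: build the topology once ----
# A private switch carries VM-to-VM traffic only; the host is never on it.
if (-not (Get-VMSwitch -Name $Private -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $Private -SwitchType Private | Out-Null
}
# IIS VM: one vNIC facing the public side, one facing the backend.
Add-VMNetworkAdapter -VMName 'vsiisdedi01' -Name 'Public'  -SwitchName $External
Add-VMNetworkAdapter -VMName 'vsiisdedi01' -Name 'Backend' -SwitchName $Private
# SQL VM: backend vNIC always connected; public vNIC created with no switch,
# so it stays disconnected until a patch window is opened.
Add-VMNetworkAdapter -VMName 'vssqldedi01' -Name 'Backend' -SwitchName $Private
Add-VMNetworkAdapter -VMName 'vssqldedi01' -Name 'Public'

function Open-SqlPatchWindow {
    # Attach the SQL VM's public vNIC for a bounded time. The finally block
    # detaches it again even if the wait is interrupted with Ctrl-C.
    param([int]$Minutes = 60)
    Connect-VMNetworkAdapter -VMName 'vssqldedi01' -Name 'Public' -SwitchName $External
    try {
        Write-Host "Patch window open for $Minutes min; run Windows Update inside vssqldedi01."
        Start-Sleep -Seconds ($Minutes * 60)
    } finally {
        Disconnect-VMNetworkAdapter -VMName 'vssqldedi01' -Name 'Public'
        # Confirm the SQL VM is back to backend-only (Public shows no SwitchName).
        Get-VMNetworkAdapter -VMName 'vssqldedi01' | Select-Object Name, SwitchName
    }
}

# ---- Guest side (inside vssqldedi01), shown as comments because it runs there ----
# Multi-home properly: only the public adapter gets a default gateway; the
# backend adapter gets none, so nothing can route out via the private switch.
# Rename-NetAdapter -Name 'Ethernet'   -NewName 'Backend'
# Rename-NetAdapter -Name 'Ethernet 2' -NewName 'Public'
# New-NetIPAddress -InterfaceAlias 'Backend' -IPAddress 192.168.10.20 -PrefixLength 24
# New-NetIPAddress -InterfaceAlias 'Public' -IPAddress <public-ip> -PrefixLength 24 `
#     -DefaultGateway <provider-gateway>
# Get-NetRoute -DestinationPrefix 0.0.0.0/0    # expect exactly one default route
```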
  • That's pretty much what I ended up doing at this point.. since I can't do much with that firewall.  This isn't truly isolated though, right?  At least not from a DMZ type standpoint?

    Is setting the private LAN switch to not allow communication with the host typical for most people? Is this what they are doing? I think I have the external one set to not communicate as well.

    Wouldn't another method for the Windows Updates be that I could set up a WSUS service on another virtual box with an external connection (and a private one), then have all the boxes get their updates from that machine (I'd have to manually set the policy on each box, since I don't have a domain on this offsite system)?


    Tech, the Universe, Everything: http://tech-stew.com

    Wednesday, 20 June 2012 16:01