2nd NIC for DMZ?

fluppy

New Member
Jul 10, 2023
I have a NIC with dual 10gig sfp+ ports that I use for my main VM bridge. This works as intended with all my vlans etc.

I have a few VMs that would ideally be in the DMZ. Am I right to assume that to achieve this I would have to get a 2nd NIC and patch it to a DMZ port on my firewall?

As a second question, is there any real benefit of a DMZ over a VLAN with very tight firewall rules?
 
I have a NIC with dual 10gig sfp+ ports that I use for my main VM bridge. This works as intended with all my vlans etc.

I have a few VMs that would ideally be in the DMZ. Am I right to assume that to achieve this I would have to get a 2nd NIC and patch it to a DMZ port on my firewall?
You could use tagged VLANs if your switch supports this. Then you don't need an additional NIC for your DMZ.
As a second question, is there any real benefit of a DMZ over a VLAN with very tight firewall rules?
More isolation is always more secure.
 
Right, so I already have multiple VLANs set up and all my VMs are on different VLANs.

What I can't get my head around is how to associate a VLAN with the DMZ.
 
VLAN and DMZ are not the same, although they have the "isolation" feature in common.
VLAN hopping is a security thing. And if you configure VLANs incorrectly, it's also a security risk.
A DMZ is an isolated port/subnet and cannot reach your regular network when hacked.
 
Let's say I got a webserver on the DMZ, how is it more secure if there are firewall rules for access to the web server from the internal network? I guess if the rules are one way then a hacker who might have gotten shell access on a server can't really do much?
 
Also, would the DMZ make sense if, instead of using a separate NIC directly plugged into a DMZ port on the firewall, I instead plugged one of the switch ports into the DMZ and trunked a VLAN on the DMZ interface to Proxmox on the same bridge as my other VLANs?
 
Also, would the DMZ make sense if, instead of using a separate NIC directly plugged into a DMZ port on the firewall, I instead plugged one of the switch ports into the DMZ and trunked a VLAN on the DMZ interface to Proxmox on the same bridge as my other VLANs?

I'm no network expert or guru, but letting DMZ traffic go through a trunk port and into your regular network (even with VLANs) is a bad idea...
But that's my opinion. Google is your friend.
 
I'm no network expert or guru, but letting DMZ traffic go through a trunk port and into your regular network (even with VLANs) is a bad idea...
But that's my opinion. Google is your friend.
VLANs add another attack vector, that's true. If you don't trust the isolation of VLANs you would need to buy dedicated NICs for each machine accessing that DMZ and also a dedicated switch for your DMZ. So a truly isolated physical second network. Depends on what you are willing to spend.
For a homelab I'm totally fine with VLANs. You can force VMs to only be able to access a single VLAN from the PVE node, so a hacked guest OS shouldn't easily be able to break out of that VLAN without having access to the PVE node or the managed switches' management. So it's still better to isolate your DMZ in a VLAN than not having a DMZ at all.
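One way to verify the "pin each VM to a single VLAN" setup described above, as an added example that is not from this thread or from Proxmox itself: audit the `net*` lines of the VM configs so that every NIC of a DMZ VM carries the DMZ `tag=` and has the PVE `firewall=1` flag. The DMZ VLAN id (50) and the sample configs are constructed placeholders; on a real node the files live under /etc/pve/qemu-server/.

```shell
#!/bin/sh
# Audit Proxmox VM configs: every NIC of a DMZ VM must be tagged with the
# DMZ VLAN and have the PVE firewall enabled. An untagged NIC on a
# VLAN-aware bridge would land on the trunk's native VLAN instead.
set -u

# audit_nics CONF TAG: print one finding per non-compliant NIC
audit_nics() {
    grep -E '^net[0-9]+:' "$1" | while IFS= read -r line; do
        nic=${line%%:*}                     # e.g. net0
        opts=${line#*: }                    # virtio=...,bridge=vmbr0,tag=50,...
        tag=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^tag=//p')
        fw=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^firewall=//p')
        if [ -z "$tag" ]; then
            printf '%s: %s untagged (would sit on the native VLAN)\n' "$1" "$nic"
        elif [ "$tag" != "$2" ]; then
            printf '%s: %s on VLAN %s, expected %s\n' "$1" "$nic" "$tag" "$2"
        fi
        [ "$fw" = "1" ] || printf '%s: %s has the PVE firewall disabled\n' "$1" "$nic"
    done
}

# dmz_vm_ok CONF TAG: exit 0 when the VM is fully compliant, 1 otherwise
dmz_vm_ok() {
    [ -z "$(audit_nics "$1" "$2")" ]
}

# Constructed sample configs (placeholder MACs, DMZ VLAN 50 assumed)
demo_dir=$(mktemp -d)
cat > "$demo_dir/101.conf" <<'EOF'
name: web-dmz
net0: virtio=BC:24:11:00:00:01,bridge=vmbr0,tag=50,firewall=1
EOF
cat > "$demo_dir/102.conf" <<'EOF'
name: web-dmz-bad
net0: virtio=BC:24:11:00:00:02,bridge=vmbr0,firewall=1
net1: virtio=BC:24:11:00:00:03,bridge=vmbr0,tag=20
EOF

for conf in "$demo_dir"/*.conf; do
    if dmz_vm_ok "$conf" 50; then
        echo "$conf: OK"
    else
        audit_nics "$conf" 50
    fi
done
```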
 
My firewall box has 3 NICs, one reserved for the DMZ.
All my Proxmox hosts have 2 NICs onboard.
I don't have the need for a DMZ, so I only use VLANs.
 