Secure Virtual Machines in DMZ / Firewall

Hello,

I currently have the following configuration: my media server (Win 10 with one Gigabit interface) on eth3 is in the DMZ with network 172.16.0.0/16. The media server connects directly to the Internet via OpenVPN. From the internal LAN I can connect via RDP and Plex Player to the media server; this works fine.

I have now installed VirtualBox on the media server, virtualized this media server as a VM guest and installed a second guest with a Linux gateway solution.

Windows 10 Host configuration:

172.16.0.2
255.255.0.0
172.16.0.1 (UTM GW)
172.16.0.1 (UTM DNS)

Windows 10 Guest VM:

Adapter 1: Bridged (172.16.0.3/16, no gateway, no DNS)
Adapter 2: Internal Network "Transfer"
10.152.x.12
255.255.192.0
GW 10.152.x.10
DNS 10.152.x.10

Linux Gateway Guest:

Adapter 1: NAT
Adapter 2: Internal Network "Transfer"
10.152.x.10
255.255.192.0
10.152.x.10

I have the following firewall rules on the UTM for this DMZ network:

Intrusion Prevention local networks – 172.16.0.0/16 is enabled:

Now my question is: how can I protect the virtual guests in the DMZ? The guests have network 10.152.x.x, but this network / the IP addresses in this range are not created on the UTM. Would it make sense to create these as network hosts, to also specifically enable intrusion prevention, WAF etc. for them, and set specific firewall rules that allow just specific services / ports from Guest 1 to Guest 2?

Thx

Sally
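As an added example that is not part of this thread (not the poster's setup nor Sophos UTM code), the layout above can be modelled as a first-match packet filter to see which flows a UTM ruleset keyed on "DMZ MEDIA" (172.16.0.0/16) actually decides on, and what a least-privilege guest-to-guest ruleset on the Linux gateway would look like. Everything written 10.152.x.y in the thread is replaced by the constructed stand-in 10.152.0.0/18 (mask 255.255.192.0); the internal LAN range, the VPN endpoint, the proxy port 3128 and the UTM rules themselves are assumptions, since the thread does not list them. Plex's default port 32400 and OpenVPN's default UDP 1194 are the products' documented defaults, not values from the thread.

```python
"""Added example (not from the thread): model the DMZ layout as a first-match
packet filter and check which flows each ruleset covers.  10.152.0.0/18 is a
constructed stand-in for the thread's 10.152.x.0/18 transfer network."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Network and host definitions, the equivalent of UTM "Network Definitions".
NET = {
    "DMZ MEDIA": ip_network("172.16.0.0/16"),
    "VBOX TRANSFER": ip_network("10.152.0.0/18"),   # constructed stand-in for 10.152.x.0/18
    "INTERNAL LAN": ip_network("192.168.1.0/24"),   # assumption: LAN range not stated in thread
    "INTERNET": ip_network("0.0.0.0/0"),
    "WIN10 HOST": ip_network("172.16.0.2/32"),
    "WIN10 GUEST bridged": ip_network("172.16.0.3/32"),
    "WIN10 GUEST transfer": ip_network("10.152.0.12/32"),
    "LINUX GW transfer": ip_network("10.152.0.10/32"),
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    proto: str          # "tcp", "udp" or "any"
    dport: int | None   # None matches any destination port
    action: str         # "allow" or "drop"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def evaluate(rules: list[Rule], flow: Flow) -> tuple[str, str]:
    """First matching rule wins; no match falls through to an implicit drop,
    as on the UTM packet filter or an iptables chain with policy DROP."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    for r in rules:
        if (src in r.src and dst in r.dst
                and r.proto in ("any", flow.proto)
                and r.dport in (None, flow.dport)):
            return r.action, r.name
    return "drop", "default-deny"


# Assumed UTM rules for the DMZ: the LAN may reach the media server for RDP and
# Plex, and the DMZ may open the OpenVPN tunnel outbound.  Nothing else.
UTM_RULES = [
    Rule("LAN -> DMZ RDP", NET["INTERNAL LAN"], NET["DMZ MEDIA"], "tcp", 3389, "allow"),
    Rule("LAN -> DMZ Plex", NET["INTERNAL LAN"], NET["DMZ MEDIA"], "tcp", 32400, "allow"),
    Rule("DMZ -> Internet OpenVPN", NET["DMZ MEDIA"], NET["INTERNET"], "udp", 1194, "allow"),
]

# Least-privilege ruleset for the Linux gateway guest: the Windows guest may
# only use the gateway's DNS and proxy (TCP 3128 assumed) on the transfer
# network; every other flow inside the transfer network is dropped.
GATEWAY_RULES = [
    Rule("guest -> gw DNS", NET["WIN10 GUEST transfer"], NET["LINUX GW transfer"], "udp", 53, "allow"),
    Rule("guest -> gw proxy", NET["WIN10 GUEST transfer"], NET["LINUX GW transfer"], "tcp", 3128, "allow"),
    Rule("transfer net catch-all", NET["VBOX TRANSFER"], NET["VBOX TRANSFER"], "any", None, "drop"),
]


def utm_coverage() -> dict[str, str]:
    """Which rule (if any) the UTM ruleset applies to each flow of the layout.
    The transfer-network flow hits no rule: the UTM has no definition for that
    range, and in the real topology it never sees that traffic in the clear,
    because it is NATed by the Linux gateway and then carried inside the
    host's OpenVPN tunnel (the UTM only sees 172.16.0.2 -> VPN endpoint)."""
    flows = {
        "LAN RDP to bridged guest": Flow("192.168.1.20", "172.16.0.3", "tcp", 3389),
        "host opens VPN tunnel": Flow("172.16.0.2", "203.0.113.10", "udp", 1194),  # TEST-NET-3 placeholder
        "guest proxy via transfer net": Flow("10.152.0.12", "10.152.0.10", "tcp", 3128),
    }
    return {k: evaluate(UTM_RULES, f)[1] for k, f in flows.items()}


def gateway_coverage() -> dict[str, str]:
    """Guest-to-gateway flows under the least-privilege ruleset."""
    flows = {
        "guest DNS": Flow("10.152.0.12", "10.152.0.10", "udp", 53),
        "guest proxy": Flow("10.152.0.12", "10.152.0.10", "tcp", 3128),
        "guest SSH to gw": Flow("10.152.0.12", "10.152.0.10", "tcp", 22),
    }
    return {k: evaluate(GATEWAY_RULES, f)[1] for k, f in flows.items()}


if __name__ == "__main__":
    for name, verdict in {**utm_coverage(), **gateway_coverage()}.items():
        print(f"{name:30} -> {verdict}")
```

The model makes the two points a practitioner would check: defining the guests as UTM network hosts only helps for traffic the UTM can see (the bridged adapter 172.16.0.3 and the host's own 172.16.0.2), while whatever the guests send through the transfer network and the host's VPN tunnel is only controllable on the Linux gateway guest itself, hence the default-drop catch-all there.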



  • Is the "DMZ MEDIA (Network)" 10.152.x.x?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello Bob,

    No, the DMZ Media network is 172.16.0.0/16.

    After testing I got the following to work:

    - The proxy gateway connects to the Internet via the Windows 10 host's OpenVPN connection. The Windows 10 guest (NAT adapter deactivated) connects to the Internet via the VirtualBox internal network to the proxy gateway. The last VirtualBox adapter is bridged, but I just set IP / mask, so the Windows guest is reachable via RDP from the internal LAN.

    Windows host configuration is 172.16.0.2/16
    Gateway / DNS is the UTM DMZ interface 172.16.0.1

    I was wondering if it would be better to place an OpenVPN router in the Media DMZ, so that the router connects to the VPN instead of the Windows host connecting to the VPN directly?

    If I connected the router, would it not be better regarding security / firewall rules to manage it this way?

    Thanks

    Best Regards

    Sally
