OK thanks. Is there any

notofthisearth · ‎02-24-2015

I need to create a DMZ where VMs in my environment can be accessed from the public internet. The current plan is:

-Have a single firewall that is connected to a 7000K switch. There will be both a DMZ subnet and internal network subnets sharing the same physical switch, and travelling in and out the same physical switch trunk ports to various ESXi hosts. The traffic will be separted only by being tagged with different vLAN tags, and by creating firewall rules to that control what communication can happen to and from the DMZ subnet.

Is this a viable "DMZ" design or does DMZ traffic need to be on a different physical switch or at least not trunked on the same switch ports?

Collin Clark · ‎02-24-2015

This would fail any regulated security audit.

notofthisearth · ‎02-24-2015

OK thanks. Is there any reference documentation to define exactly what a regulated audit is looking for in DMZ design? Is there a specific document or link I can point to that sets out what the requirements are? When you say regulated audit are you talking specifically PCI-DSS, Sarbanes Oxley, NIST, FISMA, or all of the above? Which audits are "regulated"?

Collin Clark · ‎02-25-2015

By regulated I mean PCI, DISA, etc. You can check out the CVD for internet edge at http://www.cisco.com/c/en/us/solutions/enterprise/design-zone-edge/landing_iEdge.html#~designs

DMZ Design