VMware vShield App (vShield App) is a centrally managed, stateful, distributed virtual firewall. It protects virtual machines by placing a stateful firewall filter on every virtual network adaptor. vShield App enables simple-to-use, non-disruptive implementation of network security in VMware vSphere environments. This document focuses on the use of vShield App to secure applications in the DMZ.
There are two main ways to approach DMZ design with virtualization: fully collapsed and air gap. Because vShield App is transparent to network topology, the configuration of security groups and rules based on these groups remains the same between topologies.
The fully collapsed approach, shown in the following figure, takes full advantage of virtualization technology by virtualizing the entire DMZ, including all network and security devices. This design places virtual machines of different security levels on the same physical VMware ESXi host and brings the network security devices into the virtual infrastructure.
The security of placing virtual machines of different trust levels on the same host has been assessed and ratified by third-party studies. Sometimes described as a “DMZ in a box,” this configuration enables users to maximize server consolidation and realize significant cost reductions.
This completely virtual infrastructure can fully enforce isolation and security for traffic entering, within, and leaving the DMZ.
Secure Segmentation of Tier 1 Applications in the DMZ - VMware vShield App 5.0