I have a feeling this is the directions things will be going with all the Cisco/VMware integration.

I’ve had a look at thirdbrigade and their product sounds good, however the main item that the post was about was trying to maintain data isolation between the client and the virtual switch. Rather than trying to deploy a Firewall or IDS on each VM, the poster wants to create an IPSEC tunnel from within the Virtual Environment to the Firewall. This would avoid a single pNIC to Port Group configuration requirement as each Port Group could have it’s own IPSEC tunnel established on it’s own VLAN down the Trunked ports.

An interesting idea, and may need to be tested further.

This issue has been addressed with this new technology called VMSafe (http://www.vmware.com/technology/security/vmsafe.html)

Look at VM Protection from Thirdbrigade.com to see how they deal with security within vSwitch for instance.

Rgds,

Good thought. I have seen a similar layout, however not with a firewall appliance, but with the Bluelane VirtualShield Inline Patching appliance (they have now been purchased by VMWare). A couple of thoughts from when I looked into this:

1. Their model was to have an appliance (in your case the VPN Firewall) on each host, set to not participate in VMotion. I think this may be the better scenario as I don’t know of any way to make sure that machines with an affinity move at identical times (so that the firewall is always present and there is limited drop outs)

2. There was an extra setting that needed to be applied so that a VM attached to a vSwicth that doesn’t have a pNIC attached to it. See http://communities.vmware.com/thread/89240;jsessionid=606864BA1A3CBACB94BB40B1E6341B52?tstart=26550 for information that needs to be applied to the vpxd.cfg file on teh Virtual Center to allow the VM to migrate.

Hope this helps and starts things moving in the right direction