LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 09-17-2011, 04:27 AM   #1
isharp
LQ Newbie
 
Registered: Sep 2011
Posts: 5

Rep: Reputation: Disabled
Virtualized server and DMZ


DMZ security architecture is well known. It is a sure way of preventing Internet traffic from reaching business servers such as ERP / CRM systems. Internet traffic will reach the proxy server (Squid) but no Internet traffic will reach the accounting, payroll, etc. systems.

But IF we are using one virtualised server (because then we do not have to buy two hardware servers) – that is one HP Proliant ML 350 server having Intel 4-core CPU and 4 port Ethernet card and running CentOS (ver 5.7) – & this system is running Squid proxy in one virtualised server AND ERP (Open ERP) in another virtualised server THEN can we say this system has violated the principles of DMZ?

What we need is to ensure that Internet traffic does not reach the virtualized server that is hosting the ERP System (Business Software System) even though another virtualized server that is hosting the Squid proxy on the same hardware machine is receiving Internet traffic. How effectively can we ensure it, if we are running CentOS? Is there a general consensus among the security professionals that Internet traffic cannot find its way from one virtualized server to another if we are running Linux? Is there a real security advantage in going for a commercial OS like RedHat or Suse instead of CentOS?

Last edited by isharp; 09-17-2011 at 04:36 AM.
 
Old 09-17-2011, 08:15 AM   #2
ComputerErik
Member
 
Registered: Apr 2005
Location: NYC
Distribution: Debian, RHEL
Posts: 269

Rep: Reputation: 54
You are missing some pretty big bits of information for anyone to really give an accurate answer here.
  • What virtualization technology?
  • What is the physical network these are connected to?
  • How does the physical server connect to the internet?

It will also depend on how secure you need this to be, and what you are willing to pay for additional security. Generally for a true DMZ setup there will be some hardware to separate the DMZ and LAN networks, and the servers are different physical machines. That said depending on the security level needed, and the budget it is possible to do a shared architecture using certain technologies if done properly.
 
Old 09-18-2011, 02:15 PM   #3
isharp
LQ Newbie
 
Registered: Sep 2011
Posts: 5

Original Poster
Rep: Reputation: Disabled
Dear Erik,

-- What virtualization technology?

I am not a virtualization expert to answer this. All I know is this: I will be using CentOS (maybe the current version - 6). CentOS has RedHat virtualization technique. I think Intel virtualization technology also helps here. If you use an Intel 4 port ethernet card and Intel 4 core CPU then it is possible to configure the system in such a manner that packets from each port on the ethernet card go into a single core of the CPU. Is this possible? Is this true? I do not know. I have only heard of it.

Installing CentOS on an HP server (HP ML 350 G6 server) with Intel components is not a very sophisticated system. But if I can ensure that packets entering through a given port are not entering other virtual servers except the one that is meant for that port then I am happy.

-- What is the physical network these are connected to?

One port on the ethernet card is connected to the Internet through a router. So I want packets coming through this port to go to the virtual server that is running Squid proxy and only to that virtual server. (I do not know whether it is possible - but it is what I want.) Then another port on the 4-port ethernet card is connected to the internal LAN on which the Accountant, Marketing staff, etc. are sitting, and packets coming along this port should be going to the virtual server that is running the application server / ERP server.

-- How does the physical server connect to the internet?

Through a normal router, which does not have features like IDS/IPS.
 
Old 09-18-2011, 08:05 PM   #4
ComputerErik
Member
 
Registered: Apr 2005
Location: NYC
Distribution: Debian, RHEL
Posts: 269

Rep: Reputation: 54
If you are installing CentOS on the hardware and using the included virtualization technology that would be Xen. I don't think you will be able to do this in a secure fashion. If you used VMware and made both the servers guests you would have a chance at doing this with a single physical server. This would involve using multiple NICs with a different network on each NIC, and a dedicated management network.

However this is not a simple setup, it is rather complex to do properly and securely. Since you state you are not an expert you might want to look into a second server, or hiring somebody with the proper knowledge to do this for you. What would the potential cost of breach due to an improper setup be?

Honestly my recommendation would be get a second server for DMZ, and run each as a host for multiple virtual guests. This of course will really depend on the load and the specs of those servers, virtualization isn't always the best answer.
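The requirement isharp states in post #3 (packets arriving on one physical port must only reach the guest bridged to that port) and the layout ComputerErik describes in post #4 (one NIC per network segment plus a dedicated management network) can both be verified from the host side. The script below is an added example, not code from the thread or from any distribution; it assumes a Linux host using kernel bridges (as Xen or KVM setups commonly do), where each segment is a bridge such as `br-dmz`, `br-lan` and `br-mgmt` (hypothetical names) with exactly one physical uplink. It checks two things a reviewer would want before calling this a DMZ: no physical NIC is a member of two bridges and no bridge has two uplinks (either one quietly cross-connects the segments), and the host itself does not forward packets between the segments (`ip_forward` off, or a `FORWARD` chain policy of `DROP`). The sample mappings are constructed; the commented lines at the end show how to feed it live data from `/sys/class/net/*/brif`.

```shell
#!/bin/sh
# Added example (not from the thread). Host-side checks that each virtual
# network segment has its own dedicated physical NIC and that the host does
# not route between segments. Bridge and NIC names are assumptions.

# Constructed sample data: "bridge member-interface" pairs, one per line.
SAMPLE_GOOD='br-dmz eth0
br-lan eth1
br-mgmt eth2'

# Constructed bad case: eth0 is a member of both the DMZ and the LAN bridge,
# so Internet-facing traffic shares a segment with the ERP guest.
SAMPLE_BAD='br-dmz eth0
br-lan eth0
br-mgmt eth2'

# check_dedicated_nics MAPPING
#   Returns 0 when every bridge has exactly one physical member and no NIC
#   belongs to more than one bridge; otherwise prints the offenders and
#   returns 1.
check_dedicated_nics() {
    mapping="$1"
    rc=0
    # A NIC listed under two bridges is shared between segments.
    dups=$(printf '%s\n' "$mapping" | awk 'NF == 2 {print $2}' | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "shared NIC(s) between bridges: $dups"
        rc=1
    fi
    # A bridge with two physical uplinks joins two segments at layer 2.
    multi=$(printf '%s\n' "$mapping" | awk 'NF == 2 {print $1}' | sort | uniq -d)
    if [ -n "$multi" ]; then
        echo "bridge(s) with more than one uplink: $multi"
        rc=1
    fi
    return $rc
}

# check_host_forwarding IP_FORWARD FORWARD_RULES
#   IP_FORWARD is the contents of /proc/sys/net/ipv4/ip_forward ("0" or "1").
#   FORWARD_RULES is the output of `iptables -S FORWARD`, whose first line is
#   the chain policy, e.g. "-P FORWARD DROP".
#   Returns 0 only when the host will not relay packets between guest
#   segments: routing disabled, or routing enabled but FORWARD defaults to DROP.
check_host_forwarding() {
    ip_forward="$1"
    forward_rules="$2"
    [ "$ip_forward" = "0" ] && return 0
    case "$forward_rules" in
        *"-P FORWARD DROP"*) return 0 ;;
    esac
    return 1
}

# live_bridge_mapping
#   Builds the same "bridge member" pairs from sysfs on a real host.
live_bridge_mapping() {
    for brif in /sys/class/net/*/brif; do
        [ -d "$brif" ] || continue
        br=${brif%/brif}
        br=${br##*/}
        for member in "$brif"/*; do
            [ -e "$member" ] || continue
            echo "$br ${member##*/}"
        done
    done
}

# To run against the live host (requires iptables; uncomment):
# check_dedicated_nics "$(live_bridge_mapping)"
# check_host_forwarding "$(cat /proc/sys/net/ipv4/ip_forward)" "$(iptables -S FORWARD)"
```

Passing these checks shows the host is not the thing bridging the segments; it says nothing about the hypervisor's own isolation or about the management network being reachable from the DMZ guest, which still have to be reviewed separately.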
 