Running DMZ on Production ESXi Environment Vs Stand-Alone on Ancient Crapola

Here's a dilemma I have and I'd like some opinions on. I inherited an IT environment that was built up with cost as the only concern. Over the last year and a bit, I've tried to spend a lot of effort (and money) improving the environment, e.g. going from a single overloaded ESXi host connected to a Synology NAS with an iSCSI target to a pair of much more powerful ESXi hosts connected to an EMC VNX. The old kit is sitting in a rack in a different building as a warm DR environment in case of failure. It's pretty poor, but it's a customer and insurance requirement.

We have a DMZ server, again running ESXi, with a single Windows Server VM on it serving an extranet for about a dozen people. The hardware it's on is the "old, old" server, something of 2003/2004 vintage. Firewall rules and port allocation are appropriate, but there is no backup.

Not surprisingly, the host hardware is starting to give me problems, e.g. it will disconnect its disks, necessitating a restart, and curiously enough the only LED that works on the front console is the locator LED. Everything else has burnt out or is faint to the point of only being visible in a dark room, and you actually need to listen for the fan noise to know whether it's turned on or not.

I'd like to replace it, but I have a $0 budget, and everything for the next few years is tied up in replacing 8-10 year old PCs, laptops with cracked screens (requiring external monitors), unsupportable software, etc. It would be handy to make better use of it too, as we have some applications that really should be on the DMZ sitting on our internal network.

My options are:
1) Keep running the DMZ as is and hope for the best. If it dies, there is no unique data on the extranet and it would be an inconvenience only (as well as looking like a mug to a dozen or so people).
2) Bring the DMZ onto my production ESXi hosts. Set aside a physical NIC on each for the firewall and set up a virtual switch dedicated to the cause. I would then immediately have backup operational, some redundancy, and could easily transfer services from the LAN side to the DMZ. However, I'm not sure of the security implications or any weaknesses in ESXi; I've never done it like this, so effectively I'd be trading operational risk for potential security risk.
3) Anything else?

Cloud computing can't be considered, and there is definitely no possibility of budget.

Comments

  • +1

    There are plenty of large companies and service providers running their DMZs on separate virtual switches mapped to separate NICs on the same ESX hosts as their LAN servers. You can have your DMZ NIC plugged into a separate DMZ port on your firewall.
    No problem with this setup.

    • Thanks for the feedback. Through a couple of independent channels of research, this is the strategy I will apply.
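The design endorsed above (DMZ on its own virtual switch, mapped to its own physical NIC, cabled to a separate DMZ port on the firewall) holds up only while that separation stays intact: the things that quietly undo it are a LAN or management port group landing on the DMZ vSwitch, a DMZ port group created on a LAN vSwitch, or a VM given one vNIC in each zone, which bridges DMZ and LAN in software and bypasses the firewall. The script below is an added example, not code from the thread or from VMware: it parses the text output of `esxcli network vswitch standard list` plus a VM-to-port-group mapping and reports any of those conditions. The sample data is constructed, the esxcli output layout is approximated, and the names vSwitch-DMZ, vmnic2 and the "DMZ" port group are assumptions for the example.

```python
"""Added example: sanity checks for a DMZ carried on its own vSwitch/NIC on a
production ESXi host.  Parses the text form of `esxcli network vswitch standard
list` and a VM -> port-group mapping, and lists anything that would bridge the
DMZ and the LAN inside the host.  All sample data is CONSTRUCTED; the esxcli
output layout is approximated; vSwitch-DMZ, vmnic2 and "DMZ" are assumed names.
"""
import re
from typing import Dict, List, Set

# Constructed sample of `esxcli network vswitch standard list` on one host.
SAMPLE_VSWITCH_LIST = """\
vSwitch0
   Name: vSwitch0
   Class: cswitch
   Num Ports: 1536
   Used Ports: 7
   MTU: 1500
   Uplinks: vmnic1, vmnic0
   Portgroups: LAN Servers, Management Network

vSwitch-DMZ
   Name: vSwitch-DMZ
   Class: cswitch
   Num Ports: 1536
   Used Ports: 3
   MTU: 1500
   Uplinks: vmnic2
   Portgroups: DMZ
"""

# Constructed VM -> port group mapping (in practice gathered from
# `esxcli network vm list` and `esxcli network vm port list -w <world id>`).
# "jumpbox" is deliberately dual-homed so the check has something to flag.
SAMPLE_VM_PORTGROUPS = {
    "extranet-web": ["DMZ"],
    "fileserver": ["LAN Servers"],
    "jumpbox": ["LAN Servers", "DMZ"],
}


def parse_vswitch_list(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {vswitch_name: {"uplinks": [...], "portgroups": [...]}}."""
    switches: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for line in text.splitlines():
        if line and not line[0].isspace():          # unindented line = switch name
            current = line.strip()
            switches[current] = {"uplinks": [], "portgroups": []}
            continue
        m = re.match(r"\s+(Uplinks|Portgroups):\s*(.*)$", line)
        if m and current is not None:
            values = [v.strip() for v in m.group(2).split(",") if v.strip()]
            switches[current][m.group(1).lower()] = values
    return switches


def dmz_isolation_problems(switches: Dict[str, Dict[str, List[str]]],
                           vm_portgroups: Dict[str, List[str]],
                           dmz_vswitch: str,
                           dmz_portgroups: Set[str]) -> List[str]:
    """Return human-readable findings; an empty list means the zones are separate."""
    problems: List[str] = []
    dmz = switches.get(dmz_vswitch)
    if dmz is None:
        return [f"DMZ vSwitch {dmz_vswitch!r} not found"]
    if not dmz["uplinks"]:
        problems.append(f"{dmz_vswitch} has no physical uplink to the firewall's DMZ port")
    # Only DMZ port groups may sit on the DMZ vSwitch; a management or LAN port
    # group here would put internal traffic out of the DMZ-facing NIC.
    for pg in dmz["portgroups"]:
        if pg not in dmz_portgroups:
            problems.append(f"non-DMZ port group {pg!r} is on {dmz_vswitch}")
    # And no DMZ port group may live on any other (LAN) vSwitch.
    for name, sw in switches.items():
        if name == dmz_vswitch:
            continue
        for pg in sw["portgroups"]:
            if pg in dmz_portgroups:
                problems.append(f"DMZ port group {pg!r} is on {name} instead of {dmz_vswitch}")
    # A VM with a vNIC in each zone is a software bridge around the firewall.
    for vm, pgs in sorted(vm_portgroups.items()):
        zones = {"dmz" if pg in dmz_portgroups else "lan" for pg in pgs}
        if len(zones) > 1:
            problems.append(f"VM {vm!r} is dual-homed across DMZ and LAN: {pgs}")
    return problems


if __name__ == "__main__":
    findings = dmz_isolation_problems(parse_vswitch_list(SAMPLE_VSWITCH_LIST),
                                      SAMPLE_VM_PORTGROUPS, "vSwitch-DMZ", {"DMZ"})
    for f in findings or ["OK: DMZ and LAN are separated on this host"]:
        print(f)
```

To run it against a real host, save `esxcli network vswitch standard list` to a file and feed its contents to `parse_vswitch_list`, and build the VM mapping from the `esxcli network vm` commands named in the comments. One thing no script can verify is the cabling: the NIC behind the DMZ vSwitch must actually be patched to the firewall's DMZ port, so that check stays a physical one, and the script is worth rerunning after any vSwitch or VM network change on either host.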
