Question : DMZ guests + Internal Guests on Internal ESX Hosts?

We currently have a VMware ESX cluster running on our internal LAN for our internal guests.

This cluster has no visibility to any external resources.

We would like to take advantage of our internal ESX cluster to host guests in our DMZ (such as our SMTP relay for incoming mail).

Call us cheap, but we don't want to buy a whole new ESX host for our DMZ.  

Instead, we want to take two new NICs and add them to our hosts in the cluster, and patch these NICs into our DMZ. Then run our DMZ guests on our internal host, with these guests only connected to a virtual switch that has DMZ connectivity.

Is this an acceptable solution? And what are the security ramifications?

I suppose if there was a VMware security bug which could enable a guest in the DMZ to compromise the host, they would then be on our inside network.

Yikes!  That scares us, but how likely is that scenario?

All thoughts and comments welcome and very much appreciated,
Thanks,
Mike

Answer : DMZ guests + Internal Guests on Internal ESX Hosts?

VMware calls this a collapsed DMZ with physically separate trust zones ... check it out! :-)

We implement ESX in a similar method, but we do

http://www.vmware.com/files/pdf/dmz_virtualization_vmware_infra_wp.pdf
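As an added example (not part of the original answer, nor VMware's own tooling), a small audit over a constructed inventory of the setup the question describes: it checks that no vSwitch mixes DMZ and internal port groups, that each uplink NIC is patched into the zone its vSwitch serves, and that no guest has vNICs in both zones. The inventory dictionaries are hand-built samples; on a real host you would fill them from the vSphere client or PowerCLI output.

```python
"""Audit an ESX host's virtual networking for trust-zone bleed between the
internal LAN and a DMZ hosted on the same cluster.  All inventory data below
is a constructed sample, not taken from the original post."""

# Physical NICs and the network each is actually patched into (constructed).
NIC_PATCHED_ZONE = {"vmnic0": "internal", "vmnic1": "internal",
                    "vmnic2": "dmz", "vmnic3": "dmz"}

# vSwitch -> its uplink NICs and the port groups defined on it (constructed).
VSWITCHES = {
    "vSwitch0": {"uplinks": ["vmnic0", "vmnic1"],
                 "portgroups": ["Internal LAN", "Management Network"]},
    "vSwitch1": {"uplinks": ["vmnic2", "vmnic3"],
                 "portgroups": ["DMZ", "Backup"]},      # "Backup" is internal
}

# Trust zone the administrator intends for each port group (constructed).
PORTGROUP_ZONE = {"Internal LAN": "internal", "Management Network": "internal",
                  "Backup": "internal", "DMZ": "dmz"}

# Guest -> port groups its virtual NICs connect to (constructed).
VM_NICS = {
    "smtp-relay": ["DMZ"],
    "fileserver": ["Internal LAN"],
    "dual-homed": ["DMZ", "Internal LAN"],   # would bridge the two zones
}


def audit(vswitches, nic_zone, pg_zone, vm_nics):
    """Return a sorted list of findings; an empty list means the zones are
    separated the way the question intends (DMZ guests only on the DMZ vSwitch)."""
    findings = []
    for sw, cfg in vswitches.items():
        pg_zones = {pg_zone[pg] for pg in cfg["portgroups"]}
        # A vSwitch carrying port groups of two zones lets guests of both
        # zones share one virtual switch and one set of uplinks.
        if len(pg_zones) > 1:
            findings.append(f"{sw}: port groups span zones {sorted(pg_zones)}")
        # Each uplink must be patched into the zone its port groups belong to,
        # or the vSwitch quietly joins the two physical networks.
        for nic in cfg["uplinks"]:
            if nic_zone[nic] not in pg_zones:
                findings.append(f"{sw}: uplink {nic} is patched into "
                                f"{nic_zone[nic]} but serves {sorted(pg_zones)}")
    for vm, pgs in vm_nics.items():
        # A guest with vNICs in both zones is a path around the firewall.
        zones = {pg_zone[pg] for pg in pgs}
        if len(zones) > 1:
            findings.append(f"{vm}: guest is attached to {sorted(zones)}")
    return sorted(findings)


if __name__ == "__main__":
    for line in audit(VSWITCHES, NIC_PATCHED_ZONE, PORTGROUP_ZONE, VM_NICS):
        print(line)
```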
