I would like to extend this discussion by talking about some of the concerns people might have when it comes to virtualization of the edge. There are a number of issues that might concern people; below are just a few:
-Software firewalls are less secure than firewall appliances (Hardware):
This is a totally wrong idea: every firewall appliance also runs software, and that software is what the administrator uses to configure the firewall. The difference is that the appliance comes in a box, which makes it more expensive. So if you set up a very good server with really efficient hardware, you could even get better performance than an appliance.
-A more complicated infrastructure and therefore more difficult to manage:
Well, that is somewhat true, but you should bear in mind that the same complication would also exist in a physical environment where you have no documentation of the configuration and, of course, the design. So keep in mind that for every implementation, whether physical or virtual, documentation is the first step to be taken.
-Windows is not secure enough to be placed on the edge:
While some might believe Windows Server is not secure enough to be on the network edge, I totally disagree, since there have not been any serious security vulnerabilities to exploit on Windows Server (especially 2008 R2): in 2010 only 33 vulnerabilities were found on this OS, none of which was rated critical, while Linux had over 179 vulnerabilities, many of them in its kernel, making it very vulnerable to attacks. To support my opinion on the security of Windows, below are three edge products by Microsoft that are installed on Windows Server and have had no vulnerabilities over the years:
-Exchange Server 2010 Edge role
-Office Communications Server 2007 Edge Role
-ISA Server (it has had 10 years without any exploits)
Now that you have found relief about some of your concerns, we can talk about virtualization of Forefront TMG 2010, which is to be done on Hyper-V on top of Windows Server 2008 R2.
When it comes to implementing an application, the first thing to think of is where to install it. On Hyper-V the question is a bit more specific: should I install it in the guest OS or in the parent OS?
The answer is that TMG must be installed in the guest OS. If you install it on the parent partition, you have exposed your whole virtualized environment to the internet. Remember that the network edge is the part of your network most exposed to the internet, and therefore the part most likely to come under attack. So if the parent OS (with TMG) is compromised in any way, the whole virtualized environment is going to be compromised.
Imagine a hacker having access to the Hyper-V console on the parent partition; you can guess what he would be capable of doing…
But if you install TMG in the guest OS, then in case the server is hacked, only that guest OS is compromised and not the whole virtual environment. That is why…
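One way to verify the placement described above, as an added example that is not from the original post: a PowerShell audit of the internet-facing virtual switch that confirms the parent partition has no adapter on it and that only the TMG guest is attached. It assumes the Hyper-V PowerShell module (shipped with Windows Server 2012 and later; on 2008 R2 the same settings are made in Hyper-V Manager), and the switch and VM names are placeholders.

```powershell
# Added example: audit the internet-facing Hyper-V virtual switch so that only the
# TMG guest, and never the parent partition (management OS), is connected to it.
# Assumptions: Hyper-V PowerShell module (Windows Server 2012+), run elevated on the
# host; the switch and VM names below are placeholders.
param(
    [string]$SwitchName = 'vSwitch-Internet',   # assumed name of the external vSwitch
    [string]$TmgVmName  = 'TMG01'               # assumed name of the TMG guest VM
)

$findings = @()

# 1. The switch must exist and be of type External (bound to a physical NIC).
$switch = Get-VMSwitch -Name $SwitchName -ErrorAction Stop
if ($switch.SwitchType -ne 'External') {
    $findings += "Switch '$SwitchName' is $($switch.SwitchType), not External."
}

# 2. The parent partition must not share the external NIC through this switch.
if ($switch.AllowManagementOS) {
    $findings += "Management OS is allowed on '$SwitchName' (parent partition is internet-facing)."
}
$hostNics = Get-VMNetworkAdapter -ManagementOS | Where-Object { $_.SwitchName -eq $SwitchName }
foreach ($nic in $hostNics) {
    $findings += "Parent partition adapter '$($nic.Name)' is attached to '$SwitchName'."
}

# 3. Only the TMG guest should be attached; any other VM would sit outside the firewall.
$guestNics = Get-VMNetworkAdapter -All |
    Where-Object { -not $_.IsManagementOs -and $_.SwitchName -eq $SwitchName }
foreach ($nic in $guestNics) {
    if ($nic.VMName -ne $TmgVmName) {
        $findings += "Unexpected VM '$($nic.VMName)' is attached to '$SwitchName'."
    }
}
if (-not ($guestNics | Where-Object { $_.VMName -eq $TmgVmName })) {
    $findings += "TMG guest '$TmgVmName' has no adapter on '$SwitchName'."
}

# Report. To remediate finding 2 without touching the guests:
#   Set-VMSwitch -Name $SwitchName -AllowManagementOS $false
if ($findings.Count -eq 0) {
    Write-Output "OK: only '$TmgVmName' is connected to '$SwitchName'; parent partition is isolated."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
```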