Hi - hope you can answer this best practice question.
Company mantra here has always been never to have servers that are physically connected to separate security zones, thus bypassing the firewall - good policy.
Now we are looking at virtualisation I am trying to plan the network connectivity. Obviously, the VMotion and iSCSI traffic will have its own separate, isolated networks, but I am running into a problem with management traffic.
I think that routing the management network through a separate VSwitch with its own dedicated physical NIC onto our internal office network is safer than routing it out onto the DMZ where the virtual machines communicate, as this removes the possibility of an attack vector being accessible from outside our corporate firewall; but I am running into resistance, as policy has always been to manage servers on the DMZ through the DMZ, which for physical Windows servers with no facilities for a separate management port was logical. In the virtual world, however, this is different, with VSwitches to separate traffic, but here they are suspicious of relying on 'software' to secure such arrangements.
What is best practice, please?
Thanks
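As an added illustration of the isolation the post is asking about (this is example code, not from the original post or from VMware), the following audit checks a host's virtual network layout for the three ways the zones can end up joined: a vSwitch carrying port groups from more than one security zone, the management VMkernel port sharing a vSwitch with guest VM port groups, and a physical NIC used as an uplink by more than one vSwitch. The inventory format, the zone tags and both sample hosts are constructed assumptions; on a real host the same data would be pulled from the host's own tooling (esxcfg-vswitch -l, or Get-VirtualSwitch in PowerCLI) and mapped into this shape.

```python
"""Audit an ESX host's virtual network layout for security-zone mixing.

Added example, not code from the original post or from VMware. The inventory
shape (vSwitch -> uplinks + port groups, each tagged with a zone) and the zone
names are assumptions made for this illustration.
"""
from collections import defaultdict

# Constructed sample: management, DMZ and storage each on their own vSwitch
# with their own dedicated physical NICs (the layout the post proposes).
CLEAN_HOST = {
    "vSwitch0": {
        "uplinks": ["vmnic0"],
        "portgroups": [
            {"name": "Management Network", "type": "vmkernel", "zone": "internal"},
        ],
    },
    "vSwitch1": {
        "uplinks": ["vmnic1", "vmnic2"],
        "portgroups": [
            {"name": "DMZ-Web", "type": "vm", "zone": "dmz"},
        ],
    },
    "vSwitch2": {
        "uplinks": ["vmnic3"],
        "portgroups": [
            {"name": "iSCSI", "type": "vmkernel", "zone": "storage"},
            {"name": "VMotion", "type": "vmkernel", "zone": "storage"},
        ],
    },
}

# Constructed sample: management placed on the DMZ vSwitch, and vmnic0 shared
# between two vSwitches, so the zones are joined in software and in copper.
MIXED_HOST = {
    "vSwitch0": {
        "uplinks": ["vmnic0"],
        "portgroups": [
            {"name": "iSCSI", "type": "vmkernel", "zone": "storage"},
        ],
    },
    "vSwitch1": {
        "uplinks": ["vmnic0", "vmnic1"],
        "portgroups": [
            {"name": "Management Network", "type": "vmkernel", "zone": "internal"},
            {"name": "DMZ-Web", "type": "vm", "zone": "dmz"},
        ],
    },
}


def audit_zone_isolation(host):
    """Return a list of finding strings; an empty list means the layout is clean.

    1. No vSwitch carries port groups from more than one security zone.
    2. The management VMkernel port does not share a vSwitch with VM port groups.
    3. No physical NIC is an uplink of more than one vSwitch (a shared uplink
       joins the zones at layer 2 regardless of vSwitch separation).
    """
    findings = []
    nic_owners = defaultdict(list)
    for vs_name, vs in host.items():
        zones = {pg["zone"] for pg in vs["portgroups"]}
        if len(zones) > 1:
            findings.append(f"{vs_name}: mixes zones {sorted(zones)}")
        has_mgmt = any(pg["type"] == "vmkernel" and "management" in pg["name"].lower()
                       for pg in vs["portgroups"])
        has_vm = any(pg["type"] == "vm" for pg in vs["portgroups"])
        if has_mgmt and has_vm:
            findings.append(f"{vs_name}: management VMkernel port shares vSwitch with VM port groups")
        for nic in vs["uplinks"]:
            nic_owners[nic].append(vs_name)
    for nic, owners in nic_owners.items():
        if len(owners) > 1:
            findings.append(f"{nic}: uplink shared by {owners}")
    return findings


if __name__ == "__main__":
    for label, host in (("clean", CLEAN_HOST), ("mixed", MIXED_HOST)):
        print(label, audit_zone_isolation(host) or "no findings")
```

The third check is the one that answers the "relying on software" objection directly: whether management traffic reaches the DMZ is decided by which physical NICs each vSwitch owns, and that mapping can be audited and enforced as a control rather than trusted.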