Posted by: Texiwill
Edward L. Haletky, P2V migrations, VI3, Virtual machine security, VirtualCenter, Virtualization, VMware, VMware Converter, VMware ESX 3.5, VMware ESXi
A common VMware Communities question is how to P2V or convert a system from within a demilitarized zone (DMZ) to a virtual machine (VM) running within an ESX host that will be part of the DMZ virtual network.
P2V works by imaging the physical host within the DMZ and transferring that image to the administrative/management network attached to the service console (management appliance) of the VMware ESX(i) host. This in essence crosses security zones and could connect the hostile DMZ to the ‘in need of protection’ virtualization management network. Access to this network from the DMZ could be disastrous.
One solution is to perform the P2V migration in stages.
- Create the DMZ virtual network within your virtual infrastructure.
- Get your security team to bless a laptop/workstation for work within the DMZ. Ensure this laptop/workstation has enough removable storage to contain the resultant VM or VMs of the physical servers you wish to convert.Use your P2V tool to convert the VM and store it on the removable media.
- Disconnect the removable media and bring it to your secure administrative network.
- Connect the removable media to a workstation within the administrative network. Ensure this connection is read-only for the moment if possible.
- Virus Scan the removable media, but note a VMDK can give false positives; you are really looking for anything that may be hidden from view.
- Use VMware Converter to import the VM or VMs into the virtual infrastructure ensuring they are connected to the proper virtual network.
- Power on the VM with the network disconnected and fix any issues that are caused by the P2V migration, such as the need to remove hardware agents, and fix anything that needs to be fixed.
- Reboot the VM with the network connected
The P2V migration is now complete and isolated from the network. The key to this is to only power on the VM once you are within a safe environment and to check for viruses and worms that may live within your DMZ.