I have a NAS on our internal network that I'm creating VMs on. Some of them need to be external web servers. Is there a way to put a VM on the DMZ even though the ESXi and NAS are inside the network? What is the best practice in this case?
Normally you would have dedicated hardware for that purpose: public switches and DMZ virtual hosts.

Not everyone has the correct infrastructure to do that, however.

If you can't do that and absolutely need to get it done, you could have a VM in the DMZ (hopefully NAT'ed with only access to ports 80/443) on the same ESXi server that is connected to the NAS, but if your VM gets compromised, the bad guys could have more than just access to an empty DMZ.

If there is a vulnerability or if a device is misconfigured, it could lead to VLAN hopping or escalation from the guest to the ESXi host.

In real life I've seen both setups done.
Here are a couple of white papers I just found:
old paper from SANS about DMZ:
If you were to do such a thing rather than the technically more secure physical separation, the idea would be to carve out storage groups that could only be accessed by the DMZ hosts, to prevent a DMZ host exploit from crossing over to the other hosts. You'd also want to be careful about an attacker coming back in through the management network.
As the links devnull posted try to explain, it's not that you can't make it secure, it's that it's easier to open a vulnerability with a misconfiguration of either the VLANs or the VM/storage.
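The two answers above boil down to a handful of isolation rules: DMZ guests sit on their own VLAN, no port group trunks all VLANs (a guest that can tag its own frames is the VLAN-hopping case), a DMZ guest never has a second NIC on an internal or management port group, and DMZ and internal guests never share a datastore on the NAS. The script below is an added example, not code from this thread or from VMware; it runs those checks over a constructed inventory whose field layout is an assumption modelled on what you could export from ESXi (port group name, VLAN ID, VM NICs, datastores). The VLAN ID 4095 check relies on the vSphere standard-switch convention that 4095 means "trunk all VLANs" (virtual guest tagging).

```python
"""Audit a small VM / port-group / datastore inventory for DMZ isolation gaps.

The inventory records below are constructed sample data, not taken from
the thread; in practice you would fill them from an ESXi export.
"""
from dataclasses import dataclass

VGT_ALL_VLANS = 4095  # vSphere standard-switch VLAN ID meaning "trunk all VLANs"


@dataclass
class PortGroup:
    name: str
    vlan: int
    zone: str  # "dmz", "internal" or "management"


@dataclass
class VM:
    name: str
    port_groups: list  # names of the port groups its NICs attach to
    datastores: list   # datastores holding its disks
    zone: str          # the zone the VM is meant to live in


def audit(vms, port_groups):
    """Return a list of human-readable findings; an empty list means clean."""
    pg_by_name = {p.name: p for p in port_groups}
    findings = []

    # 1. A trunked port group lets a guest tag frames for any VLAN.
    for p in port_groups:
        if p.vlan == VGT_ALL_VLANS:
            findings.append(f"port group {p.name} trunks all VLANs (VLAN {p.vlan})")

    # 2. The same VLAN ID used by port groups in different zones collapses
    #    the separation the VLAN was supposed to provide.
    vlan_zones = {}
    for p in port_groups:
        if p.vlan != VGT_ALL_VLANS:
            vlan_zones.setdefault(p.vlan, set()).add(p.zone)
    for vlan, zones in sorted(vlan_zones.items()):
        if len(zones) > 1:
            findings.append(f"VLAN {vlan} is shared by zones {sorted(zones)}")

    # 3. A VM must only have NICs in its own zone: a DMZ guest with an
    #    internal or management NIC is a bridge straight past the firewall.
    for vm in vms:
        for name in vm.port_groups:
            zone = pg_by_name[name].zone
            if zone != vm.zone:
                findings.append(f"VM {vm.name} ({vm.zone}) has a NIC on {name} ({zone})")

    # 4. DMZ and internal guests must not share a datastore (the "storage
    #    groups only the DMZ hosts can reach" advice from the thread).
    ds_zones = {}
    for vm in vms:
        for ds in vm.datastores:
            ds_zones.setdefault(ds, set()).add(vm.zone)
    for ds, zones in sorted(ds_zones.items()):
        if "dmz" in zones and len(zones) > 1:
            findings.append(f"datastore {ds} is shared by zones {sorted(zones)}")

    return findings


# Constructed sample inventory: one deliberate problem of each kind.
SAMPLE_PORT_GROUPS = [
    PortGroup("PG-Internal", 10, "internal"),
    PortGroup("PG-DMZ", 20, "dmz"),
    PortGroup("PG-Mgmt", 99, "management"),
    PortGroup("PG-Trunk", VGT_ALL_VLANS, "internal"),  # trunked: finding 1
]
SAMPLE_VMS = [
    VM("web01", ["PG-DMZ"], ["NAS-DMZ"], "dmz"),
    VM("web02", ["PG-DMZ", "PG-Internal"], ["NAS-Shared"], "dmz"),  # dual-homed
    VM("fileserver", ["PG-Internal"], ["NAS-Shared"], "internal"),  # shares NAS-Shared
]

if __name__ == "__main__":
    for line in audit(SAMPLE_VMS, SAMPLE_PORT_GROUPS):
        print("FINDING:", line)
```

Running it against the sample inventory reports the trunked port group, the dual-homed `web02`, and the datastore `NAS-Shared` that both a DMZ and an internal guest sit on; a clean inventory returns an empty list. The checks are deliberately structural (zones, VLAN IDs, datastores) rather than anything that needs live access to the host, so they can be re-run on every export as a regression test for the segmentation the second answer describes.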