We have an ESXi host running which has 5 NICs in total. Until now it hosts only VMs for our internal network. We also have a firewall so that users on the net can browse the internet (proxy). The firewall is a UTM appliance and also has a DMZ port. Now I thought we could also put a webserver (or similar) on one VM and make it accessible on the internet. This virtual server would get one dedicated NIC on the ESXi which is connected to the DMZ port of the firewall. Would this be a good idea or are there any (security related) considerations against this scenario? Since it's a separate NIC it would get its own vSwitch on the vCenter and would have no physical connection to the internal net. But the vCenter manages the whole host and has access to all NICs etc., so I'm not sure if this is the best solution.
It's not the best solution, of course - ideally you would have a separate VM host for DMZ guests. If you do choose to go this way though, some points you should take into account:
The obvious one first: someone can use an exploit to escape the VM jail and so compromise your LAN hosts from the DMZ. So you should really keep up with patches both on DMZ guests and host, and then hope for the best.
Mistakes in the configuration have serious consequences. Think, for example, of the possibility that you or someone else assigns NICs both on the DMZ and the LAN to some host. Now your DMZ and your LAN are the same thing. Of course you can prevent this by enforcing procedures and just being competent, but you can see how one could say you end up with a more fragile environment.
That said, it's still better than not having a DMZ at all so it can be a good stop-gap solution if you can't use a separate host right now. Just keep in mind that it's not as safe as having your DMZ guests on a separate host and real network.
There is nothing wrong with that approach.
I would typically use VLAN trunking to carry a DMZ over the existing links, but if you want it absolutely and completely separated then yes use another link and assign that NIC into a separate vSwitch. This should keep things nice and segmented for you.
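A small configuration audit that checks for the two things the answers above care about: the misconfiguration from the first answer (a VM with vNICs on both the DMZ and the LAN, which silently merges the two zones) and the dedicated-vSwitch layout from the second (the vSwitch holding the DMZ port group should carry nothing from the LAN). This is an added example, not code from either answer or from VMware. All port group, vSwitch, VM and vmnic names are hypothetical and the inventory is constructed inline; on a real host you would populate the same two dictionaries from PowerCLI (Get-VirtualSwitch, Get-VirtualPortGroup, Get-NetworkAdapter) or from `esxcli network vswitch standard list` and `esxcli network vm list`.

```python
"""Audit an ESXi host's virtual networking for DMZ/LAN segmentation mistakes.

Added example. The inventory is constructed sample data with hypothetical
names, shaped like what PowerCLI or esxcli report; replace it with a real
export before relying on the results.
"""

# Port group -> security zone. Anything not listed is reported as UNCLASSIFIED
# so that a newly created, unreviewed port group cannot silently pass the audit.
ZONE_OF_PORTGROUP = {
    "LAN-Servers": "LAN",
    "LAN-Clients": "LAN",
    "DMZ-Web": "DMZ",
}

# Constructed inventory: vSwitch -> physical uplinks and the port groups on it.
# vSwitch1 is the dedicated DMZ switch cabled to the firewall's DMZ port.
VSWITCHES = {
    "vSwitch0": {"uplinks": ["vmnic0", "vmnic1"], "portgroups": ["LAN-Servers", "LAN-Clients"]},
    "vSwitch1": {"uplinks": ["vmnic4"], "portgroups": ["DMZ-Web"]},
}

# Constructed inventory: VM -> port groups its vNICs are attached to.
# "jumpbox" is the mistake the first answer warns about: one foot in each zone.
VMS = {
    "web01": ["DMZ-Web"],
    "fileserver": ["LAN-Servers"],
    "jumpbox": ["LAN-Servers", "DMZ-Web"],
}


def zones_for(portgroups, zone_map=ZONE_OF_PORTGROUP):
    """Return the set of zones the given port groups belong to."""
    return {zone_map.get(pg, "UNCLASSIFIED") for pg in portgroups}


def find_straddling_vms(vms=VMS, zone_map=ZONE_OF_PORTGROUP):
    """VMs whose vNICs span more than one zone, i.e. a VM bridging DMZ and LAN."""
    return sorted(name for name, pgs in vms.items() if len(zones_for(pgs, zone_map)) > 1)


def find_mixed_vswitches(vswitches=VSWITCHES, zone_map=ZONE_OF_PORTGROUP):
    """vSwitches carrying port groups from more than one zone.

    With a dedicated physical DMZ NIC (rather than VLAN trunking) the DMZ
    vSwitch should carry DMZ port groups only; anything else means the
    'no physical connection to the internal net' assumption no longer holds.
    """
    return sorted(
        name for name, vs in vswitches.items()
        if len(zones_for(vs["portgroups"], zone_map)) > 1
    )


def find_unclassified_portgroups(vswitches=VSWITCHES, zone_map=ZONE_OF_PORTGROUP):
    """Port groups nobody has assigned to a zone; the audit cannot reason about them."""
    return sorted(pg for vs in vswitches.values() for pg in vs["portgroups"] if pg not in zone_map)


def audit(vms=VMS, vswitches=VSWITCHES, zone_map=ZONE_OF_PORTGROUP):
    """Run all checks and return a dict of findings; empty lists mean a clean host."""
    return {
        "vms_spanning_zones": find_straddling_vms(vms, zone_map),
        "vswitches_mixing_zones": find_mixed_vswitches(vswitches, zone_map),
        "unclassified_portgroups": find_unclassified_portgroups(vswitches, zone_map),
    }


if __name__ == "__main__":
    for check, hits in audit().items():
        status = "OK" if not hits else "FINDING"
        print(f"{status:8} {check}: {hits}")
```

Run it after every change to the host's networking, or from a scheduled job; a non-empty `vms_spanning_zones` list is the "your DMZ and your LAN are the same thing" situation and should be treated as an incident, not a housekeeping item. If you go the VLAN-trunking route from the second answer instead, a vSwitch legitimately carries port groups from several zones and the `vswitches_mixing_zones` check should be dropped while the VM check stays.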