The attacks against it that I can see:<br><br>1. As Adam pointed out, someone exploits some esoteric flaw in the hypervisor to float packets from the outside to the inside even though you've configured it not to (or some variant of this, such as getting the hypervisor to listen to packets even though you've configured it not to)<br>
<br>2. Someone gets into the host and reconfigures one of the VMs to see the outside NIC, too, or otherwise reconfigures the networking to do something you didn't expect, including putting an IP stack on that interface and exposing the hypervisor to the world.<br>
<br>3. Someone gets into the hypervisor and pokes and peeks directly into your firewall.<br><br>Everything else, as you pointed out, is a problem that exists with physical devices. And, as Adam touched on, if some of the conditions above hold true, you may have worse things to worry about.<br>
<br>Back to reality. It all comes down to risk management. What is it that you're trying to protect? Are you trying to segment off your children so they don't look at pr0n? Are you doing it more for interest's sake? Are you protecting the schedule of a known terrorist whom the Mossad is trying to kill?<br>
<br>Each one of these has a different level of risk, and the threats above are more or less likely. For fun and teen-purity-protection your configuration is OK. For the last one, you're worrying about a more sophisticated attacker.<br>
<br>What you're doing is going to be OK for most attacks. Doing it (properly, I add) is not going to open any doors that would be breakable by anyone but the most determined attacker. If that attacker were capable of the above, then I think he's got much higher value victims out there ;)<br>
<br>Sean<br><br><div class="gmail_quote">On Fri, Feb 19, 2010 at 5:25 PM, Kelly Leveille <span dir="ltr"><<a href="mailto:kel@kelweb.ca">kel@kelweb.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div>Ahem...I hope you don't mind getting back to my original issue:</div>
<div> </div>
<div>Sean W, can you elaborate on the security risks to the host? I guess the core issue for me is to understand if there are actually any additional security vulnerabilities because it's virtualised. What is the attack vectorCan a hypervisor be compromised by traffic to one of it's guests when there is no IP stack loaded for the host? </div>
<div> </div>
<div>I understand that the real danger is that if one of the guests were compromised it may expose the configuration/virtualisation/networking features of the host but that doesn't mean a VM guest/router is any less secure than a hardware router. The compromise is in the router OS & that's the same for a hardware router.</div>
<div> </div>
<div>Thoughts?</div>
<div> </div>
<div> </div>
<div>Kelly<br><br></div><div><div></div><div class="h5">
<div class="gmail_quote">On Wed, Feb 17, 2010 at 9:52 PM, Sean Walberg <span dir="ltr"><<a href="mailto:swalberg@gmail.com" target="_blank">swalberg@gmail.com</a>></span> wrote:<br>
<blockquote style="border-left: 1px solid rgb(204, 204, 204); margin: 0px 0px 0px 0.8ex; padding-left: 1ex;" class="gmail_quote">If you don't have to submit to the wrath of an auditor, it's probably good enough. <br>
<br>In terms of security risks, your hypervisor/host OS needs to be locked down, as an attacker could present the WAN NIC to another guest and route it that way, or launch a new VM with both NICs. Again, not something to worry about at home.<br>
<br>FWIW, the auditors I've run up against, especially in PCI, don't look at the virtual switching in a virtual environment the way they do on a physical switch. That is, they won't blink if you separate two networks with VLANs, but put two VMs on different VLANs using a trunk to the ESX server and oh boy...<br>
<br>Sean<br><br>
<div class="gmail_quote">
<div>
<div></div>
<div>On Wed, Feb 17, 2010 at 9:00 PM, Kelly Leveille <span dir="ltr"><<a href="mailto:kel@kelweb.ca" target="_blank">kel@kelweb.ca</a>></span> wrote:<br></div></div>
<blockquote style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;" class="gmail_quote">
<div>
<div></div>
<div>Hi All,<br><br>I'm considering setting up a firewall/router in a virtual machine to seperate a couple networks in my home. I intend to dedicate one of the host NICs to the WAN port of the router VM & will not load a TCP stack for that NIC in the host OS (ESXi supports this config). In theory, this configuration is as secure as a hardware router because packets can only be routed via the VM. <br>
<br>My questions are:<br><br>Have any of you had any good/bad experiences with this type of setup & are there potential security risks I'm not considering? <br><br>Also, if you think this is not as secure as a hardware based solution, please explain why not. <br>
<br>I'm not doing it to save money. I am aware that I could do the same thing with a consumer router. I'm just interested in the possibility.<br><br clear="all">Thanks,<br>-- <br><font color="#888888">Kelly </font><br>
</div></div>_______________________________________________<br>Roundtable mailing list<br><a href="mailto:Roundtable@muug.mb.ca" target="_blank">Roundtable@muug.mb.ca</a><br><a href="http://www.muug.mb.ca/mailman/listinfo/roundtable" target="_blank">http://www.muug.mb.ca/mailman/listinfo/roundtable</a><br>
<br></blockquote></div><font color="#888888"><br><br clear="all"><br>-- <br>Sean Walberg <<a href="mailto:sean@ertw.com" target="_blank">sean@ertw.com</a>> <a href="http://ertw.com/" target="_blank">http://ertw.com/</a><br>
</font></blockquote></div><br><br clear="all"><br></div></div>-- <br><font color="#888888">Kelly<br>
</font></blockquote></div><br><br clear="all"><br>-- <br>Sean Walberg <<a href="mailto:sean@ertw.com">sean@ertw.com</a>> <a href="http://ertw.com/">http://ertw.com/</a><br>