<div>Ahem...I hope you don't mind getting back to my original issue:</div>
<div> </div>
<div>Sean W, can you elaborate on the security risks to the host? I guess the core issue for me is to understand if there are actually any additional security vulnerabilities because it's virtualised. What is the attack vectorCan a hypervisor be compromised by traffic to one of it's guests when there is no IP stack loaded for the host? </div>
<div> </div>
<div>I understand that the real danger is that if one of the guests were compromised it may expose the configuration/virtualisation/networking features of the host but that doesn't mean a VM guest/router is any less secure than a hardware router. The compromise is in the router OS & that's the same for a hardware router.</div>
<div> </div>
<div>Thoughts?</div>
<div> </div>
<div> </div>
<div>Kelly<br><br></div>
<div class="gmail_quote">On Wed, Feb 17, 2010 at 9:52 PM, Sean Walberg <span dir="ltr"><<a href="mailto:swalberg@gmail.com">swalberg@gmail.com</a>></span> wrote:<br>
<blockquote style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex" class="gmail_quote">If you don't have to submit to the wrath of an auditor, it's probably good enough. <br><br>In terms of security risks, your hypervisor/host OS needs to be locked down, as an attacker could present the WAN NIC to another guest and route it that way, or launch a new VM with both NICs. Again, not something to worry about at home.<br>
<br>FWIW, the auditors I've run up against, especially in PCI, don't look at the virtual switching in a virtual environment the way they do on a physical switch. That is, they won't blink if you separate two networks with VLANs, but put two VMs on different VLANs using a trunk to the ESX server and oh boy...<br>
<br>Sean<br><br>
<div class="gmail_quote">
<div>
<div></div>
<div class="h5">On Wed, Feb 17, 2010 at 9:00 PM, Kelly Leveille <span dir="ltr"><<a href="mailto:kel@kelweb.ca" target="_blank">kel@kelweb.ca</a>></span> wrote:<br></div></div>
<blockquote style="BORDER-LEFT: rgb(204,204,204) 1px solid; MARGIN: 0pt 0pt 0pt 0.8ex; PADDING-LEFT: 1ex" class="gmail_quote">
<div>
<div></div>
<div class="h5">Hi All,<br><br>I'm considering setting up a firewall/router in a virtual machine to seperate a couple networks in my home. I intend to dedicate one of the host NICs to the WAN port of the router VM & will not load a TCP stack for that NIC in the host OS (ESXi supports this config). In theory, this configuration is as secure as a hardware router because packets can only be routed via the VM. <br>
<br>My questions are:<br><br>Have any of you had any good/bad experiences with this type of setup & are there potential security risks I'm not considering? <br><br>Also, if you think this is not as secure as a hardware based solution, please explain why not. <br>
<br>I'm not doing it to save money. I am aware that I could do the same thing with a consumer router. I'm just interested in the possibility.<br><br clear="all">Thanks,<br>-- <br><font color="#888888">Kelly </font><br>
</div></div>_______________________________________________<br>Roundtable mailing list<br><a href="mailto:Roundtable@muug.mb.ca" target="_blank">Roundtable@muug.mb.ca</a><br><a href="http://www.muug.mb.ca/mailman/listinfo/roundtable" target="_blank">http://www.muug.mb.ca/mailman/listinfo/roundtable</a><br>
<br></blockquote></div><font color="#888888"><br><br clear="all"><br>-- <br>Sean Walberg <<a href="mailto:sean@ertw.com" target="_blank">sean@ertw.com</a>> <a href="http://ertw.com/" target="_blank">http://ertw.com/</a><br>
</font></blockquote></div><br><br clear="all"><br>-- <br>Kelly<br>