[RndTbl] firewall/router in a VM

Kelly Leveille kel at kelweb.ca
Fri Feb 19 17:25:06 CST 2010

Ahem...I hope you don't mind getting back to my original issue:

Sean W, can you elaborate on the security risks to the host? I guess the
core issue for me is to understand if there are actually any additional
security vulnerabilities because it's virtualised. What is the attack
vectorCan a hypervisor be compromised by traffic to one of it's guests
when there is no IP stack loaded for the host?

I understand that the real danger is that if one of the guests were
compromised it may expose the configuration/virtualisation/networking
features of the host but that doesn't mean a VM guest/router is any less
secure than a hardware router. The compromise is in the router OS & that's
the same for a hardware router.



On Wed, Feb 17, 2010 at 9:52 PM, Sean Walberg <swalberg at gmail.com> wrote:

> If you don't have to submit to the wrath of an auditor, it's probably good
> enough.
> In terms of security risks, your hypervisor/host OS needs to be locked
> down, as an attacker could present the WAN NIC to another guest and route it
> that way, or launch a new VM with both NICs. Again, not something to worry
> about at home.
> FWIW, the auditors I've run up against, especially in PCI, don't look at
> the virtual switching in a virtual environment the way they do on a physical
> switch. That is, they won't blink if you separate two networks with VLANs,
> but put two VMs on different VLANs using a trunk to the ESX server and oh
> boy...
> Sean
>   On Wed, Feb 17, 2010 at 9:00 PM, Kelly Leveille <kel at kelweb.ca> wrote:
>>  Hi All,
>> I'm considering setting up a firewall/router in a virtual machine to
>> seperate a couple networks in my home. I intend to dedicate one of the host
>> NICs to the WAN port of the router VM & will not load a TCP stack for that
>> NIC in the host OS (ESXi supports this config). In theory, this
>> configuration is as secure as a hardware router because packets can only be
>> routed via the VM.
>> My questions are:
>> Have any of you had any good/bad experiences with this type of setup & are
>> there potential security risks I'm not considering?
>> Also, if you think this is not as secure as a hardware based solution,
>> please explain why not.
>> I'm not doing it to save money. I am aware that I could do the same thing
>> with a consumer router. I'm just interested in the possibility.
>> Thanks,
>> --
>> Kelly
>> _______________________________________________
>> Roundtable mailing list
>> Roundtable at muug.mb.ca
>> http://www.muug.mb.ca/mailman/listinfo/roundtable
> --
> Sean Walberg <sean at ertw.com>    http://ertw.com/

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.muug.mb.ca/pipermail/roundtable/attachments/20100219/adaf70a6/attachment.html 

More information about the Roundtable mailing list