[RndTbl] firewall/router in a VM

Sean Walberg swalberg at gmail.com
Fri Feb 19 19:48:15 CST 2010

The attacks against it that I can see:

1. As Adam pointed out, someone exploits some esoteric flaw in the
hypervisor to float packets from the outside to the inside even though
you've configured it not to (or some variant of this, such as getting the
hypervisor to listen to packets even though you've configured it not to)

2. Someone gets into the host and reconfigures one of the VMs to see the
outside NIC, too, or otherwise reconfigures the networking to do something
you didn't expect, including putting an IP stack on that interface and
exposing the hypervisor to the world.

3. Someone gets into the hypervisor and pokes and peeks directly into your

Everything else, as you pointed out, is a problem that exists with physical
devices. And, as Adam touched on, if some of the conditions above hold true,
you may have worse things to worry about.

Back to reality. It all comes down to risk management. What is it that
you're trying to protect? Are you trying to segment off your children so
they don't look at pr0n? Are you doing it more for interest's sake? Are you
protecting the schedule of a known terrorist whom the Mossad is trying to

Each one of these has a different level of risk, and the threats above are
more or less likely. For fun and teen-purity-protection your configuration
is OK. For the last one, you're worrying about a more sophisticated

What you're doing is going to be OK for most attacks. Doing it (properly, I
add) is not going to open any doors that would be breakable by anyone but
the most determined attacker. If that attacker were capable of the above,
then I think he's got much higher value victims out there ;)


On Fri, Feb 19, 2010 at 5:25 PM, Kelly Leveille <kel at kelweb.ca> wrote:

> Ahem...I hope you don't mind getting back to my original issue:
> Sean W, can you elaborate on the security risks to the host? I guess the
> core issue for me is to understand if there are actually any additional
> security vulnerabilities because it's virtualised. What is the attack
> vector? Can a hypervisor be compromised by traffic to one of its guests
> when there is no IP stack loaded for the host?
> I understand that the real danger is that if one of the guests were
> compromised it may expose the configuration/virtualisation/networking
> features of the host but that doesn't mean a VM guest/router is any less
> secure than a hardware router. The compromise is in the router OS & that's
> the same for a hardware router.
> Thoughts?
> Kelly
> On Wed, Feb 17, 2010 at 9:52 PM, Sean Walberg <swalberg at gmail.com> wrote:
>> If you don't have to submit to the wrath of an auditor, it's probably good
>> enough.
>> In terms of security risks, your hypervisor/host OS needs to be locked
>> down, as an attacker could present the WAN NIC to another guest and route it
>> that way, or launch a new VM with both NICs. Again, not something to worry
>> about at home.
>> FWIW, the auditors I've run up against, especially in PCI, don't look at
>> the virtual switching in a virtual environment the way they do on a physical
>> switch. That is, they won't blink if you separate two networks with VLANs,
>> but put two VMs on different VLANs using a trunk to the ESX server and oh
>> boy...
>> Sean
>>   On Wed, Feb 17, 2010 at 9:00 PM, Kelly Leveille <kel at kelweb.ca> wrote:
>>>  Hi All,
>>> I'm considering setting up a firewall/router in a virtual machine to
>>> separate a couple networks in my home. I intend to dedicate one of the host
>>> NICs to the WAN port of the router VM & will not load a TCP stack for that
>>> NIC in the host OS (ESXi supports this config). In theory, this
>>> configuration is as secure as a hardware router because packets can only be
>>> routed via the VM.
>>> My questions are:
>>> Have any of you had any good/bad experiences with this type of setup &
>>> are there potential security risks I'm not considering?
>>> Also, if you think this is not as secure as a hardware based solution,
>>> please explain why not.
>>> I'm not doing it to save money. I am aware that I could do the same thing
>>> with a consumer router. I'm just interested in the possibility.
>>> Thanks,
>>> --
>>> Kelly
>>> _______________________________________________
>>> Roundtable mailing list
>>> Roundtable at muug.mb.ca
>>> http://www.muug.mb.ca/mailman/listinfo/roundtable
>> --
>> Sean Walberg <sean at ertw.com>    http://ertw.com/
> --
> Kelly

Sean Walberg <sean at ertw.com>    http://ertw.com/
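Added example, not part of the thread: the host-side risks Sean lists (another
VM being given the WAN NIC, the WAN NIC being attached to a second virtual
switch, or the host itself putting an IP stack on the WAN side) are all visible
in the hypervisor's inventory, so they can be checked for drift. The script
below walks a constructed, hypothetical inventory snapshot (the vSwitch, port
group, vmnic and vmk names are made-up sample values, not pulled from any real
host) and reports every deviation from the policy "only the router VM touches
the WAN side". A real deployment would export the snapshot from the hypervisor's
management API; that export is not shown here.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class VSwitch:
    name: str
    uplinks: List[str]                                          # physical NICs backing the switch
    vmkernel_ifaces: List[str] = field(default_factory=list)    # host IP interfaces on the switch


@dataclass
class VM:
    name: str
    port_groups: List[str]                                      # port groups its virtual NICs use


@dataclass
class Inventory:
    vswitches: List[VSwitch]
    portgroup_to_vswitch: Dict[str, str]
    vms: List[VM]


def check_wan_isolation(inv: Inventory, wan_switch: str, wan_nic: str,
                        router_vm: str) -> List[str]:
    """Return policy violations; an empty list means the WAN side is still isolated."""
    findings: List[str] = []

    for sw in inv.vswitches:
        # Risk: the host has an IP stack on the WAN switch (exposes the hypervisor).
        if sw.name == wan_switch and sw.vmkernel_ifaces:
            findings.append(f"host IP stack on WAN switch: {sw.vmkernel_ifaces}")
        # Risk: the WAN physical NIC now also uplinks some other switch.
        if sw.name != wan_switch and wan_nic in sw.uplinks:
            findings.append(f"WAN NIC {wan_nic} also uplinks {sw.name}")

    # Risk: a VM other than the router sees the WAN port group (e.g. a new VM with both NICs).
    wan_pgs = {pg for pg, sw in inv.portgroup_to_vswitch.items() if sw == wan_switch}
    router_has_wan = False
    for vm in inv.vms:
        on_wan = sorted(pg for pg in vm.port_groups if pg in wan_pgs)
        if vm.name == router_vm:
            router_has_wan = bool(on_wan)
        elif on_wan:
            findings.append(f"VM {vm.name} attached to WAN port group(s) {on_wan}")
    if not router_has_wan:
        findings.append(f"router VM {router_vm} has no WAN interface")
    return findings


def sample_inventory(drifted: bool) -> Inventory:
    """Constructed inventory: the intended layout, optionally with two kinds of drift."""
    wan = VSwitch("vSwitch-WAN", uplinks=["vmnic1"])                      # no vmk: no host IP stack
    lan = VSwitch("vSwitch-LAN", uplinks=["vmnic0"], vmkernel_ifaces=["vmk0"])
    vms = [VM("router", ["WAN-PG", "LAN-PG"]), VM("fileserver", ["LAN-PG"])]
    if drifted:
        wan.vmkernel_ifaces.append("vmk1")               # host gained an IP on the WAN side
        vms.append(VM("rogue", ["WAN-PG", "LAN-PG"]))    # a new VM launched with both NICs
    return Inventory([wan, lan], {"WAN-PG": "vSwitch-WAN", "LAN-PG": "vSwitch-LAN"}, vms)


if __name__ == "__main__":
    for drifted in (False, True):
        label = "drifted" if drifted else "intended"
        print(label, check_wan_isolation(sample_inventory(drifted),
                                         "vSwitch-WAN", "vmnic1", "router"))
```

Run periodically against a fresh export, the check turns the "lock down the
hypervisor" advice into something that alerts when the layout changes, which is
the practical answer to Kelly's question: the extra exposure is configuration
on the host, and configuration can be watched.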