VMware Cloud Community
Red_Squirrel
Contributor

Would this network layout be secure?

Here's my current setup.

I have a single subnet behind a dlink router (10.1.1.0/24) and my server (10.1.1.10) is a VM server (server 2.0) as well as acts as other services (samba, email etc). What I'd like to do is add another subnet that is isolated from my 10.1.1.0/24 network but I still want to be able to access it from that network - I just don't want the new subnet to be able to access the 10.1.1.0/24 network.

What I'm thinking of doing is getting a second physical router to put my 10.1.1.10 network behind it. I would then get a 2nd nic on my server and plug it into the (old) 10.10.0.1 router and bridge it to a virtual nic. I would not enable TCP/IP on that nic within the OS itself, I would only make VMs then assign them that nic.

Would this be mostly 99.999% secure that the 2nd nic traffic can't somehow fall on the 10.1.1.10 network? (assuming I don't make a VM to act as a router and have two nics, one on internal and one external).

For easier understanding here is a network diagram of how I plan to set things up. Just keep in mind that the private network would be fully virtualized on VMs that are on the 10.1.1.10 server. I basically want to be able to setup a VM on there wide open to the net and that it is impossible to get on the 10.1.1.0/24 network from it no matter what. (again assuming I don't setup a 2nd nic that is on the other bridged network)

http://www.iceteks.com/misc/vmnetworkplan-w2routers.png

5 Replies
Texiwill
Leadership

Hello,

I do hope that the first router is a firewall and not just a router?

While you may think it is possible to do this you need to remember that the host for VMware Server controls everything, and can see everything and everything is affected by its firewall and network stack of the host. Your network is basically everything goes to the host and then from there branches to the virtual machines on the separate networks. The VMware Server 'virtual switch' as it is called is really just a bridge and not a real switch.

What you want to use is ESXi and not VMware Server as ESXi contains Layer 2 switches that can be used to solve your problem as each physical NIC is unaffected by the network stack within the management appliance and acts independently. Each physical NIC is an uplink from an external physical switch. You would also firewall your management appliance from everything else.

I.e. You have now:

router <-> router <-> HOST <-> bridge <-> VMs
router <-> HOST <-> bridge <-> VMs

You want something like (ESXi)

router <-> router <-> pNIC1 <-> vSwitch1 <-> VMs (your first subnet)
router <-> pNIC2 <-> vSwitch2 <-> VMs (your different subnet)
pNIC0 <-> vSwitch0 <-> Management Appliance (your protected management network)

As you can see, your HOST is involved with VMware Server and not with ESXi. In effect you have a DMZ and for ESXi this http://www.vmware.com/files/pdf/dmz_virtualization_vmware_infra_wp.pdf document does help. There are others on how virtual switches work. VMware Server is just not secure enough to give true network separation.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

SearchVMware Blog: http://itknowledgeexchange.techtarget.com/virtualization-pro/

Blue Gears Blogs - http://www.itworld.com/ and http://www.networkworld.com/community/haletky

As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
Red_Squirrel
Contributor

ESXi is not an option in my case since that server still needs to be Linux; VMware is only part of the duties that server does. Also I have software RAID (MD raid) which would not work without Linux being the OS.

So my idea would not work then? Traffic could leak to the main network?

And yes, both routers are NAT firewalls. So I would forward only the ports I want, and they would be forwarded to VMs that are on a different interface. From my experience with vmnets it seems my idea would work, but I still needed to make 100% sure.

If I had the budget I would just get a separate physical server and put ESXi on it, but right now I'm constrained not only budget-wise but physical-space-wise. When I get my own house I'll get a server rack so this won't be an issue.

Texiwill
Leadership

Hello,

ESXi is not an option in my case since that server still needs to be Linux; VMware is only part of the duties that server does. Also I have software RAID (MD raid) which would not work without Linux being the OS.

Using Linux does change things just a wee bit. You can secure Linux in such a way and use iptables in such a way as to keep things separate based on target IP or source IP. Never really tried it, but it is possible. I.e. Use iptables to keep traffic from your new VMs from being able to reach anything within the host. The other option is to move the duties of the Linux system into VMs as well.

So my idea would not work then? Traffic could leak to the main network?

Yes it could, but iptables could help you minimize, allow auditing, and handle things better. You now know the limitations which is the first part of security.

And yes, both routers are NAT firewalls. So I would forward only the ports I want, and they would be forwarded to VMs that are on a different interface. From my experience with vmnets it seems my idea would work, but I still needed to make 100% sure.

Yes your idea will work.

If I had the budget I would just get a separate physical server and put ESXi on it, but right now I'm constrained not only budget-wise but physical-space-wise. When I get my own house I'll get a server rack so this won't be an issue.

I do understand.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

Red_Squirrel
Contributor

Glad to hear this sounds like it will work. I also figured it would. The key is probably to ensure TCP/IP is not even configured/accessible on the 2nd interface, which is what I'll make sure of. I can even block IP traffic completely through iptables, I'm sure. That's a system I really want to learn more about, as it's so powerful and complex; it can do a lot.

I will proceed with ordering a router, switch and a USB NIC to go ahead with this project. If I wanted to spend more I could even get a managed switch for extra configuration, but for now I'll make do with a cheap one. You know you're a geek when... you have 2 routers, 2 switches, but only 1 server and 2 PCs. 😛

Texiwill
Leadership

Hello,

Unfortunately you cannot block the entire IP stack with iptables. The HOST will still know everything that goes to the guest, or could know everything, and therefore there is an issue. You need to prevent the guest from reaching the host using iptables, but still need to let things go out. It is a fine line.

The real issue is that the management functionality of the HOST is on the same network that you are trying to protect; with ESXi this is not the case.

I would be interested in seeing your iptables rules.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

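As an added example, not configuration from the thread or from either poster, here is one way the host-side iptables rules Texiwill asks to see could look for the Linux VMware Server host described above. It takes the "fine line" literally: the host refuses to talk to or from the second NIC at all, and refuses to forward between the two segments, while the VMs still reach the Internet because their frames are bridged to the second router below the host's IP stack. The interface names eth0/eth1 and the DMZ_LOGDROP chain name are assumptions; the 10.1.1.10 host address and the 10.1.1.0/24 subnet are from the thread.

```shell
#!/bin/bash
# Added example: host-side iptables rules for the two-NIC layout discussed in
# this thread. This is not the thread's own configuration. Assumed names (not
# from the thread): DMZ_IF is the second physical NIC that VMware Server bridges
# to the exposed VMs and that carries no host IP address; LAN_IF holds the
# host's 10.1.1.10 address. Both can be overridden via the environment.
set -eu

LAN_IF="${LAN_IF:-eth0}"
DMZ_IF="${DMZ_IF:-eth1}"
LAN_NET="10.1.1.0/24"   # the trusted subnet from the thread

# Print the rules as iptables command lines so they can be reviewed (and posted
# for review, as asked in the thread) before anything is applied.
#  - INPUT/OUTPUT on DMZ_IF: the host never answers or speaks on the exposed
#    segment, even if someone later gives that NIC an address by mistake.
#  - FORWARD in both directions on DMZ_IF: the host never routes between the
#    exposed segment and LAN_NET, even if ip_forward is switched on.
#  - Frames bridged by vmnet to the VMs never enter netfilter, so the VMs keep
#    their path to the second router; only traffic aimed at the host is cut.
gen_rules() {
    cat <<EOF
iptables -N DMZ_LOGDROP
iptables -A DMZ_LOGDROP -m limit --limit 5/min -j LOG --log-prefix "dmz-drop: "
iptables -A DMZ_LOGDROP -j DROP
iptables -I INPUT 1 -i $DMZ_IF -j DMZ_LOGDROP
iptables -I OUTPUT 1 -o $DMZ_IF -j DMZ_LOGDROP
iptables -I FORWARD 1 -i $DMZ_IF -j DMZ_LOGDROP
iptables -I FORWARD 1 -o $DMZ_IF -j DMZ_LOGDROP
EOF
}

# Self-check: how many rules terminate in the log-and-drop chain.
count_drop_rules() {
    gen_rules | grep -c -- '-j DMZ_LOGDROP'
}

# Warn about the two host settings that would undo the isolation: an IP
# address configured on the DMZ NIC, or IP forwarding enabled on the host.
preflight() {
    if ip -4 addr show dev "$DMZ_IF" 2>/dev/null | grep -q 'inet '; then
        echo "WARNING: $DMZ_IF has an IPv4 address; the host is reachable from the exposed segment" >&2
    fi
    if [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null || echo 0)" != "0" ]; then
        echo "WARNING: net.ipv4.ip_forward is enabled; the host could route between segments" >&2
    fi
}

# Apply the rules on the host (needs root). eval keeps the quoted
# --log-prefix argument intact when each line is executed.
apply_rules() {
    preflight
    gen_rules | while IFS= read -r line; do eval "$line"; done
}

case "${1:-show}" in
    apply) apply_rules ;;
    show)  gen_rules ;;
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Run it with no argument to print the rules for review, or with `apply` as root to install them. The LOG target with a rate limit gives the auditing Texiwill mentions: anything from the exposed segment that is addressed to the host itself shows up in the kernel log with the `dmz-drop:` prefix, which is the quickest way to find out whether the "TCP/IP not configured on the 2nd NIC" assumption still holds. The rules do not change what the VMs can do on their own segment; that separation rests on the second router and on never giving a VM a second virtual NIC on the 10.1.1.0/24 bridge, exactly as the original post states.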