VMware Cloud Community
damo2k
Contributor

VMware - protect host OS from guest OS

Hello, I'm using VMware Server 2.0 (the free version) and I am creating some guest OSes for security challenges.

However, I'm finding it difficult to give the guest OS outside/internet access and accept incoming connections from the outside, and yet at the same time block the guest OS from seeing my home network, both the host OS and also the router/gateway.

I looked at host-only network mode, and set up the host OS to enable ICS, however this won't allow any incoming connections to the guest OS. Has anyone any ideas how I can get around this?

Would ESXi be needed for this situation? If so, has anyone any quick tips and instructions for this? I read through http://www.vmware.com/pdf/vsphere4/r40/vsp_40_esxi_server_config.pdf but a lot of it is way over my head.

Thanks.

5 Replies
Dave_Mishchenko
Immortal

ESXi is far better for this. Let's say you have an ESXi system with 2 NICs - one on your LAN / one connected to your DMZ / Internet connection. You'll configure ESXi with 2 virtual switches (vSwitches). vSwitch0 will be connected to your LAN and you'll assign a management IP address to your ESXi host on this vSwitch. The DMZ vSwitch (vSwitch1) will only have a virtual machine port group on it. I.e. ESXi will have no IP address on that vSwitch so someone won't be able to directly connect to the host. Even a VM on this vSwitch would have to go through a router to get to the LAN. You can further secure things with VLANs if you can enable those on your network. You can assign a VLAN to the management IP for ESXi as well as to VM port groups to segment traffic. ESXi doesn't provide any NAT services. If you need to use something like that there are a number of VM appliance type firewalls that you can use for that.

damo2k
Contributor

I have only one NIC, which connects me to my router, which provides access to my LAN and the internet, so I guess this solution won't work for me.

Thanks anyway.

Dave_Mishchenko
Immortal

One other option would be the following. You would stage ESXi with 2 vSwitches still, but vSwitch1 would not be linked to any physical NIC (i.e. it would be isolated). You could add a firewall VM that would be linked to vSwitch0 (LAN) and vSwitch1 (Isolated). Your router would forward to the firewall VM which would then forward to the appropriate VM. The firewall VM would prevent the VM on the Isolated subnet from accessing the rest of your LAN network. You could of course do this with VMware Server as well.
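The firewall-VM layout Dave describes, as an added example that is not part of the thread: an nftables ruleset for a Linux firewall VM with one leg on vSwitch0 (the LAN) and one on the isolated vSwitch1. The router is assumed to forward one TCP port to the firewall VM's LAN address; the firewall DNATs that port to the challenge VM, lets the isolated subnet out to the Internet with masquerading, and drops anything from the isolated subnet aimed at RFC 1918 space, which covers the home LAN, the router and the firewall VM's own LAN leg. The interface names, the 10.10.10.0/24 subnet, the challenge VM address and the port numbers are all assumptions and can be overridden through the environment.

```shell
#!/bin/sh
# Added example (not from the thread): nftables policy for the firewall VM
# that sits between the LAN vSwitch and the isolated vSwitch.
# Every address, interface name and port below is an assumption.

LAN_IF="${LAN_IF:-eth0}"                 # leg on vSwitch0 (LAN); router forwards here
ISO_IF="${ISO_IF:-eth1}"                 # leg on vSwitch1 (isolated, no physical NIC)
ISO_NET="${ISO_NET:-10.10.10.0/24}"      # assumed isolated subnet
CHALLENGE_VM="${CHALLENGE_VM:-10.10.10.10}"
FWD_PORT="${FWD_PORT:-8080}"             # port the router forwards to the firewall VM
VM_PORT="${VM_PORT:-80}"                 # service port on the challenge VM

# Compose the ruleset from the settings above and print it on stdout.
gen_ruleset() {
  cat <<EOF
flush ruleset
table inet challenge_fw {
  set private_nets {
    type ipv4_addr
    flags interval
    elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
  }
  chain prerouting {
    type nat hook prerouting priority dstnat; policy accept;
    # inbound: the one forwarded port is rewritten to the challenge VM
    iifname "$LAN_IF" tcp dport $FWD_PORT dnat ip to $CHALLENGE_VM:$VM_PORT
  }
  chain postrouting {
    type nat hook postrouting priority srcnat; policy accept;
    oifname "$LAN_IF" ip saddr $ISO_NET masquerade
  }
  chain forward {
    type filter hook forward priority filter; policy drop;
    ct state established,related accept
    # only DNATed traffic to the published service may enter the isolated side
    iifname "$LAN_IF" oifname "$ISO_IF" ip daddr $CHALLENGE_VM tcp dport $VM_PORT ct status dnat accept
    # isolated VMs never reach private address space (home LAN, router)
    iifname "$ISO_IF" ip daddr @private_nets counter drop
    # everything else from the isolated side goes out to the Internet
    iifname "$ISO_IF" oifname "$LAN_IF" accept
  }
  chain input {
    type filter hook input priority filter; policy drop;
    ct state established,related accept
    iifname "lo" accept
    # isolated VMs get no access to the firewall VM itself
    # (add udp dport { 53, 67 } here only if this VM also serves DNS/DHCP)
    iifname "$ISO_IF" counter drop
    # administration from the LAN side only
    iifname "$LAN_IF" tcp dport 22 accept
  }
}
EOF
}

# Apply the ruleset on the firewall VM (needs root and nftables installed).
apply_ruleset() {
  sysctl -w net.ipv4.ip_forward=1
  gen_ruleset | nft -f -
}

if [ "${1:-}" = "apply" ]; then
  apply_ruleset
else
  gen_ruleset
fi
```

Run without arguments to review the generated ruleset, or with `apply` on the firewall VM to load it. The forward chain's default policy is drop, so the only paths that exist are the ones listed: the published port inbound and non-private destinations outbound. Return traffic rides on the conntrack `established,related` rule.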

damo2k
Contributor

Thanks for your replies.

Texiwill
Leadership

Hello,

As Dave has pointed out, from a networking standpoint ESXi is far more secure than VMware Server. Now if you look at it from a non-networking perspective it is also far more secure. VMware Server is only as secure as your host OS is secure, be that Windows or Linux. If either of those is weak then your security is weak with VMware Server.

For ESXi, you are running your VMs as close to the hardware as possible and not reliant on a host OS, but instead run on a very thin, normally non-accessible hypervisor whose management appliance is the only way to even launch a VM.

So the weakest link becomes the management appliance, and the weakest network protection for the management appliance is to use only one pNIC.

The ESXi management appliance is DESIGNED to be BEHIND a Firewall.

Best regards,

Edward L. Haletky

Communities Moderator, VMware vExpert,

Author: VMware vSphere and Virtual Infrastructure Security, VMware ESX and ESXi in the Enterprise 2nd Edition

Podcast: The Virtualization Security Podcast Resources: The Virtualization Bookshelf

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill