Ahem...I hope you don't mind getting back to my original issue:
Sean W, can you elaborate on the security risks to the host? I guess the core issue for me is to understand if there are actually any additional security vulnerabilities because it's virtualised. What is the attack vector? Can a hypervisor be compromised by traffic to one of its guests when there is no IP stack loaded for the host?
I understand that the real danger is that if one of the guests were compromised it may expose the configuration/virtualisation/networking features of the host but that doesn't mean a VM guest/router is any less secure than a hardware router. The compromise is in the router OS & that's the same for a hardware router.
Thoughts?
Kelly
On Wed, Feb 17, 2010 at 9:52 PM, Sean Walberg
<swalberg@gmail.com> wrote:
If you don't have to submit to the wrath of an auditor, it's probably good enough.
In terms of security risks, your hypervisor/host OS needs to be locked down, as an attacker could present the WAN NIC to another guest and route it that way, or launch a new VM with both NICs. Again, not something to worry about at home.
FWIW, the auditors I've run up against, especially in PCI, don't look at the virtual switching in a virtual environment the way they do on a physical switch. That is, they won't blink if you separate two networks with VLANs, but put two VMs on different VLANs using a trunk to the ESX server and oh boy...
Sean
On Wed, Feb 17, 2010 at 9:00 PM, Kelly Leveille
<kel@kelweb.ca> wrote:
Hi All,
I'm considering setting up a firewall/router in a virtual machine to separate a couple networks in my home. I intend to dedicate one of the host NICs to the WAN port of the router VM & will not load a TCP stack for that NIC in the host OS (ESXi supports this config). In theory, this configuration is as secure as a hardware router because packets can only be routed via the VM.
My questions are:
Have any of you had any good/bad experiences with this type of setup & are there potential security risks I'm not considering?
Also, if you think this is not as secure as a hardware based solution, please explain why not.
I'm not doing it to save money. I am aware that I could do the same thing with a consumer router. I'm just interested in the possibility.
Thanks,
--
Kelly
_______________________________________________
Roundtable mailing list
Roundtable@muug.mb.ca
http://www.muug.mb.ca/mailman/listinfo/roundtable
--
Sean Walberg <sean@ertw.com> http://ertw.com/
--
Kelly
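The thread turns on two invariants of Kelly's design: the WAN NIC's vSwitch carries no host (VMkernel) port, so the hypervisor has no IP stack on that side, and only the router VM has a vNIC on it, so nobody can quietly present the WAN uplink to another guest or spin up a VM straddling both networks (Sean's concern). The following audit script is an added example and not code from anyone in the thread; it runs over a constructed, ESXi-style inventory built inline (the vSwitch, port-group, NIC and VM names such as vmnic1, vSwitchWAN and router-vm are hypothetical), so on a real host you would populate the `VSwitch` objects from your own inventory export and re-run the check as part of routine change review.

```python
"""Audit a constructed ESXi-style vSwitch inventory for the
"dedicated WAN NIC, no host IP stack, router VM only" pattern.

All names (vmnic0/vmnic1, vSwitchWAN/vSwitchLAN, router-vm, ...) are
hypothetical and the inventory is built inline for the example.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class VSwitch:
    name: str
    uplinks: List[str]                 # physical NICs bound to this switch
    vmkernel_ports: List[str]          # host ports that carry an IP stack
    portgroups: Dict[str, List[str]]   # portgroup name -> VMs with a vNIC on it


def audit_wan_isolation(switches: List[VSwitch], wan_nic: str, router_vm: str) -> List[str]:
    """Return a list of findings; an empty list means the design invariants hold."""
    findings: List[str] = []

    # The WAN physical NIC must be an uplink of exactly one vSwitch.
    wan_switches = [s for s in switches if wan_nic in s.uplinks]
    if len(wan_switches) != 1:
        findings.append(
            f"{wan_nic} must be an uplink of exactly one vSwitch, found {len(wan_switches)}")
        return findings
    wan = wan_switches[0]

    # Invariant 1: no host IP stack on the WAN side (no VMkernel port).
    if wan.vmkernel_ports:
        findings.append(
            f"{wan.name} carries VMkernel port(s) {wan.vmkernel_ports}: "
            "hypervisor is directly reachable from the WAN")

    # Invariant 2: only the router VM is attached to the WAN vSwitch.
    attached = set()
    for pg, vms in wan.portgroups.items():
        for vm in vms:
            attached.add(vm)
            if vm != router_vm:
                findings.append(
                    f"VM {vm} has a vNIC on WAN portgroup {pg}: "
                    "WAN uplink presented to a non-router guest")
    if router_vm not in attached:
        findings.append(f"router VM {router_vm} has no vNIC on {wan.name}")

    return findings


def baseline_inventory() -> List[VSwitch]:
    """Constructed inventory matching the design described in the thread."""
    return [
        VSwitch("vSwitchLAN", uplinks=["vmnic0"], vmkernel_ports=["vmk0"],
                portgroups={"LAN-Net": ["router-vm", "fileserver"]}),
        VSwitch("vSwitchWAN", uplinks=["vmnic1"], vmkernel_ports=[],
                portgroups={"WAN-Net": ["router-vm"]}),
    ]


def tampered_inventory() -> List[VSwitch]:
    """Same inventory after two config drifts: a VMkernel port added to the
    WAN switch and a second guest attached to the WAN portgroup."""
    return [
        VSwitch("vSwitchLAN", uplinks=["vmnic0"], vmkernel_ports=["vmk0"],
                portgroups={"LAN-Net": ["router-vm", "fileserver", "rogue-vm"]}),
        VSwitch("vSwitchWAN", uplinks=["vmnic1"], vmkernel_ports=["vmk1"],
                portgroups={"WAN-Net": ["router-vm", "rogue-vm"]}),
    ]


if __name__ == "__main__":
    for label, inv in (("baseline", baseline_inventory()), ("tampered", tampered_inventory())):
        result = audit_wan_isolation(inv, wan_nic="vmnic1", router_vm="router-vm")
        print(f"{label}: {'OK' if not result else 'FINDINGS'}")
        for line in result:
            print("  -", line)
```

The baseline passes with no findings; the tampered inventory produces one finding for the VMkernel port on the WAN switch and one for the extra guest on the WAN portgroup, which are exactly the two ways the host-side lockdown in the thread can silently erode.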