[RndTbl] firewall/router in a VM

Sean Walberg swalberg at gmail.com
Wed Feb 17 21:52:17 CST 2010


If you don't have to submit to the wrath of an auditor, it's probably good
enough.

In terms of security risks, your hypervisor/host OS needs to be locked down,
as an attacker could present the WAN NIC to another guest and route it that
way, or launch a new VM with both NICs. Again, not something to worry about
at home.

FWIW, the auditors I've run up against, especially in PCI, don't look at the
virtual switching in a virtual environment the way they do on a physical
switch. That is, they won't blink if you separate two networks with VLANs,
but put two VMs on different VLANs using a trunk to the ESX server and oh
boy...

Sean

On Wed, Feb 17, 2010 at 9:00 PM, Kelly Leveille <kel at kelweb.ca> wrote:

> Hi All,
>
> I'm considering setting up a firewall/router in a virtual machine to
> separate a couple networks in my home. I intend to dedicate one of the host
> NICs to the WAN port of the router VM & will not load a TCP stack for that
> NIC in the host OS (ESXi supports this config). In theory, this
> configuration is as secure as a hardware router because packets can only be
> routed via the VM.
>
> My questions are:
>
> Have any of you had any good/bad experiences with this type of setup & are
> there potential security risks I'm not considering?
>
> Also, if you think this is not as secure as a hardware based solution,
> please explain why not.
>
> I'm not doing it to save money. I am aware that I could do the same thing
> with a consumer router. I'm just interested in the possibility.
>
> Thanks,
> --
> Kelly


-- 
Sean Walberg <sean at ertw.com>    http://ertw.com/
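As an added example (not part of the thread or either author's setup), the script below audits a constructed ESXi-style virtual-switch inventory for the isolation assumptions discussed above: the host keeps no IP (vmkernel) interface on the WAN switch, the WAN uplink is not shared, and no guest other than the firewall VM touches the WAN portgroup or bridges it to an internal network. All switch, NIC and VM names are hypothetical.

```python
# Added example (not from the thread); switch, NIC and VM names are made up.
# Each virtual switch lists its physical uplinks, any host (vmkernel) IP
# interfaces, and the portgroups guests can attach to.
SAMPLE_SWITCHES = {
    "vSwitchWAN": {"uplinks": ["vmnic1"], "vmk": [], "portgroups": ["WAN"]},
    "vSwitchLAN": {"uplinks": ["vmnic0"], "vmk": ["vmk0"], "portgroups": ["LAN", "IoT"]},
}
# Constructed guest list: VM name -> portgroups its virtual NICs connect to.
SAMPLE_VMS = {
    "fw01": ["WAN", "LAN", "IoT"],  # the firewall/router VM
    "nas": ["LAN"],
    "lab-test": ["WAN", "LAN"],     # the "new VM with both NICs" case
}

def audit(switches, vms, firewall="fw01", wan_pg="WAN"):
    """Return a list of findings; empty means the WAN NIC is reachable
    only through the firewall VM and the host has no IP stack on it."""
    findings = []
    pg_to_switch = {pg: sw for sw, cfg in switches.items() for pg in cfg["portgroups"]}
    wan_switch = pg_to_switch.get(wan_pg)
    if wan_switch is None:
        return [f"portgroup {wan_pg} is not defined on any switch"]
    # 1. The host itself must not have an IP interface on the WAN side.
    if switches[wan_switch]["vmk"]:
        findings.append(f"host vmkernel interface on {wan_switch}: "
                        + ", ".join(switches[wan_switch]["vmk"]))
    # 2. The WAN uplink must not be shared with any other virtual switch.
    wan_uplinks = set(switches[wan_switch]["uplinks"])
    for sw, cfg in switches.items():
        if sw != wan_switch and wan_uplinks & set(cfg["uplinks"]):
            findings.append(f"WAN uplink shared with {sw}")
    # 3. No other portgroup may live on the WAN switch (it would bypass the fw).
    extra = [pg for pg in switches[wan_switch]["portgroups"] if pg != wan_pg]
    if extra:
        findings.append(f"non-WAN portgroups on {wan_switch}: {extra}")
    # 4. Only the firewall VM may touch the WAN portgroup; any other guest that
    #    does, especially one also on an internal network, bridges around it.
    if wan_pg not in vms.get(firewall, []):
        findings.append(f"firewall {firewall} has no NIC on {wan_pg}")
    for vm, pgs in vms.items():
        if vm != firewall and wan_pg in pgs:
            how = "bridges WAN and an internal network" if len(pgs) > 1 else "is exposed on WAN"
            findings.append(f"{vm} {how}")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_SWITCHES, SAMPLE_VMS) or ["no findings"]:
        print(line)
```

Running it against the sample inventory flags only the stray lab VM; feeding it a real inventory (for example one exported from the hypervisor's management API) turns the thread's "lock down the hypervisor" advice into a repeatable check.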