When using a Virtual Network, is it possible to infect the underlying Network infrastructure with malware from the Virtual Network? How safe is the use of Virtual Networks?
From your question it is not clear what you mean by "virtual network". There are several common possible meanings: [virtual LAN (VLAN)](https://en.wikipedia.org/wiki/Virtual_LAN), virtual network implemented by a [hypervisor](https://en.wikipedia.org/wiki/Hypervisor), or [virtual private network (VPN)](https://en.wikipedia.org/wiki/Virtual_private_network). – pabouk - Ukraine stay strong Nov 06 '14 at 14:48
2 Answers
Because virtualization software is not perfect, it is in some cases possible to escape out of the virtual environment and do bad things on the host. It is important to keep your virtualization (and other software) up to date, because security patches to prevent this attack are sometimes released. I believe that malware could indeed then be put onto the host network if other vulnerabilities were exploited. So, yes, I believe it would be possible... however, it would be very difficult. This would be a significant hurdle that should keep most attackers out of the host network. I believe virtual networks are a great safety measure to take, as long as the security implications are considered.
Another attack to consider (not quite malware on the host network) is a Denial of Service (DoS), or Distributed Denial of Service (DDoS) attack in which network traffic is flooded. If the virtual host shares the same network resources with the host network, then if the virtual network is flooded with traffic, it would also flood the host network, bringing both to a crawl / halt.
Short answer: no. The hosting network can't be affected from within a virtual network.
A bit longer answer: by design, a virtual network should be considered a sandboxed virtual environment within a physical implementation of a networking environment. You can't break out of the sandbox. So the hosting network can't be infected by the virtual network.
Whether the hosting network can see the traffic in the virtual network depends on your virtualization choices. For example, a VPN tunnel can't be accessed by the hosting network. A VLAN without further security measures is transparent to the hosting network.
Of course, with the "if properly implemented and maintained"-disclaimer. Be aware of 0-days (unpatched security leaks), configure the network properly (eg: set resource limits) and keep everything patched with the latest security updates.
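To make the shared-bandwidth DoS point from both answers concrete (the flood scenario in the first answer and the "set resource limits" advice in the second), here is an added toy simulation; it is not code from either answer, and the uplink size, traffic demands and cap value are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Network:
    name: str
    offered_mbps: float               # traffic this network tries to push onto the uplink
    cap_mbps: Optional[float] = None  # per-network rate limit; None = no limit configured


def share_uplink(link_mbps: float, nets: List[Network]) -> Dict[str, float]:
    """Bandwidth each network actually gets on one shared physical uplink.

    Model: a plain FIFO link hands out capacity in proportion to offered load,
    so a flood from one network squeezes out the others. A per-network cap
    (the "resource limit" mitigation) bounds that network's demand first.
    """
    demand = {
        n.name: n.offered_mbps if n.cap_mbps is None else min(n.offered_mbps, n.cap_mbps)
        for n in nets
    }
    total = sum(demand.values())
    if total <= link_mbps:            # no contention: everyone gets what they ask for
        return demand
    return {name: round(link_mbps * d / total, 2) for name, d in demand.items()}


def host_starved(alloc: Dict[str, float], host: str = "host",
                 needed_mbps: float = 100.0, tolerance: float = 0.9) -> bool:
    """True if the host network gets less than 90% of what it needs."""
    return alloc[host] < needed_mbps * tolerance


def scenario(cap: Optional[float]) -> Dict[str, float]:
    """Constructed sample: 1 Gbit/s uplink, host network needs 100 Mbit/s,
    virtual network is being flooded with ~10 Gbit/s of DoS traffic."""
    nets = [Network("host", 100.0), Network("virtual", 9900.0, cap)]
    return share_uplink(1000.0, nets)


if __name__ == "__main__":
    for cap in (None, 400.0):
        alloc = scenario(cap)
        print(f"virtual cap={cap}: {alloc} host starved: {host_starved(alloc)}")
```

Without a cap the flood on the virtual network leaves the host network about 10 Mbit/s; with a 400 Mbit/s cap the host keeps its full 100 Mbit/s.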
Never say never :-) There have been vulnerabilities that allow escape from the virtual environment, and if one of those is exploited, I am sure the host network could then be impacted. Another attack I can think of is a denial of service (DoS). If your virtual network and host network use the same bandwidth, a DoS (or DDoS) could then affect both the host and virtual network (depending on network implementation). However, I do believe the virtual network provides a pretty good separation from the host network and would be a significant hurdle for an attacker (depending on implementation). – Jonathan Nov 06 '14 at 13:58
Thanks for your help this together with Jonathan's answer really cleared up things. Best Regards. – Daniel Micallef Nov 06 '14 at 14:40
But with your last paragraph, your answer is "yes". A properly patched machine is still subject to 0-days. – schroeder Nov 06 '14 at 15:37