6

Just kicking this idea around, and wanted to see if you'll be so kind as to point out the problems I don't see.

If I set up this new HyperV host as a normal domain member, the benefits are obvious. I can manage it through SCVMM, and it's got its own NIC, so the traffic should theoretically be isolated from the dirty, filthy DMZ NIC the VMs will be using.

Obviously I'll want to set up the virtual network as Private, to isolate the host from them completely. I'm trusting the documentation on this - is that naive?

I could be overthinking things, because the thought of having my LAN and my DMZ both plugged into the same physical box makes me twitch, but I don't have any concrete reasons why.

Thanks for your thoughts.

Kara Marfia
  • 7,892
  • 5
  • 32
  • 56
  • Edited to make the tags more virtualization-agnostic. I'll continue to envy the VMWare among us and appreciate the advice from any & all. – Kara Marfia Jul 23 '09 at 20:08

2 Answers2

5

I would say the main risk would be any exploit that allows someone to break out of the VM and attack the host. This has happened with VMWare before. So this would put your LAN at a higher risk from the DMZ than totally isolated machines, but I wouldn't say it's stupid either. Just depends on how secure it really has to be...

Also take into account this sounds a little more 'complicated', and therefore you might be more likely to overlook something. I bet more security is hacked because of Administrative mistakes than exploits.

One more thing to think about is if you work in place / industry that might have audits. Even if this method is no less secure really, there might be some BS audit rule about the DMZ and LAN residing on the same physical server.

Kyle Brandt
  • 82,107
  • 71
  • 302
  • 444
  • Thanks for that link. I'm hoping that "just keep it patched" will be the answer here. – Kara Marfia Jul 23 '09 at 18:57
  • Taking your advice to heart and naming the host such that someone will (hopefully) pause before fiddling with the virtual networking. – Kara Marfia Jul 24 '09 at 17:53
  • Also worth mentioning that that exploit was on Workstation. It would also mean something would have to breach multiple layers of security and be very aware of the environment to have good use of the breach, this at least puts the threats far into the "determined and targeted attack" field IMHO. – rackandboneman May 11 '12 at 18:10
3

We are running several servers like this now (although we are using VMWare). Basically the physical boxes host Guest machines running on various networks, each network has it's own physical NICs assigned to it. This is definitely an issue as Kyle mentioned. The approach we have taken is that in light of the potential impact of a virtual hack we have gone out of our way to secure the OS on the guest machines. All Guest OS's that are public accessible are screened by a 3rd party audit daily for security vulnerabilities so that we can hopefully keep someone from ever getting into the guest in the first place. Additionally we have placed extensive firewall rules in place to lock down the traffic entering the DMZ in the first place. Unfortunately this is probably as secure as you can get with that kind of configuration at the moment.

Charles
  • 879
  • 5
  • 9
  • Reassuring that this is permissable in an environment that is far more strict than my own. Thanks for the input. – Kara Marfia Jul 23 '09 at 20:04