Isolate computer network card from main OS

-1

I am starting a project with my old computer, planning to make it into an economical multifunction server, but I am new to networking, servers, virtualization and firewall/antivirus/anti-spam software.

The first role that it will play will be a gateway between my modem and my router. I am planning to use the Untangle Lite version to act as a firewall, antivirus, antispam, etc., to protect my LAN and remove the AV and AS software on my other computers in order to improve performance. I'll have an additional network card with two (or more) ports, with one port connected to the modem, and another to the router.

Secondly, it will act as a backup storage server, doing regular backups of many devices on my LAN.

As a gateway firewall needs to be operating on a standalone OS (correct me if I am wrong), I was thinking of virtualizing Untangle with VMware Player, which will run on the main OS of the server, filtering packets as they arrive from the router and delivering clean packets to the LAN. The server would then be connected to the router on the network port of the motherboard, isolated from the network card where the packets are getting filtered by the VM.

My question is: is it possible to dedicate the network card to the VM, in order to isolate incoming packets from the main server OS and the server data? Is it safe? Are there better ways of doing it?

Any help, tips, recommendations are welcome!

Thanks

louis

Posted 2014-10-14T01:34:19.320

Reputation: 25

Is there a reason you can't use vSphere or XenServer instead of VMWare Player? – lzam – 2014-10-14T01:53:58.410

That you wish to put it outside your main firewall indicates that it should only perform public roles, like firewalling, mail hosting, web hosting, VPN/SSH, etc. Servers like these are very vulnerable to attackers, so it is generally accepted that they should support no internal services, which give adversaries greater surface area for attack. In your case, I'd strongly recommend that you don't use it for backup (or in fact any) storage. In the end, your storage is the thing you need to protect the most. – Frank Thomas – 2014-10-14T02:22:40.177

Answers

0

No, it is not possible to attach NIC hardware directly to the VM such that the host is not processing the signals at all. Doing so would break the VMware virtual drivers that allow the VM to receive and decode the signals.

You will have to rely on IP configuration to ensure that your packets flow in the right logical fashion.

Frank Thomas

Posted 2014-10-14T01:34:19.320

Reputation: 29 039

If I have understood what you explained, packets couldn't target the data residing on an OS other than the VM, though the drivers for the NIC hardware could be affected. – louis – 2014-10-14T02:32:09.037

I'm afraid I'm not understanding your assertion. Packets target services, so the key to network boundary security is to prevent the exposure of any sensitive services to unauthorized users. Services, however, usually have flaws, so keeping unauthorized communications from reaching the service is critical to securing it. Only very mature services like ssh or apache2, in secure configurations, should ever be exposed to the public. – Frank Thomas – 2014-10-14T02:38:43.290