Re: [Qemu-discuss] Security implications of putting VMs on different networks?
Sun, 12 Jan 2014 13:12:18 -0600
I gave up on the virtualized network services idea. It was way too complicated
having it hosted on a general purpose computer. If something failed, you had
no Internet for however long it took you to put it all back together. (and no
Google to help you do it…)
That means I had a house full of Internet hounds (Facebook, Netflix, Twitter,
school homework website, etc) hounding me until it was all back up.
I went with a SOHO router, the Ubiquiti Edge Router Lite to handle the network
services. They were only $90 each, 3 ports, VPN, DHCP, DNS, 802.1q, etc. One
is in production and the other sits on the shelf for a cold standby. The
config is backed up every night. If it fails, the new one is pulled off the
shelf, the backed up config is loaded, and I’m back up in 10 minutes.
Look how much you are spending on SSD storage, ethernet ports, CPU power,
electricity, etc. vs. $90 for a little dedicated box that does it all.
Now I have the freedom to take down my servers anytime I want to reconfig,
reload, patch, etc, w/o having to stay up past everyone’s bedtime to do it.
If you don’t like the Edge Routers, Mikrotik is another popular product.
On Jan 12, 2014, at 12:44 PM, Ken Roberts <address@hidden> wrote:
> I am contemplating a SOHO network with 2 virtualization servers, and
> virtualized network hardware.
> I would like to know how rational this is, from a security standpoint and
> from a stability standpoint.
> Proposed host model, times 2:
> - 1x ethernet on-board
> - 4x ethernet card
> - SSD(s)
> Backups and less-used VMs will be on separate hardware NAS, maybe a Synology.
> My intent is to donate all physical NICs to virtualized routers.
> My network configuration would be as follows:
> R1: External firewall/router.
> - Connects to DMZ and NAT networks, and to VPN endpoint.
> R2: NAT.
> - Connects to main router.
> - This is a SOHO router appliance and will be the only wireless component.
> - Can access DMZ and VPN endpoint as though it were on the greater
> - No VMs here.
> - This is where all the guests and digital cockroaches go.
> R3: VPN endpoint.
> - Connects to main router, or alternately the endpoint exists inside DMZ.
> - Only public route to the VPN-secured network, of course.
> R4: Private-only.
> - Absolutely everything blocked unless initiated from inside.
> - Outbound blocked except for specific cases (software updates)
> - Contains the VM hosts' virtual network connection.
> Just to be clear, there are 3 virtualized routers and 1 physical router. The
> virtualized routers have one or more physical interface as needed. The
> physical interfaces will be VLAN-aware, 802.1q compliant. I guess that some
> of the virtual interfaces will need to be as well.
> OK so here's the complication:
> I want to know if it's rational to have R1, R3 and R4 be virtual routers.
> I would like to mirror the routers on both VM hosts, so if one host goes down
> I have another one available just by swapping wires.
> It would be nice if I can make these redundant routers active, so speed
> between VMs on the same host can be fast.
> Is it risky to have VMs on the same host be on different networks?
> Am I going about this the wrong way?
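One way to sanity-check the proposed segmentation before building it, as an added example that is not from either poster: a small Python model that encodes which zone may initiate connections to which, lists the zones an attacker on the guest (NAT) network would have to pivot through to reach the private network, and flags any VM attached to bridges of more than one zone, since such a VM bypasses every router policy on the same host. The allow table, router names and VM attachment list are constructed assumptions drawn from the quoted proposal.

```python
"""Zone model of the four-router design in the thread (constructed example, not the posters' code)."""

# Which zone may initiate a connection to which zone. Constructed from the proposal:
# R1 exposes DMZ and the VPN endpoint; R2 (NAT) guests reach the Internet, DMZ and VPN endpoint;
# R3 is the only public route into the VPN-secured network; R4 allows outbound only for updates.
ALLOWED = {
    "external": {"dmz", "vpn"},
    "nat": {"external", "dmz", "vpn"},
    "vpn": {"private"},
    "private": {"external"},   # assumption: software updates fetched from the Internet
}

# Constructed sample: which bridges (zones) each VM's virtual NICs attach to.
ATTACHMENTS = {
    "r1-router": ["external", "dmz", "vpn"],
    "r3-vpn": ["vpn", "private"],
    "r4-private": ["private", "external"],
    "web-vm": ["dmz"],
    "fileserver-vm": ["private"],
    "test-vm": ["dmz", "private"],   # misconfigured: silently bridges two zones
}
ROUTERS = {"r1-router", "r3-vpn", "r4-private"}


def can_initiate(src, dst):
    """True if the policy lets zone `src` open a connection into zone `dst`."""
    return dst in ALLOWED.get(src, set())


def pivot_paths(src, dst):
    """All simple paths of allowed initiations from `src` to `dst`, shortest first.
    Every intermediate zone on a path is a pivot an attacker would have to compromise."""
    paths = []

    def walk(node, path):
        if node == dst:
            paths.append(path)
            return
        for nxt in sorted(ALLOWED.get(node, ())):
            if nxt not in path:          # keep paths simple (no cycles)
                walk(nxt, path + [nxt])

    walk(src, [src])
    return sorted(paths, key=lambda p: (len(p), p))


def multi_homed_vms(attachments, routers):
    """VMs attached to more than one zone that are not declared routers."""
    return sorted(vm for vm, zones in attachments.items()
                  if len(set(zones)) > 1 and vm not in routers)
```

Running `pivot_paths("nat", "private")` shows that the VPN endpoint is the only pivot between the guest network and the private network, which is where hardening effort should go; `multi_homed_vms` catches the bridging mistake that makes "VMs on different networks on the same host" risky.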