[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-discuss] Security implications of putting VMs on different net

From: Tony Su
Subject: Re: [Qemu-discuss] Security implications of putting VMs on different networks?
Date: Mon, 13 Jan 2014 11:10:05 -0800

 The described configuration is totally confusing, especially when the
terminology used is inexact (eg vitualization servers? Is that
supposed to be virtualized Guest servers or actually physical hosts?)

And, the use of "virtualized routers" is a mystery. In some situations
it's necessary, but in many totally unnecessary.

I suspect the mysteries are mainly explained by lack of virtualization
Recommend you setup something simple just to get used to it. Explore a
bit, particularly noting how you can bind virtual networks to
individual physical adapters, and how each type of networking works
(bridging, NAT, Host only). See what machines can communicate with
each other configured with different networks.

That should give you plenty of foundation to setting up what you
describe because I don't think you're trying to setup a complex
network. If you were talking more about things like a great number of
networks or networks tunneled within other networks, then I'd point
you in a different direction.

And, as far as reliability, recovery, etc...
I don't see that would be much of an issue for what I think you're doing.


On Sun, Jan 12, 2014 at 10:44 AM, Ken Roberts
<address@hidden> wrote:
> Hi,
> I am contemplating a SOHO network with 2 virtualization servers, and
> virtualized network hardware.
> I would like to know how rational this is, from a security standpoint and
> from a stability standpoint.
> Proposed host model, times 2:
>   - 1x ethernet on-board
>   - 4x ethernet card
>   - SSD(s)
> Backups and less-used VMs will be on separate hardware NAS, maybe a
> Synology.
> My intent is to donate all physical NICs to virtualized routers.
> My network configuration would be as follows:
> R1: External firewall/router.
>     - Connects to DMZ and NAT networks, and to VPN endpoint.
> R2: NAT.
>     - Connects to main router.
>     - This is a SOHO router appliance and will be the only wireless
> component.
>     - Can access DMZ and VPN endpoint as though it were on the greater
> Internet.
>     - No VMs here.
>     - This is where all the guests and digital cockroaches go.
> R3: VPN endpoint.
>     - Connects to main router, or alternately the endpoint exists inside
> DMZ.
>     - Only public route to the VPN-secured network, of course.
> R4: Private-only.
>     - Absolutely everything blocked unless initiated from inside.
>     - Outbound blocked except for specific cases (software updates)
>     - Contains the VM hosts virtual network connection.
> Just to be clear, there are 3 virtualized routers and 1 physical router.
> The virtualized routers have one or more physical interface as needed.  The
> physical interfaces will be VLAN-aware, 802.1q compliant.  I guess that some
> of the virtual interfaces will need to be as well.
> OK so here's the complication:
> I want to know if it's rational to have R1, R3 and R4 be virtual routers.
> I would like to mirror the routers on both VM hosts, so if one host goes
> down I have another one available just by swapping wires.
> It would be nice if I can make these redundant routers active, so speed
> between VMs on the same host can be fast.
> Is it risky to have VMs on the same host be on different networks?
> Am I going about this the wrong way?
> Thanks.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]