Gentoo Forums
How secure is KVM/QEMU with guests on different networks?
Gentoo Forums Forum Index Networking & Security
1clue
Advocate

Joined: 05 Feb 2006
Posts: 2514

PostPosted: Mon Jan 06, 2014 11:08 pm    Post subject: How secure is KVM/QEMU with guests on different networks?

Hi,

I don't really know where to put this: I'm trying to plan a lot of new stuff at the same time. The "stuff" includes:

  1. At least two VM hosts, probably both kvm/qemu.
  2. A bunch of VMs on them, some new some from older equipment.
  3. Multiple networks
  4. VPN endpoint
  5. 3 security-oriented switches/firewalls


This sounds more grandiose than it really will be; this is all financed out of pocket. The VM hosts will be new hardware, and there is one existing VM host that will stay.

So the VM hosts are going to be there for redundancy primarily, and maybe security.

I have 4 networks based on security needs:

  1. DMZ: Not completely open, but all externally-accessible boxes -- real or virtual -- are here.
  2. NAT/Wifi: A typical home router, already here. Hooks into the same router that handles the DMZ and the VPN endpoint. Can see DMZ by the same rules that external hosts can.
  3. VPN: Public side is the external router, private side is the VPN-accessible network.
  4. Private: Hooks to VPN accessible network, but absolutely nothing can be initiated from outside, and specific rules allowed from inside.


This is going to be a combination of real hardware and virtual hardware:

  1. I was thinking a pre-built pfSense appliance for the external firewall/router, just so I know I have network access somewhere when my compilers blow up. :)
  2. I have endless quantities of laptops and phones and TVs and other digital cockroaches. These all go on the existing home router.
  3. The internal network appliances might be virtual.
  4. A lot of the VPN-accessible network will be virtual.
  5. The private-nothing-in network will have probably one workstation and the VM hosts.
  6. No wireless capability inside the VPN or private network.
  7. VM hosts donate all physical NICs to routers.
  8. VM hosts have a simple virtual connection to the private network and therefore through to the Internet for software updates and the like.
  9. NICs (both physical and virtual) are VLAN (802.1Q) aware for networking entities. (router/firewall/switch)


So finally my questions are regarding VLAN-aware VM hosts (802.1Q) which have guests on multiple networks:

  1. Are there security concerns from having VMs from different networks on the same physical host? Meaning, memory sharing, exploits related to KVM/Qemu?
  2. Are there security concerns for virtual networking hardware other than the concerns that would exist were the hardware physical?
  3. I would much rather have a really good README that's pertinent to these questions than having everyone try to solve my problem for me.


There are lots more questions, but I think this is enough for one post.

Thanks in advance.
Januszzz
Guru

Joined: 04 Feb 2006
Posts: 367
Location: Opole, Poland

PostPosted: Sat Jan 11, 2014 11:14 pm
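The VLAN-aware host layout described in the post (item 9 and questions 1 and 2) is easy to get subtly wrong: a guest tap that is left on the bridge's default VLAN 1, or that carries more than one zone's VLAN, silently bridges two security zones. The following is an added example, not code from the thread, that models the four zones as 802.1Q VLANs on a Linux VLAN-filtering bridge, generates the iproute2 commands that wire the trunk NIC, the host's own private-network access and each guest tap, and audits a `bridge vlan show` listing for guest ports that are not strict access ports. The VLAN IDs, interface names (`br0`, `eth0`, `tap-*`), guest names and the sample listing are all assumptions constructed for the example.

```python
"""Added example: zone-per-VLAN wiring and audit for a KVM host bridge.
VLAN IDs, interface names and the sample `bridge vlan show` text are assumed."""
from dataclasses import dataclass

# Assumed VLAN IDs for the four zones described in the post.
ZONES = {"dmz": 10, "natwifi": 20, "vpn": 30, "private": 40}
BRIDGE = "br0"   # assumed VLAN-filtering bridge on the VM host
TRUNK = "eth0"   # assumed physical NIC, donated to the router guests as a trunk


@dataclass(frozen=True)
class Guest:
    name: str
    tap: str
    zone: str            # exactly one zone per guest NIC
    trunk: bool = False  # only router/firewall guests carry every zone VLAN


def bridge_setup_commands(bridge=BRIDGE, trunk=TRUNK):
    """iproute2 commands for the bridge, the trunk NIC and the host's own port."""
    cmds = [
        f"ip link add name {bridge} type bridge vlan_filtering 1",
        f"ip link set {bridge} up",
        f"ip link set {trunk} master {bridge}",
        # Nothing should ride the default VLAN 1, neither the trunk nor the host.
        f"bridge vlan del dev {trunk} vid 1",
        f"bridge vlan del dev {bridge} vid 1 self",
    ]
    cmds += [f"bridge vlan add dev {trunk} vid {v}" for v in sorted(ZONES.values())]
    # Item 8 of the post: the host itself only reaches the private network.
    cmds.append(f"bridge vlan add dev {bridge} vid {ZONES['private']} pvid untagged self")
    return cmds


def guest_port_commands(guest, bridge=BRIDGE):
    """Access port (one PVID, untagged) for normal guests; tagged trunk for routers."""
    cmds = [f"ip link set {guest.tap} master {bridge}",
            f"bridge vlan del dev {guest.tap} vid 1"]
    if guest.trunk:
        cmds += [f"bridge vlan add dev {guest.tap} vid {v}" for v in sorted(ZONES.values())]
    else:
        cmds.append(f"bridge vlan add dev {guest.tap} vid {ZONES[guest.zone]} pvid untagged")
    return cmds


def parse_bridge_vlan_show(text):
    """Parse `bridge vlan show` output into {port: {vid: set(flags)}}.
    Continuation lines (indented) belong to the most recent port."""
    ports, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("port"):
            continue  # blank line or column header
        tokens = raw.split()
        if not raw[0].isspace():
            current = tokens[0]
            ports.setdefault(current, {})
            tokens = tokens[1:]
        if current is None or not tokens:
            continue
        vid_field, flags = tokens[0], set(tokens[1:])
        lo, _, hi = vid_field.partition("-")  # "10" or a range "10-20"
        for vid in range(int(lo), int(hi or lo) + 1):
            ports[current][vid] = flags
    return ports


def audit_guest_ports(ports, guests):
    """Return human-readable findings for guest taps that break zone isolation."""
    findings = []
    for g in guests:
        vlans = ports.get(g.tap)
        if vlans is None:
            findings.append(f"{g.tap} ({g.name}): not attached to the bridge")
            continue
        if 1 in vlans:
            findings.append(f"{g.tap} ({g.name}): still carries default VLAN 1")
        if g.trunk:
            continue  # router guests legitimately see every zone
        want = ZONES[g.zone]
        extra = sorted(v for v in vlans if v not in (want, 1))
        if extra:
            findings.append(f"{g.tap} ({g.name}): leaks into VLANs {extra}")
        if not {"PVID", "Untagged"} <= vlans.get(want, set()):
            findings.append(f"{g.tap} ({g.name}): VLAN {want} is not PVID+untagged")
    return findings


# Constructed guest inventory and a constructed `bridge vlan show` listing in
# which tap-db was attached with the default settings instead of an access port.
GUESTS = [Guest("fw-internal", "tap-fw", "vpn", trunk=True),
          Guest("web", "tap-web", "dmz"),
          Guest("db", "tap-db", "private")]
SAMPLE_BRIDGE_VLAN_SHOW = """\
port              vlan-id
eth0              10
                  20
                  30
                  40
tap-fw            10
                  20
                  30
                  40
tap-web           10 PVID Egress Untagged
tap-db            1 PVID Egress Untagged
                  40
"""

if __name__ == "__main__":
    for line in bridge_setup_commands() + sum((guest_port_commands(g) for g in GUESTS), []):
        print(line)
    for finding in audit_guest_ports(parse_bridge_vlan_show(SAMPLE_BRIDGE_VLAN_SHOW), GUESTS):
        print("FINDING:", finding)
```

Run on a real host, the audit would take `bridge vlan show` output from `subprocess.run(["bridge", "vlan", "show"], capture_output=True, text=True).stdout` instead of the constructed sample; the point of the access-port rule is that a guest NIC can only ever inject or receive frames for its own zone, and the router guests are the only ports where zones meet, exactly as they would on a physical managed switch.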

A readme, you say. I would look at the Ganeti mailing list; there were some great network setups there, and they should be aware of any security issues that may arise around them.

So THAT'S a README :-)

Apart from your setup, Ganeti is a good option, but there should be at least three nodes to feel comfortable (my opinion only).
1clue
Advocate

Joined: 05 Feb 2006
Posts: 2514

PostPosted: Sun Jan 12, 2014 2:39 am

I'll take a look at Ganeti.

Three VM hosts seems to be a magic number, leaving you with satisfactory performance when one goes down.

I already have a 1st-gen i7 that's a VM host. I think that's going to be the third node. I'm hoping to get the two that I mentioned in this project in quick succession or simultaneously, and then use the older i7 as a backup/miscellaneous box.

Thanks.