Best way of isolating VM's to protect network?

6,788

I'm not sure if you're asking for general guidance on locking systems down or asking if anything special has to take place because of the virtualisation, so I'm going to try and address both issues.

Nothing magical happens here, either good or bad, just because these machines are virtual guests; how would you secure the machines if they were physical servers? Ok then, you still do that (and my version of "that" is outlined below).

Each virtual guest should be secured as you would normally, and you should be wary of hosting any software on the internet-facing virtual machines that exposes the workings of the virtual hosts (for example, don't install the VMware management console on one of them, don't directly expose the virtual server storage, etc.).

What typically should happen is that you protect your servers via a firewall with a "default deny"(1) policy that only exposes the services you wish to expose to the Internet. If you haven't got a decent firewall and/or you haven't configured it in a "default deny" configuration then you need to do this right now.

With that done, you now have a minimal "attack surface", which means you can concentrate most of your energy on securing and monitoring and patching these services that have been exposed to the outside world.

Your virtual hosts should remain secure because you've only exposed a few services on a few virtual guests, so the IP addresses of the virtual hosts themselves are not exposed to the Internet.

Having said all that, it's not a bad idea to use the VLAN facility you mention to place the IP addresses you're exposing for the internet-facing virtual guests in their own isolated VLAN, away from any management interfaces for the virtual hosts and any other servers/infrastructure you may have.

It may also be worth considering tools like tripwire to monitor your systems for changes, if you're worried.

(1) Default Deny is a firewall policy/set of rules that ensures that everything is blocked by default and that you only open the ports/services that you need to open. This should ensure that only the services that absolutely need to be exposed are exposed, and while it is not a security panacea, it does greatly improve your chances of keeping your servers and your network secure.

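To make the "default deny" policy and the zone separation from the answer concrete, here is an added example (not code from the answer or from any of the products mentioned). It models three zones as the answer suggests (a DMZ VLAN for the public-facing guests, a management VLAN for the ESX host, and the rest of the LAN), keeps an explicit allow-list, and treats every other flow as dropped. The address ranges, ports and zone names are constructed assumptions, and the rendered nftables ruleset assumes a Linux firewall sitting between the Internet and those VLANs rather than the Draytek from the question.

```python
"""Default-deny zone firewall model (added example, not from the original answer).

Zones, addresses and ports below are constructed assumptions; 192.0.2.0/24
and 203.0.113.0/24 are documentation ranges, not real deployments.
"""
import ipaddress
from dataclasses import dataclass

# Assumed zones: public-facing guests in their own VLAN, the ESX host and its
# management interfaces in another, and the remaining internal servers.
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),    # internet-facing VM addresses (assumed)
    "mgmt": ipaddress.ip_network("10.0.99.0/24"),   # ESX host + management console (assumed)
    "lan": ipaddress.ip_network("10.0.1.0/24"),     # other internal servers (assumed)
}


@dataclass(frozen=True)
class Rule:
    src_zone: str   # "internet" means "not in any known zone"
    dst_zone: str
    proto: str
    port: int


# The allow-list. Anything not listed here is dropped: that is the default deny.
ALLOW = [
    Rule("internet", "dmz", "tcp", 80),
    Rule("internet", "dmz", "tcp", 443),
    Rule("mgmt", "dmz", "tcp", 22),     # admins reach guests only from the management VLAN
    Rule("mgmt", "mgmt", "tcp", 443),   # ESX management stays inside the mgmt VLAN
]


def zone_of(addr: str) -> str:
    """Map an address to a zone; unknown addresses are treated as the Internet."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


def is_allowed(src: str, dst: str, proto: str, port: int) -> bool:
    """Default-deny evaluation: True only when an explicit allow rule matches."""
    return Rule(zone_of(src), zone_of(dst), proto, port) in ALLOW


def exposed_to_internet() -> list:
    """The attack surface the answer talks about: what the Internet can reach."""
    return sorted({(r.dst_zone, r.proto, r.port) for r in ALLOW if r.src_zone == "internet"})


def render_nftables() -> str:
    """Emit an nftables ruleset implementing ALLOW with 'policy drop' on forward."""
    internal = ", ".join(str(n) for n in ZONES.values())
    lines = ["table inet zones {"]
    for name, net in ZONES.items():
        lines.append(f"  set {name} {{ type ipv4_addr; flags interval; elements = {{ {net} }} }}")
    lines += [
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for r in ALLOW:
        if r.src_zone == "internet":
            src = f"ip saddr != {{ {internal} }} "   # anything outside the known zones
        else:
            src = f"ip saddr @{r.src_zone} "
        lines.append(f"    {src}ip daddr @{r.dst_zone} {r.proto} dport {r.port} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print("Exposed to the Internet:", exposed_to_internet())
    # A compromised public-facing guest must not be able to reach ESX management.
    print("dmz -> mgmt 443 allowed?", is_allowed("192.0.2.10", "10.0.99.1", "tcp", 443))
    print(render_nftables())
```

The useful check is the `dmz -> mgmt` case: with the guests and the host on one flat subnet, as in the question, nothing stops a compromised guest from talking to the host's management interface; once the zones exist, that flow only works if someone adds a rule for it, which is exactly what `exposed_to_internet()` and the rendered ruleset make visible for review.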


Author: dannymcc

Updated on September 18, 2022

Comments

  • dannymcc
    dannymcc over 1 year

    On our network (1.0/24) we have a number of servers. One of those servers is running VMware ESX with three virtual machines which are hosting various websites and applications to the outside world.

    Currently the server and each of the VMs have their own local IP address on the same subnet and physical switch as the rest of the network.

    I am wondering about the security implications of this. I want to be safe in the knowledge that I haven't left any gaping security holes open. I presume that because the VMs are online and are advertised online, it wouldn't take much effort to trace the local IP and instantly see the other devices (assuming the intruder had a reasonable level of skill and knowledge).

    I know that the Netgear ProSafe switches that we use support VLANs, and I know the Draytek Vigor 2820 router we use supports both VLANs and a second subnet(?).

    I am wondering what the "normal" solution would be and if I need to go as far as setting VLANs up or whether some firewall rules could do this?

  • dannymcc
    dannymcc over 12 years
    Thanks for the answer. I have configured a Deny All rule on the main (only) router firewall and also on the Ubuntu server (within a VM). I believe in terms of firewalls I have done all I can (with my level of knowledge at least!). Tripwire looks good, perhaps a little overkill for our needs but time will tell.
  • Rob Moir
    Rob Moir over 12 years
    @dannymcc tripwire may well be overkill, but it's nice to know about it and make your own choice, I think. It sounds like you're doing everything right to me.
  • dannymcc
    dannymcc over 12 years
    The VMware server has a local IP address but has no route from the outside world. The individual VMs do have a public address.
  • dannymcc
    dannymcc over 12 years
    Am I correct in saying a network zone == VLAN?
  • Niko Gunadi
    Niko Gunadi over 12 years
    Yes, by using a VLAN, you create a new network zone.