Hyper-V network security
The environment we are looking at is as follows:

2008 Enterprise Core with Hyper-V and 4 physical NICs

NIC1 - Hyper-V management (Corporate LAN)
NIC2 - Virtual Network 1 with host access (Corporate LAN)
NIC3 - Virtual Network 2 w/o host access (DMZ)
NIC4 - Currently unused

What exposure issues would this configuration have from NIC3 in the DMZ?

I know that when a physical NIC is assigned to a virtual network that only the virtual network switch protocol is bound to the NIC, but is there anything else from Hyper-V that is exposed from that NIC?

If a virtual guest in the DMZ virtual network were compromised, could the VM guest services be used to compromise the host?

Should VM guest services be installed on the DMZ guests?

At what point would it be prudent to invest in new hardware dedicated to be the host in the DMZ?

I'm just not finding answers to these types of security questions anywhere else.

Thanks for any help!!!

Charles
July 20th, 2009 7:10pm

Hello,

The most important thing in this configuration is to have the separate management NIC, which you have, and use that as the only place the host can be administered. The DMZ NIC is ok, provided you are ok with having your host exposed to a DMZ in the first place. Since you won't have the host manageable from the DMZ or accessible for that matter, your risk is significantly lower. I would certainly install guest services on the DMZ VMs. They cannot be used to compromise the host.

Nathan Lasnoski
http://nathanlasnoski.spaces.live.com
  • Marked as answer by CharlesBlair Monday, July 20, 2009 8:08 PM
July 20th, 2009 7:26pm

The current default behavior is what you need to worry about.

In regards to NIC2 and NIC3.
In both cases you will be creating an "External" virtual network.

As you state, the behavior is that the physical NIC is bound to the virtual network switch, and then virtual NICs are bound to VMs.

However, when using Hyper-V v1 - the host receives a virtual NIC on all External Virtual Networks by default. This means that, by default, your host will have a NIC in your DMZ.

Since you are using the term "host access" I am assuming that you are using R2 - this default behavior is different.
If "host access" is off, then this virtual NIC to the host is not attached to the Virtual Network and therefore the External Virtual Network is for VM traffic in and out of the hardware only.

My only comment is that your host only needs one interface, and that should be kept on the management network only.
There is no reason to multi-home the host. Make it as tight and isolated as possible.
July 20th, 2009 8:00pm
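The "host access" behavior described above can be checked and enforced from the host. The following is an added example, not code from the thread or from its posters; it assumes the Hyper-V PowerShell module, which ships with Windows Server 2012 and later (the 2008/R2 hosts in the thread would need the Hyper-V Manager UI or WMI instead), and the switch name `DMZ` and adapter name `NIC3` are constructed for illustration.

```powershell
# Added example (not from the thread). Requires the Hyper-V PowerShell module
# (Windows Server 2012 or later); the names 'DMZ' and 'NIC3' are assumed.

# Create the DMZ external switch bound to NIC3 with no host virtual NIC.
# -AllowManagementOS $false is the equivalent of "host access" being off:
# the switch carries VM traffic only and the host is not multi-homed into the DMZ.
New-VMSwitch -Name 'DMZ' -NetAdapterName 'NIC3' -AllowManagementOS $false | Out-Null

# Audit every external switch and flag those where the management OS
# still holds a virtual NIC, i.e. the host has an interface on that network.
function Get-HostExposedSwitches {
    $hostAdapters = Get-VMNetworkAdapter -ManagementOS
    foreach ($switch in Get-VMSwitch -SwitchType External) {
        $hostNic = $hostAdapters | Where-Object { $_.SwitchName -eq $switch.Name }
        [pscustomobject]@{
            Switch      = $switch.Name
            PhysicalNic = $switch.NetAdapterInterfaceDescription
            HostHasVNic = [bool]$hostNic
        }
    }
}

$report = Get-HostExposedSwitches
$report | Format-Table -AutoSize

# Remediate: in the design from the thread the management NIC (NIC1) is not part
# of any virtual switch, so no external switch should show HostHasVNic = True.
# Detach the host vNIC from every switch that does.
$report | Where-Object { $_.HostHasVNic } | ForEach-Object {
    Set-VMSwitch -Name $_.Switch -AllowManagementOS $false
}
```

Run the audit periodically (or after any switch change) and alert on a `True` in the `HostHasVNic` column; that is the condition under which the host, not just the guests, is reachable from the DMZ segment.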

Nathan and Brian,

Thank you for the quick responses to my questions.

This information will help out a lot in drafting security policies for our virtual environment.

Thanks again!!

Charles

July 20th, 2009 8:20pm

As I am doing a Master's in computer science and I am going to submit my research proposal next month, I need guidance. 1. What are the Hyper-V security issues? 2. What are the weak points of Hyper-V with respect to security? It will be great if someone can help me out with this.
March 9th, 2015 2:25am
