[Solved]All in one Server PART II

[jduped]

I haven't posted in a while...been at school, thats all done so now back to Linux projects.  This is so out there that I feel bad for asking, yet I ask anyways, as this has been the best community I've been able to fence questions to.

I'm running my server on CentOS, tried with vector and couldn't get my software raid1 arrays to read and mount properly, any who, all that stuff is sorted, I have active shares that exactly how I want them.  On this same box I was planning to make it double as a router as well.

now I had an interesting idea, and I'm not sure how to execute it.  Using a virtual machine I want to load a linux security distro such as ipcop or pfsense or m0n0wall all of which I've used prior to this but they had there own machine. so that it will run route and protect my network, as if in its own box but doubled up and running at the same time as my native os.

The box I'm trying to do this on is

amd 4200+ dualcore
1 gig ram
3 nics 1 10/100 2 1000

it runs a samba server as a main o/s

in the vm I want a *nix security distro probably going to be IPcop as I have the most experience with that one...I want it to be capable of starting with the host o/s or after the host o/s is started with out any external clicks or commands so I may need some help with a script.

Ideas? Suggestions? am I nuts? (the last one is rhetorical)

[bigpaws]

You do have enough machine for the job.

The first problem will be a reverse bridge in order
to get the routing in the right direction.

Second a vm is not classed as secure.

Those are the things that come to mind at
the moment. I am sure I will think of more.

Bigpaws

[jduped]

I have extra nic's so I was thinking of assigning the VM two nic's of its own so the cable comes in, and out through those nics then comes back in via a switch to the third nic.

From what I was reading there is different types of VM's and I've only ever used vm's to just test out os's and software...

http://en.wikipedia.org/wiki/Comparison_of_virtual_machines

thats a neat link, but I'm still lost on the type of vm to use that will provide the best security.

[bigpaws]

You need to do alot more reading and understand the structure
of how a vm works. All the hardware is emulated. There is at this
point no way of removing the routing from the host to the vm. You
are trying a reverse routing scheme.

I am not saying it is not possible however there will always be
packets going from the host to the vm, there is no way to seperate
them that has been worked out. Therefore  security is reduced.

It maybe that since a firewall vm is used for testing, it is but in a
virtual network.

Here is a visualization (actual):

Internet <---> Nic1<--->HostOS <---> VM <----> Nic2 (Internal Network)

Your thoughts:

Internet <---> Nic1 <---> VM <---> Nic2 (Internal Network) <---> Host OS (Nic3)

HTH

Bigpaws

[nightflier]

Wow. Jduped, you sure are not afraid of taking on challenges 

I have never done virtualization, but see the problems that bigpaws points out when running a vm on a host OS.

From what I understand, solutions like type 1 hypervisor (hardware virtualization?) operate below both OS's. Maybe that would be worth researching.

[jduped]

I am a gluten for pain, thats no lie...

Being that there is many different types of virtualization, some running in parallel to the guest o/s wouldn't it be possible to set it up so that a section of resources are blocked off and run at a lower point so that the guest o/s isn't touched what so ever, short of resource sharing?

I was reading on this great how-to website. "Instructables"

http://www.instructables.com/id/How-To--Run-an-IPCop-Virtual-Machine-to-Protect-y/

Thats the exact link that spawned the idea...now in the way this guy is doing it, hes making more a layer 6 firewall then what I'm really looking to make is a layer 3 firewall but I really liked the idea of having it on a vm, thus saving having a second computer when this box is more then capable of doing the routing.

and my thoughts are exactly how you have it put down bigpaws.

I know I could just use my current os on the box to make a firewall, I just thought adding the vm layer would be better security and if some one was able to hack the vm box they'd also be dropping the network and there path to my machines at the same time. A secondary box is available, plus being that I'm running cent os I could lock it down and add the needed modules to make it route...I'm just thinking if vm is possible then I don't have to tweak much out just use a distro intended for security and route through it.

[bigpaws]

Being that there is many different types of virtualization, some running in parallel to the guest o/s wouldn't it be possible to set it up so that a section of resources are blocked off and run at a lower point so that the guest o/s isn't touched what so ever, short of resource sharing?

None of the virtualization methods that I have researched do this. Think about it
if that were true then there would not be a need for a "HostOS". As well as having
full 3D performance (QEMU has some of that code written as well as VMware). That
you could also total take down the NIC and everything else would work at the VM.

The mention that the HostOS is not touched is not really correct, the
method is using a loop back device.  Then that is used to then loop
into the real NIC. As I hope you can see the device is being used by the
HostOS in both directions.

Second since there is a HostOS then you have the inherent security problems
with also the security problems with virtualization.

Bigpaws

[jduped]

I see what your saying it was just one of those simplified ideas on top of what I was planning.  Because of the way it does it it would at best be a layer 6 firewall which is vulnerable, probably more so if intended to operate at layer 3.

Being that I am running a linux box I could set up some iptables, the idea is so I can have a safe segregated section of the lan for my boxes and data services.

Good enough. 

Thanks Big paws