Virtual Machine Isolation

Anteaus

I have a scenario which I would like advice on and I would be grateful to anyone who offers some.

I am currently running Windows 10 Pro as a headless file server at home. I want to install a Linux VM which will operate as a game server, therefore it will be exposed to the internet via DMZ. I have a second NIC that I plan to use with it.

The VM will be completely contained and does not require access to the underlying host OS file structure.

What are my immediate security concerns with this setup? I realize that a trained hacker can always gain access, but are there basic steps I can take to prevent casual attention?

My single worry is that once any part of the machine is exposed to the DMZ it may compromise the entire machine.

Thanks in advance.
 

yinan

You really shouldn't use a DMZ, you should only open up the required ports.

Your concern is valid, but it is really hard to escape the isolation of a virtual machine. If you want even more security, consider running the free version of ESXi.
 

Anteaus

Forgive my lack of knowledge on firewalls... you're saying I could just forward the necessary ports and it would work the same? Or do you mean I should just do what I plan, with the exception that I should use port forwarding instead of using DMZ?

Thanks.
 

Red Squirrel

Set up vlans, and put the VM on a separate vlan. You can then set up rules for inter-vlan routing should the VM need access to anything on the network or vice versa, but by default you want to block everything. That means if the game server is compromised, they cannot escape that vlan. I have several vlans on my network for this purpose; it helps segregate stuff should something get compromised. My wifi is on a separate vlan, and I have a separate ssid for guests that is on its own vlan as well. I also have an "internet facing" vlan, which is where anything that faces the internet (game server etc) is put on. Each VM is treated as if it was directly facing the internet (full firewall, brute force protection etc) and then I forward the ports required. That vlan has zero access to the rest of the network and minimal internet access.
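
The layout described in the post above (default-deny between VLANs, a single forwarded port instead of a DMZ host, minimal egress from the internet-facing VLAN), written out as an added example that is not from any poster in this thread. It assumes a Linux router using nftables; the interface names, the VM address and the game port are placeholders.

```nft
# Constructed example: router ruleset for an isolated internet-facing VLAN.
# Interface names, the address and the port below are assumptions.
flush ruleset

define WAN      = "wan0"       # uplink to the ISP
define LAN      = "lan0"       # trusted network (file server, desktops)
define DMZ_VLAN = "vlan30"     # internet-facing VLAN holding the game server VM
define GAME_VM  = 10.0.30.10   # constructed address of the VM
define GAME_UDP = 27015        # placeholder; substitute the game's real port

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iifname "lo" accept
        # The trusted LAN may manage the router; the game VLAN only gets DNS/DHCP.
        iifname $LAN tcp dport 22 accept
        iifname $LAN udp dport { 53, 67 } accept
        iifname $DMZ_VLAN udp dport { 53, 67 } accept
        iifname $DMZ_VLAN log prefix "dmz->router drop: " counter drop
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # Trusted LAN: internet access, and may reach the VM to administer it.
        iifname $LAN oifname $WAN accept
        iifname $LAN oifname $DMZ_VLAN accept
        # Internet -> VM: only the forwarded game port, nothing else.
        iifname $WAN oifname $DMZ_VLAN ip daddr $GAME_VM udp dport $GAME_UDP accept
        # VM -> internet: minimal egress (package updates over HTTP/HTTPS).
        iifname $DMZ_VLAN oifname $WAN tcp dport { 80, 443 } accept
        # VM -> LAN: never initiated; logged so an attempt is visible.
        iifname $DMZ_VLAN oifname $LAN log prefix "dmz->lan drop: " counter drop
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iifname $WAN udp dport $GAME_UDP dnat to $GAME_VM
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $WAN masquerade
    }
}
```

The file can be syntax-checked without loading it using `nft -c -f <file>`; the two `log` rules are where a compromised game server trying to reach the router or the LAN would show up.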
 

Anteaus

Thanks for the info. I did pretty much what you suggested. I created a Hyper-V VM with Ubuntu Server with a dedicated NIC and locked it down except for the necessary ports.

Now I just need to figure out how to get MySQL 5.6 installed. The official Ubuntu repository only contains 5.7 and higher.
 