Hello, I am new to virtual machines and networking.
I was wondering if I can mirror a physical topology whereby servers (virtual servers) are running in a virtual network separated from the green network via a firewall, thus creating a virtual DMZ. The servers in the virtual DMZ need to talk to each other as they offer public services such as web, DNS, etc. My host computer is a single quad core 64-bit Vista machine maxed out with memory and needs to be protected from traffic entering the virtual DMZ. I was wondering what VirtualBox uses to make the firewall... the NAT engine? If so, is that fully programmable to accept forwarded outside traffic coming in on my host on all ports (or selected ports) to go to a single IP that represents my virtual DMZ firewall? I see the host-only adapter that popped up when I installed VirtualBox; is it possible to manually configure this to be a gateway for all incoming traffic on all ports on my Windows firewall?
Creating a Virtual DMZ...Is it possible?
Re: Creating a Virtual DMZ...Is it possible?
Simple: create a VM to function as a firewall/DMZ/proxy/router, assign it 2 network adapters (bridged and internal), use them both to bridge over the links, and attach other VMs to your internal LAN.
[This space is intentionally left blank]
If you can read this, you can read the VirtualBox Manual, the Forum FAQ, and the QuickClick FAQ
-=[ Search this forum with Keywords, VirtualBox solutions at your fingertips ]=-
-
BillG
- Volunteer
- Posts: 5106
- Joined: 19. Sep 2009, 04:44
- Primary OS: MS Windows 10
- VBox Version: VirtualBox+Oracle ExtPack
- Guest OSses: Windows 10,7 and earlier
- Location: Sydney, Australia
Re: Creating a Virtual DMZ...Is it possible?
Just about any firewall strategy can be duplicated with virtual machines/networks. For simple traffic separation you can use a NAT router. For something more advanced you would run third party firewall software in the vm. If you want a genuine DMZ you need to run back to back firewalls - you would have a firewall between the public and DMZ network and another between the DMZ and the private internal network.
Bill
-
vebnetman
- Posts: 2
- Joined: 19. Oct 2010, 18:55
- Primary OS: MS Windows Vista
- VBox Version: VirtualBox+Oracle ExtPack
- Guest OSses: Windows Server 2008
Re: Creating a Virtual DMZ...Is it possible?
Thanks for starting points. I really appreciate it. I am going to look into running a small linux footprint as my software firewall. thanks again. If anyone has any ideas of a linux box setup that has a small footprint and can be used as a firewall please let me know.
-
SimoneGianni
- Posts: 9
- Joined: 22. Oct 2010, 03:37
- Primary OS: Mac OS X other
- VBox Version: OSE other
- Guest OSses: Ubuntu, WinXP
Re: Creating a Virtual DMZ...Is it possible?
I'm experimenting with pfSense. I want to create an "internal network" as you said, but I also find the VirtualBox networking infrastructure a bit frustrating.
I need all the VMs to communicate with each other, on static IPs, then I need all of them to connect to the "internet" (be it the real internet or my office LAN or whatever), some of them eventually to accept incoming connections, and all of them to communicate with the host.
In my idea, this was a single "VAN" (Virtual Area Network, I just invented the name), comprising all VMs and the host, with VirtualBox doing a decent NAT. Unfortunately, this seems not to be an option, so I ended up configuring 3 interfaces per VM (one internal, one host-only, one NATed or bridged). VirtualBox NAT works, but lacks the features of a real firewalling solution: it does not have a GUI for configuring inbound NAT or DHCP rules, for example, and does not do DNS proxying, so no internal names (hence the need for static IPs), etc.
Also, I'm experiencing random disconnections on NAT interfaces, both from Windows and Linux hosts, requiring a network restart.
So now I'm trying with pfSense connected to host-only, bridged and internal, and all other machines on internal routed via pfSense. I know this will work; I don't know if it will be slow or have any other problems, but I will let you know.
-
BillG
- Volunteer
- Posts: 5106
- Joined: 19. Sep 2009, 04:44
- Primary OS: MS Windows 10
- VBox Version: VirtualBox+Oracle ExtPack
- Guest OSses: Windows 10,7 and earlier
- Location: Sydney, Australia
Re: Creating a Virtual DMZ...Is it possible?
I would use an internal network for the private LAN and give the firewall VM two NICs: one in the internal network and one bridged to the physical network. Leave the host out of it altogether. The internal network sees the physical network only through the firewall VM. If you want DHCP in the private LAN, run it in the firewall VM.
If you really want the guests to communicate with the host (and I don't recommend it), do it through the host's connection to the physical network (i.e. regard the host as just another machine on the physical LAN).
Planning virtual networks is clearer if you regard the host as just a "black box" which powers your virtual machines and networks, and leave it out of the network design.
Bill
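The two-NIC layout Bill describes, expressed as VBoxManage commands. This is an added example, not code from the thread or from the VirtualBox project; the VM names (fw-vm, web-vm, dns-vm), the host bridge adapter name (eth0) and the internal network name (dmz) are assumptions. By default the script only echoes the commands so they can be reviewed; set VBOXMANAGE to the real binary to apply them.

```shell
#!/bin/sh
# Added example (not from the thread): lays out BillG's topology with VBoxManage.
#
#   physical LAN --(nic1, bridged)--> [fw-vm] --(nic2, intnet "dmz")--> web-vm, dns-vm
#
# VM names, bridge adapter and internal network name are assumptions.
# Dry-run by default: commands are echoed, not executed.
VBOXMANAGE="${VBOXMANAGE:-echo VBoxManage}"
BRIDGE_IF="${BRIDGE_IF:-eth0}"   # assumption: host NIC carrying the public side
INTNET="${INTNET:-dmz}"          # assumption: VirtualBox internal network name

# Firewall VM: nic1 bridged to the physical NIC, nic2 on the internal network.
# Promiscuous mode is denied on the bridged side; the firewall needs only its own frames.
configure_firewall_vm() {
    vm="$1"
    $VBOXMANAGE modifyvm "$vm" --nic1 bridged --bridgeadapter1 "$BRIDGE_IF" --nicpromisc1 deny
    $VBOXMANAGE modifyvm "$vm" --nic2 intnet --intnet2 "$INTNET"
    # Disable the remaining adapters so the firewall cannot be bypassed via a stray NIC.
    $VBOXMANAGE modifyvm "$vm" --nic3 none --nic4 none
}

# DMZ servers: a single adapter on the internal network and nothing else,
# so their only path to the physical LAN is through the firewall VM.
configure_dmz_vm() {
    vm="$1"
    $VBOXMANAGE modifyvm "$vm" --nic1 intnet --intnet1 "$INTNET"
    $VBOXMANAGE modifyvm "$vm" --nic2 none --nic3 none --nic4 none
}

# Print the adapter-related settings of a VM so the result can be audited
# before it is powered on (only meaningful with the real VBoxManage).
show_nics() {
    $VBOXMANAGE showvminfo "$1" --machinereadable | grep -E '^(nic|intnet|bridgeadapter)[0-9]='
}

main() {
    configure_firewall_vm fw-vm
    for vm in web-vm dns-vm; do
        configure_dmz_vm "$vm"
    done
}

if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as `sh dmz-topology.sh --run` to see the commands; with `VBOXMANAGE=VBoxManage` they are applied. The DMZ guests get no NAT, host-only or bridged adapter at all, which is what keeps the host out of the path, as Bill recommends.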
-
SimoneGianni
- Posts: 9
- Joined: 22. Oct 2010, 03:37
- Primary OS: Mac OS X other
- VBox Version: OSE other
- Guest OSses: Ubuntu, WinXP
Re: Creating a Virtual DMZ...Is it possible?
pfSense is correctly running under VirtualBox, in a VM configured for FreeBSD, with default settings (only 128 MB of RAM, 2 GB of HD, nothing else changed), and 4 NICs on it. I have not installed Guest Additions on the pfSense VM; FreeBSD additions are not packaged into the default Guest Additions CD, I'm not that skilled in FreeBSD administration, and I'm not that concerned with performance right now... it works quite well even without Guest Additions.
The short story ends here; for full details...
I'm using VirtualBox under OS X for development, and I'm often not in my office, so I have some needs:
- I need to have VMs communicate with each other, because in some I have development tools, in some I have deployed applications, in others I have different versions of databases or other servers to test integration on.
- I need to communicate from the host to some VMs; when I develop a webapp I want to see it using the OS X browser.
- I need VMs to connect to the "internet" (that is, outside the host, not necessarily all the internet), eventually over VPNs or a cell phone connection or similar, which excludes using only bridged NICs because they bridge on a single interface.
- From time to time, I need to have colleagues or clients connect to a process running inside a VM.
This is nothing more and nothing less than I could obtain if the processes were running on the host directly, but it's quite difficult to obtain for processes running in VirtualBox other than by using a lot of command line utilities (or, if a simpler way exists, I have no idea how to do it).
In my previous setup, each VM had one NIC for the internal network, one for host communication, one for internet access. The internet access one was by default in NAT mode, but when I needed someone else to access the VM from outside I had to reconfigure it to bridged, as long as the network I was connected to was willing to give me another IP address. Moreover, from time to time, Ubuntu (10.04, 64-bit) machines lose their internet connection, apparently without any reason, needing a restart of the networking system.
Also, the VirtualBox network system does not offer an internal DNS system (so a lot of static addresses here and there), and its NAT system does not replace the DNS with an internal one, so every time my internet connection changed I had to restart networking on all virtual machines.
Now, with a pfSense VM, each other VM only needs an internal network NIC to communicate with pfSense. There I have a web interface to configure everything, from VM IP configuration and internal DNS resolution to inbound connections. Moreover, it does not expose entire (possibly insecure) VMs to the local (possibly insecure) network, but only the hardened pfSense VM, which permits inbound connections only to the services I want.
The pfSense VM itself is complicated, with 4 NICs (one NAT for generic internet connection, one bridged for inbound connections, one to the host and one to the internal network). pfSense is explicitly designed to act as a multi-network router, so it's quite easy to configure various routing options, and it works great so far.
I'm not a VirtualBox expert, so I don't know if there are better ways to obtain the same without installing a specific firewall VM, so please comment if you know an alternative.
-
BillG
- Volunteer
- Posts: 5106
- Joined: 19. Sep 2009, 04:44
- Primary OS: MS Windows 10
- VBox Version: VirtualBox+Oracle ExtPack
- Guest OSses: Windows 10,7 and earlier
- Location: Sydney, Australia
Re: Creating a Virtual DMZ...Is it possible?
That all sounds fine. My only comment was that it could be simpler by bypassing the host. Your security risks are more likely to be with the network configuration of the host than with virtual networking per se. But if the only connection of the host to the physical network is through the firewall VM, everything should be OK.
Here is the first thing to check. Does the host OS have access to the physical NIC which is bridged to the "public" side of the firewall VM? If it does, this is a potential security leak. The host OS should not have direct access to this NIC. This NIC should not have an IP in the host OS. The host's only access to a network should be its connection to the firewall. An ifconfig on the host should show only one IP.
If the VMs are on an internal network, they are fine, since their only access to the physical network is through the firewall VM.
Bill
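Bill's check, as an added example (not from the thread): parse ifconfig output on the host, confirm the NIC bridged to the firewall's public side carries no IPv4 address, and confirm the host holds exactly one non-loopback IPv4 address. The interface names and both ifconfig samples are constructed; one shows the leak Bill warns about (eth0 still addressed on the host), the other the intended state.

```shell
#!/bin/sh
# Added example (not from the thread): audit of the host's interfaces per BillG's rule.
# Interface names and sample output are constructed.

# Constructed: the bridged NIC eth0 wrongly still has an address on the host.
SAMPLE_BAD='eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
eth1      Link encap:Ethernet  HWaddr 00:11:22:33:44:66
          inet addr:10.0.0.2  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1'

# Constructed: eth0 is up for bridging but unaddressed; the host only has eth1.
SAMPLE_GOOD='eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
eth1      Link encap:Ethernet  HWaddr 00:11:22:33:44:66
          inet addr:10.0.0.2  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1'

# Count IPv4 addresses on non-loopback interfaces. Handles the "inet addr:X"
# (older Linux) and "inet X" (newer Linux, BSD, OS X) spellings; "inet6" is skipped.
count_host_ipv4() {
    printf '%s\n' "$1" | awk '
        /^[^ \t]/ { iface = $1; sub(/:.*/, "", iface) }
        /^[ \t]*inet[ \t]+(addr:)?[0-9]/ && iface !~ /^lo/ { n++ }
        END { print n + 0 }'
}

# Print "leak" if the named interface has an IPv4 address on the host, else "clean".
bridged_nic_status() {
    printf '%s\n' "$2" | awk -v want="$1" '
        /^[^ \t]/ { iface = $1; sub(/:.*/, "", iface) }
        /^[ \t]*inet[ \t]+(addr:)?[0-9]/ && iface == want { found = 1 }
        END { print (found ? "leak" : "clean") }'
}

# Returns 0 when the host matches Bill's rule, 1 otherwise.
audit_host() {
    bridged="$1"; output="$2"
    status=$(bridged_nic_status "$bridged" "$output")
    n=$(count_host_ipv4 "$output")
    if [ "$status" = "leak" ] || [ "$n" -ne 1 ]; then
        echo "FAIL: $bridged status=$status, host has $n non-loopback IPv4 address(es), expected 1"
        return 1
    fi
    echo "OK: $bridged is unaddressed and the host has a single IPv4 address"
    return 0
}

# Live usage on the host (assumed interface name):  audit_host eth0 "$(ifconfig -a)"
```

The address count matters as much as the per-NIC check: a host-only adapter or a second physical NIC with an address is a second path into the host that bypasses the firewall VM, which is exactly what Bill's "only one IP" rule is meant to catch.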
-
SimoneGianni
- Posts: 9
- Joined: 22. Oct 2010, 03:37
- Primary OS: Mac OS X other
- VBox Version: OSE other
- Guest OSses: Ubuntu, WinXP
Re: Creating a Virtual DMZ...Is it possible?
Hi BillG,
Yes, apart from the pfSense VM itself, now all other VMs have only one NIC connected to the internal network. There is obviously a bit of overhead in the VMs' connection to the outside world, but since I'm not using them as high-profile servers but as test/devel environments, it's okay.
The only thing that annoys me is that the pfSense VM always keeps 10%/12% of the CPU busy. A top inside the VM tells me these are "interrupt". Since other Linux VMs, even with the same three NICs, were not exhibiting this behavior, it probably depends on Guest Additions. On all machines that have Guest Additions installed, I used completely virtual NICs (virtio), while on the pfSense one I had to use the default Intel desktop cards because there are no Guest Additions.
If someone can confirm that the interrupt overhead is caused by sub-optimal NIC activity, installing Guest Additions on pfSense may be worth the effort to save those CPU cycles. Unfortunately pfSense does not come with a full FreeBSD distribution, so the BSD package system (that supports a BSD port of the VirtualBox Guest Additions) is not (easily) available.