Old 11-07-2009, 11:00 PM   #1
Jim Bengtson
Member
 
Registered: Feb 2009
Location: Iowa
Distribution: Ubuntu 9.10
Posts: 164

Rep: Reputation: 38
Question Can You Bind Virtualized Server to a Specific NIC?


I'm playing around with ideas, and the thought occurred to me that a virtual server is more secure than a non-virtual server, if for no other reason than it's running within a controlled space and can't affect anything outside of that space. Now if you could bind a virtualized server (say an email or FTP server) to a specific NIC, and have multiple NICs on the physical server, you could have a firewall (iptables) running on the hosting server (outside the control of the virtualized server) and controlling who could connect to that NIC, and who that NIC could connect to.

Seems to me that virtualized server would be more secure than if it were running on its own physical server. And if your hardware supports it, you could have another virtualized server running on the same physical server, bound to its own NIC, and thus have two more-secure servers running more economically and more safely than you could if they were all running on their own physical servers.

Am I on to something? Can you run two virtualized servers on one physical host, and bind each virtualized server to its own NIC?
 
Old 11-08-2009, 02:01 AM   #2
chiragrk
Member
 
Registered: Nov 2009
Location: India
Distribution: Xandros, Ubuntu
Posts: 74

Rep: Reputation: 16
I'm not sure if I fully understand your question here. Are you asking if you can run 2 different guest OS and bind them to 2 different NICs (this is definitely possible)?
IMHO, the term virtualized server is used loosely in your post. Are you trying to use an OS or application in a virtualized environment?
 
Old 11-08-2009, 03:42 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,987
Blog Entries: 54

Rep: Reputation: 2742
Quote:
Originally Posted by Jim Bengtson
the thought occurred to me that a virtual server is more secure than a non-virtual server, if for no other reason than it's running within a controlled space and can't affect anything outside of that space.
The pivotal keyword here is "if". Depending on what you run and how you run it there may be ways to break out of the guest. Even if there aren't any, your virtualization product of choice may be affected by other issues, so it's always good to keep up to date and check regularly (http://cve.mitre.org/cgi-bin/cvekey....ord=virtualbox, http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=qemu, http://cve.mitre.org/cgi-bin/cvekey....word=virtuozzo, http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=vmware). I vaguely remember at least three times killing my VMWare Server host by doing some VM guest ops...


Quote:
Originally Posted by Jim Bengtson
if you could bind a virtualized server (..) to a specific NIC, and have multiple NICs on the physical server, you could have a firewall (iptables) running on the hosting server (outside the control of the virtualized server) and controlling who could connect to that NIC, and who that NIC could connect to.
NICs, as in MAC/address pairing, are only interesting from a LAN point of view, as in OSI layer 2. Between networks it will just be OSI layer 3 and up. For example, if you use a VMWare Guest in bridge mode it will already present itself as any other client on the LAN with a unique MAC address, so that basically takes care of isolation. One of the network best practices is to divide a LAN in segments and assign a range as DMZ in which servers may have more restrictions. Since for virtualization it doesn't matter which client performs what task, for testing and educational purposes, or if you don't already have or want to use a GNU/Linux router with three physical interfaces, how about setting up one VM guest as router (have a look at Vyatta community edition?) and let it take care of DMZ DHCP'ing and routing for other VM guests?.. A more convoluted approach, again using VMWare, could be to bind all VM guests to vmnet1, 3 or 8, then make the host route traffic between networks. In short, most things you can think of are possible (and not that I'm a virtualization or otherwise guru), but I wonder what you would gain from two physical NICs in terms of routing and security. Maybe in terms of performance if you have TOE NICs.
 
Old 11-09-2009, 07:56 AM   #4
onebuck
Moderator
 
Registered: Jan 2005
Location: Midwest USA, Central Illinois
Distribution: Slackware®
Posts: 11,042
Blog Entries: 1

Rep: Reputation: 1369
Hi,

Quote:
Originally Posted by Jim Bengtson
I'm playing around with ideas, and the thought occurred to me that a virtual server is more secure than a non-virtual server, if for no other reason than it's running within a controlled space and can't affect anything outside of that space.
Not really! The idea of a virtualized server being secure because of containment within a controlled space (container) is correct as long as there are no communication layers to the outside world. Since this is a server then you would want to have a means to service, but to who? If the server is contained and working only in the immediate environment then no problem. If you are going to have an independent means of communication via isolation methods then yes, the 'VM-Client Server' will be secure. I believe that you are confusing the isolation(s) created by the host-client relationship.

Quote:
Originally Posted by Jim Bengtson
Now if you could bind a virtualized server (say an email or FTP server) to a specific NIC, and have multiple NICs on the physical server, you could have a firewall (iptables) running on the hosting server (outside the control of the virtualized server) and controlling who could connect to that NIC, and who that NIC could connect to.

Seems to me that virtualized server would be more secure than if it were running on it's own physical server. And if you hardware supports it, you could have another virtualized server running on the same physical server, bound to it's own NIC, and thus have two more-secure servers running more economically and more safely than you could if they were all running on their own physical servers.
No, you are using the facility of the Host. Sure, the independent hardware could be set up for each server, but why? That's why you are using the VM to begin with: utilization of existing hardware without duplication between many clients. The idea behind VM is the ability to have many clients sharing existing hardware on the host, thus not needing independent hardware systems to do the same.

As for your;
Quote:
Originally Posted by Jim Bengtson
Am I on to something? Can you run two virtualized servers on one physical host, and bind each virtualized server to it's own NIC?
Yes, you can run more than one client on a host. The actual usage will depend on the resources of the host.

 
Old 11-10-2009, 09:50 AM   #5
Jim Bengtson
Member
 
Registered: Feb 2009
Location: Iowa
Distribution: Ubuntu 9.10
Posts: 164

Original Poster
Rep: Reputation: 38
Question

Here's the story: I'm mentoring a group of high school students who have formed an IT club. Every year they compete in a cyberdefense competition at a nearby university: http://www.it-adventures.org/itolympics.html

Every year the rules of the contest change...here's last year's scenario.


Quote:
You are in charge of installing a new CDC site. As such, your team has been assigned the task of designing a secure network that will hold up to attack and keep client information secure. You must maintain servers for the advertised services (more detail below), and be able to guarantee the security of the data. There are many issues to be addressed, as flexibility and usability are of the utmost importance, but the security of client data cannot be sacrificed in the process. Protected data may reside on any of the servers, as clients can log into any of the advertised services. Your DNS will be handled by CDC corporate. As such, you must use the IP addresses assigned for each service, shown below.

You will be given a list of user names and passwords that must be implemented on every advertised service. You cannot change these passwords.

The network must provide the following services:
Web Server (siteN.cdc.com - X.X.X.50)
Mail Server (mail.siteN.cdc.com - X.X.X.100)
Remote Desktop Server (rdp.siteN.cdc.com - X.X.X.150)
Firewall (optional)

In training for this year's contest (the rules of which have yet to be published), I'm having the kids rebuild the network from last year's contest, and having them address the issues we missed last year. Here's our network from last year:

Code:
                    ((internet))
                         |
                 [firewall: pfSense]
                         |
                     <router>
     +-------------------+--------------------+
     |                   |                    |
[web server: Apache]     |       [remote desktop server]
                         |
                   [email server]
This never got off the ground because we didn't understand how to configure pfSense (what documentation existed really sucked), and ended up blocking all traffic. We never got hacked, but our users were never able to connect to our services.

This year we're going to try Vyatta as our firewall, primarily because it has a lot of very well-written documentation and because it's based on Debian. Our servers will be Ubuntu 8.04 or 9.10 (depending on what security holes become fixed or known between now and contest time), so the kids will be familiar with the OS on all the servers in the network.

In addition, I'm thinking of rearranging the network by making the web server a bastion host AND an internal firewall. I figure the web server will have the most security holes anyways, and is most likely to get hacked, but it might be able to protect the servers behind it.

(Side note: last year the contest organizers gave everyone a virtualized web server, complete with content...and no one understood how to manage it or what to do with it. We just used their install program and made sure the server didn't get unplugged. Naturally, every team missed the PHP file upload control they had embedded on one of the pages they gave us. This year we're going to use SELinux or AppArmor to isolate the web server from the OS, and hopefully mitigate the damage they can do if they try this kind of trick again.)

I'll also have iptables configured on each server, and SELinux or AppArmor running to wall off the applications on those servers:

Code:
                  ((internet))
                       |
              [firewall: Vyatta]
                       |
       [web server: Apache or Hiawatha]
   [2 NICs: one to firewall, 1 to other servers]
                       |
                    <router>
           +-----------+--------+
           |                    |
    [email server]     [remote desktop server]
We're limited to four computers; I was toying with the idea of using virtualization to combine the web server and email server on one physical machine, and setting up the free box as a command center bastion, like so:

Code:
                  ((internet))
                       |
              [firewall: Vyatta]
                       |
          [Command Bastion: Ubuntu Desktop]
      [intrusion detection tools, common log, etc]
    [2 NICs: one to firewall, 1 to other servers]
                       |
                    <router>
           +-----------+-------------+
           |                         |
    [virtualized host]      [remote desktop server]
      |         |        
      | (web server: Apache or Hiawatha)
    (email server)
We're supporting less than a dozen users, so the hardware should be up to the load. The command bastion will be an internal firewall and will monitor all traffic on the few ports we allow in past the Vyatta firewall. If I can figure out how to enable tarpits in netfilter, then I'd use it to slow down the red team (their first port scan would take them longer than the competition to complete).

I was thinking to use separate NICs on the virtual host so that each virtualized service would have its own NIC, its own IP address (as required by the rules), and its own iptables configuration.

Would virtualization help me in this regard? Is this plan feasible, or am I missing something?
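The host-side version of the per-NIC idea asked about above, as an added example that is not code from the thread or any of its posters: one Linux bridge per guest, each enslaving a single physical NIC, with the host's own netfilter FORWARD chain (outside the guest's control) deciding which ports may reach or leave each guest. It assumes a Linux host with iproute2, iptables with the physdev match and br_netfilter, and guests attached through tap devices; the guest names, interface names and port lists are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). One Linux bridge per guest, each
# enslaving exactly one physical NIC, so every guest is "bound" to its own
# NIC while the host's FORWARD chain, outside the guest's control, decides
# which ports may cross in or out. Interface, guest and port names are
# assumptions for illustration; host management stays on unbridged eth0.
# Usage:  sh bind-nics.sh         print the commands (dry run)
#         sh bind-nics.sh apply   execute them (root; iproute2, iptables, br_netfilter)

MODE=${1:-dry-run}

# guest   physical NIC   tap device   inbound TCP   outbound TCP   (assumed values)
GUESTS='web  eth1 tap-web  80,443 80,443
mail eth2 tap-mail 25,143 25,53'

# Echo every command; only execute it when asked to apply.
run() {
    echo "$*"
    if [ "$MODE" = apply ]; then "$@"; fi
}

# Plumb a bridge that carries one physical NIC and one guest tap, nothing else.
build_bridge() {
    g=$1 nic=$2 tap=$3
    run ip link add name "br-$g" type bridge
    run ip tuntap add dev "$tap" mode tap
    run ip link set "$nic" master "br-$g"
    run ip link set "$tap" master "br-$g"
    run ip link set "$nic" up
    run ip link set "$tap" up
    run ip link set "br-$g" up
}

# Host-wide defaults: make bridged frames visit iptables, drop by default,
# let reply traffic of accepted connections through.
base_rules() {
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Per-guest policy: listed ports may enter from the NIC, listed ports may
# leave towards it, every other new connection from the guest is logged
# (and then dropped by the policy). Nothing can hop to another guest's
# bridge because no ACCEPT rule matches a tap-to-tap path.
guest_rules() {
    g=$1 nic=$2 tap=$3 inports=$4 outports=$5
    run iptables -A FORWARD -m physdev --physdev-is-bridged \
        --physdev-in "$nic" --physdev-out "$tap" \
        -p tcp -m multiport --dports "$inports" -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A FORWARD -m physdev --physdev-is-bridged \
        --physdev-in "$tap" --physdev-out "$nic" \
        -p tcp -m multiport --dports "$outports" -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A FORWARD -m physdev --physdev-in "$tap" \
        -m conntrack --ctstate NEW -j LOG --log-prefix "vm-$g-blocked: "
}

main() {
    base_rules
    echo "$GUESTS" | while read -r g_name g_nic g_tap g_in g_out; do
        [ -n "$g_name" ] || continue
        build_bridge "$g_name" "$g_nic" "$g_tap"
        guest_rules "$g_name" "$g_nic" "$g_tap" "$g_in" "$g_out"
    done
}

main
```

Run without arguments it only prints the commands, so the generated rule set can be reviewed before `apply` executes it as root; the LOG rule is what the monitoring host would watch for guest-originated connections the policy refused.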
 
Old 11-10-2009, 01:04 PM   #6
onebuck
Moderator
 
Registered: Jan 2005
Location: Midwest USA, Central Illinois
Distribution: Slackware®
Posts: 11,042
Blog Entries: 1

Rep: Reputation: 1369
Hi,

You should look at the definition of a 'mentor'. I'm not being smart here either. I've mentored a lot in the past when I was still at the University. Let the 'a group of high school students who have formed an IT club' develop a scenario then advise. That way you can 'mentor' not take the reins, nor hand holding.

If indeed this is an educational competition then I'm sure there are control limitations/policies that restrict direct control by a non-student. Thus having a fair competition. It's great to win but do it by following good ethical and moral actions;

Quote:
excerpt from 'mentor';

To serve as a trusted counselor or teacher to (another person).
Competition is great but you do need the students to be the ones that are directly involved, therefore they will learn from the experience whether they win or not. Just my

 
Old 11-10-2009, 01:22 PM   #7
Jim Bengtson
Member
 
Registered: Feb 2009
Location: Iowa
Distribution: Ubuntu 9.10
Posts: 164

Original Poster
Rep: Reputation: 38
Quote:
You should look at the definition of a 'mentor'.
I know...it's a narrow path. But as I said:

Quote:
In training for this year's contest (the rules of which have yet to be published), I'm having the kids rebuild the network from last year's contest, and having them address the issues we missed last year.
This is an exercise based on what they did last year...to learn what they did wrong and see how they might have done it differently. It's called "teaching", which falls under the definition of "mentor" you posted. They have to learn how to build their own network in response to the rules and scenario for this year's contest, which has yet to be posted.

But I want to make sure I teach them right, which is why I've posted two different scenarios here and asked for advice. I don't want to tell them how to do it, especially if I'm telling them wrong.

I want them to learn to look at the challenges and possibilities and choose the best options for themselves. But first I have to teach them what the options are, and why certain choices make sense in one scenario and not in another. So I'll show them how to build a network that answers last year's scenario, so they can learn. Then when this year's scenario is posted I can ask them how they want to build the network, and advise them where necessary ("did you consider this possibility?" "how will you configure the firewall on that server?" etc.)

To that end, are the scenarios I posted workable? Am I teaching them soundly, or leading them down the wrong path?
 
Old 11-10-2009, 01:37 PM   #8
Jim Bengtson
Member
 
Registered: Feb 2009
Location: Iowa
Distribution: Ubuntu 9.10
Posts: 164

Original Poster
Rep: Reputation: 38
Smile

One more thing...this network exercise is only part of what I'm teaching them, and it's the part they won't get to for some weeks yet. First I'm teaching them to love (or at least tolerate) the CLI, and how to use the tools they'll need to use to manage a Linux/UNIX server.

The school received a donation of some old IBM Thinkpad laptops from a local business...most were stickered for Windows 2000...and gave them to the club. We took them, wiped the hard drives, and installed Ubuntu Server 8.04 LTS on them (no applications, i.e. Apache...just the plain-vanilla server). I assigned one to each of the kids on the cyberdefense team, and then I assigned them some homework. Here's the first assignment:

Quote:
SETUP
The first thing you'll need to do is set up a place to study. Some of the homework I'm going to assign will be online; some will be PDF documents you can print out or view. Either way, you won't be able to use the server PC to view this homework because the Linux Server does not have a GUI interface. So the best place to set up is next to a computer that does have a GUI interface and an internet connection (NOTE: some of the time the Linux server PC will need to be able to connect to the internet, but most of the time it will not).

Set the Linux Server PC up next to your "GUI" computer, and you can read the PDF (or online content) as you type the commands on the laptop.
==================================================

ASSIGNMENT #1: BASH and VIM
BASH is the "shell" program that you use to type commands to Linux. There are many such "shells", but the one that is standard with Ubuntu Server 8.04 is BASH ("Bourne Again Shell"). You need to get comfortable with it. This link[1] is to an IBM developerWorks tutorial on basic Linux commands; just follow along on your Ubuntu server.

Most of the management of Linux is through text files. You have configuration files (often named something like "somefile.conf", where ".conf" means "configuration"). These give programs some of their basic information, such as where their home directory is, where to store data, etc. Other files are "batch" files...essentially lists of commands that are executed in sequence just as if you had typed them at the command line. Both of these types of files need a text editor to write or modify them, and that's where VIM comes in.

VIM is an enhanced version of VI, the text editor that can be found on virtually every Unix-type system. The attached PDF file[2] will teach you how to use VIM. Follow the tutorial using your Ubuntu server. Don't forget that Ubuntu Server has you as a regular user, not ROOT; you may need to use "SUDO" to make some commands work. There have been many times I've made changes to a text file only to find that I don't have authority to save those changes, and then have to use "sudo vim myfile" to re-open the file using root's authority, and re-enter my edits. Please don't try to work around this by using su; you need to be comfortable with the enhanced security sudo provides us. Also, one of the tasks asks you to insert a file into the file you have open with the command ":r .bash_profile"... ".bash_profile" refers to a text file that was on the author's computer, and will most likely not be on yours. Replace ".bash_profile" with the name of a file you know already exists on your computer.

RESOURCES
[1] "Learn Linux, 101: The Linux command line"
[2] "Vim Hands-On Tutorial"
The kids finished this lesson the first week, and now are working on the second lesson:

Quote:
Homework Assignment #2: Where Did I Put That File?

The Linux server is really just a big collection of files. You need to understand how those files are organized, and the significance of a file's location. These PDF documents might help:

* "Devices, Linux filesystems, and the Filesystem Hierarchy Standard"

"Learn Linux, 101: File and directory management"

"Quick and Dirty Guide to Linux File Permissions"

and

* "Filesystem"
[*] Registration required
Believe me, I'm not interested in telling them what to do...I'd much rather teach them how to do it, and then step aside and let them make me proud.
 
Old 11-10-2009, 02:02 PM   #9
onebuck
Moderator
 
Registered: Jan 2005
Location: Midwest USA, Central Illinois
Distribution: Slackware®
Posts: 11,042
Blog Entries: 1

Rep: Reputation: 1369
Hi,

Yes, I did take that into consideration when I posted. Sorry if I offended you, but to teach does not always mean to hold their hand nor dictate when/what at this level. Sure it's hard not to, but it is better to let them stumble then aid when asked. Rescuing doesn't always lead to the answer either.

I would not setup scenarios, let them do the configurations then steer when necessary. There's bound to be a leader in the team somewhere. You will never know until they are allowed to grow via the failure(s).

It's great to use the old competition as a basis but let that lead them then step in. I've seen this situation too many times in the past with student projects; University competitions can be very trying on both the mentor and student teams. I've had several team leaders that I would not have expected to lead. Average grades, quiet and more of an introvert, but when the sessions began things started to kick in for some. While others just went with the flow, some of which I had expected to be leaders never evolved.

Lesson plans for projects are too restrictive.

Teaching them right is to know when to teach. You can prepare all the scenarios you want, but if the students don't understand or have other visions then no one will ever know if they just continue to follow your scenario. Yes, providing some insight is wise, but let that lead to something else that you may expand when/if necessary.

Stumble, stumble and then help them to learn not to stumble. Not that they are still stumbling but that if they would just walk to the left then possibly they may just stumble differently but it's their stumble. I know you may think my example is absurd but it does have a point.

Parents/teachers can teach all they want to a toddler about walking. But until that toddler actually takes that first step, and then when the same toddler takes another step on its own, it will have learned to walk.

If indeed you want the students to learn from the experience then you would be doing them justice by letting their visions develop then proceed from there. Sure, enlighten but let them paint their own picture not yours by the numbers. Exposure is one thing but to follow a recipe is to cook the same thing over and over.

 
Old 11-10-2009, 02:15 PM   #10
Jim Bengtson
Member
 
Registered: Feb 2009
Location: Iowa
Distribution: Ubuntu 9.10
Posts: 164

Original Poster
Rep: Reputation: 38
Quote:
If indeed you want the students to learn from the experience then you would be doing them justice by letting their visions develop then proceed from there. Sure, enlighten but let them paint their own picture not yours by the numbers. Exposure is one thing but to follow a recipe is to cook the same thing over and over.
I hear ya!
 
  

