[ovirt-users] ovirtmgmt network security

Istvan Buki buki.istvan at gmail.com
Mon Oct 30 07:45:22 UTC 2017


Hello,

thank you for your patience in trying to let me see the light.

Indeed I don't understand what you are explaining. Maybe if I give you more
concrete details it will help.

My internal network is 192.168.196.0
My DMZ network is 192.168.188.0

ovirt-engine is running on a centos server with IP 192.168.186.3
ovirt host is on a centos server with IP 192.168.186.4

On the host I created a VM that I want to be in the DMZ. When I created the
VM, nic 1 was automatically added and is linked to the ovirtmgmt network.
In the VM nic1 becomes eth0 and was assigned an IP address with DHCP
192.168.186.167.

After that I added a host device to that VM using passthrough. This device
is called ens7 in the VM and I gave it IP 192.186.188.4.
That device is directly connected to my physical DMZ switch and from there
to the firewall.
This part is OK.

My problem is that through eth0 my VM has access to my internal network.
Removing the device seems impossible because this is the ovirtmgmt network.
I can not change or remove the IP of my host because it would not be
reachable anymore on my internal network.

Maybe the solution is obvious but I can't see it. I'm running in circles
with this problem and it makes me crazy.

Again, thank you for your help.

Istvan


On Fri, Oct 27, 2017 at 7:22 PM, Luca 'remix_tj' Lorenzetto <
lorenzetto.luca at gmail.com> wrote:

> Sorry,
>
> But you didn't understand well what I've said.
>
> If your host has no ip addresses on that network, you're not encountering
> any risk because you've no access to that network at layer 3.
>
> Removing ovirtmgmt is not possible, that network is mandatory.
>
> Luca
>
>
> On 27 Oct 2017 1:36 PM, "Istvan Buki" <buki.istvan at gmail.com> wrote:
>
> Hello,
>
> I totally agree on the first part: IP set only on the VM.
>
> For the ovirtmgmt access, if I understand correctly, I have to choose
> between security and ease of management of my VM but I can not have both.
>
> Istvan
>
>
> On 26 Oct 2017 6:41 PM, "Luca 'remix_tj' Lorenzetto" <
> lorenzetto.luca at gmail.com> wrote:
>
> Hello,
>
> On the DMZ network you don't need any address configured on the host.
>
> You set the IP address only on the VM. If the VM gets compromised, its access
> is limited only to the DMZ network.
>
> There is no way for the attacker to gain access to ovirtmgmt if the VM is not
> configured to use it.
>
> Luca
>
> On 26 Oct 2017 6:32 PM, "Istvan Buki" <buki.istvan at gmail.com> wrote:
>
>> Hello ovirt experts,
>>
>> I'm totally new to ovirt and trying to learn as fast as I can. So, please
>> bear with me and my possibly stupid questions.
>> Sorry if my questions have been answered already, but please point me to
>> the place where I can find the answers.
>>
>> I've setup ovirt 4.1.6 and created a first VM that I want to expose in a
>> DMZ.
>> I attached a dedicated NIC to the VM using passthrough which is connected
>> to the DMZ network. This is all working as expected.
>>
>> Now, I'm wondering what to do about the ovirtmgmt interface. Obviously, in
>> case the security of the VM is compromised and someone gets unauthorized
>> access to it I do not want the attacker to have access to my internal
>> network through the ovirtmgmt interface.
>>
>> The most secure solution would be to remove that ovirtmgmt interface but
>> then I lose management functionalities.
>> Can you suggest the possible solutions to protect the ovirtmgmt network
>> from unwanted access?
>>
>> Thanks for your answers
>>
>> Istvan
>>
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users at ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/users
>>
>>
>
>
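A defender-side check that follows from Luca's point (it is the VM's vNIC configuration, not the host's ovirtmgmt bridge, that decides whether a DMZ guest can reach the management network): this is an added example, not code from the thread or from the oVirt project. It audits which VMs have a plugged vNIC whose vNIC profile sits on the ovirtmgmt logical network. The pure check runs on constructed sample data; the optional collector assumes the ovirt-engine-sdk-python package (ovirtsdk4) and takes placeholder engine URL and credentials.

```python
"""Audit oVirt VMs for vNICs attached to the management network (ovirtmgmt)."""
from typing import Dict, List, Optional, Tuple

MGMT_NETWORK = "ovirtmgmt"

# Per VM: list of (nic_name, logical_network_name_or_None, plugged)
VmNics = Dict[str, List[Tuple[str, Optional[str], bool]]]


def find_vms_on_network(vm_nics: VmNics, network: str = MGMT_NETWORK) -> Dict[str, List[str]]:
    """Return VM name -> names of plugged vNICs on `network`.

    An unplugged vNIC is not reported: it gives the guest no layer-2 path,
    but it is still worth removing, since a plugged one is a single click away.
    """
    exposed: Dict[str, List[str]] = {}
    for vm, nics in vm_nics.items():
        hits = [name for name, net, plugged in nics if plugged and net == network]
        if hits:
            exposed[vm] = hits
    return exposed


def collect_vm_nics(url: str, username: str, password: str, ca_file: str) -> VmNics:
    """Build the same structure from a live engine (assumes ovirtsdk4 is installed)."""
    import ovirtsdk4 as sdk  # imported here so the pure check runs without the SDK

    conn = sdk.Connection(url=url, username=username, password=password, ca_file=ca_file)
    try:
        vms_service = conn.system_service().vms_service()
        result: VmNics = {}
        for vm in vms_service.list():
            nics = []
            for nic in vms_service.vm_service(vm.id).nics_service().list():
                net_name = None
                if nic.vnic_profile is not None:
                    profile = conn.follow_link(nic.vnic_profile)   # vNIC profile -> network
                    net_name = conn.follow_link(profile.network).name
                nics.append((nic.name, net_name, bool(nic.plugged)))
            result[vm.name] = nics
        return result
    finally:
        conn.close()


# Constructed sample modelled on the thread: the DMZ guest's auto-added nic1 on
# ovirtmgmt; its passthrough host device is not a vNIC, so it does not appear.
SAMPLE: VmNics = {
    "dmz-vm": [("nic1", "ovirtmgmt", True)],
    "app-vm": [("nic1", "internal", True), ("nic2", "ovirtmgmt", False)],
}

if __name__ == "__main__":
    for vm, nics in find_vms_on_network(SAMPLE).items():
        print(f"{vm}: plugged on {MGMT_NETWORK} via {', '.join(nics)}")
```

Against a real engine, feed `collect_vm_nics(...)` into `find_vms_on_network` and treat every hit on a DMZ guest as a finding to fix by unplugging and removing that vNIC in the VM's Network Interfaces.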

