Hello,

thank you for your patience in trying to let me see the light.

Indeed I don't understand what you are explaining. Maybe if I give you more concrete details it will help.

My internal network is 192.168.196.0
My DMZ network is 192.168.188.0

ovirt-engine is running on a centos server with IP 192.168.186.3
ovirt host is on a centos server with IP 192.168.186.4

On the host I created a VM that I want to be in the DMZ. When I created the VM, nic 1 was automatically added and is linked to the ovirtmgmt network.
In the VM, nic1 becomes eth0 and was assigned the IP address 192.168.186.167 via DHCP.

After that I added a host device to that VM using passthrough. This device is called ens7 in the VM and I gave it IP 192.186.188.4.
That device is directly connected to my physical DMZ switch and from there to the firewall.
This part is OK.

My problem is that through eth0 my VM has access to my internal network.
Removing the device seems impossible because this is ovirtmgmt network.
I cannot change or remove the IP of my host because it would not be reachable anymore on my internal network.

Maybe the solution is obvious but I can't see it. I'm running in circles with this problem and it makes me crazy.

Again, thank you for your help.

Istvan


On Fri, Oct 27, 2017 at 7:22 PM, Luca 'remix_tj' Lorenzetto <lorenzetto.luca@gmail.com> wrote:
Sorry,

But you didn't understand well what I've said.

If your host has no ip addresses on that network, you're not encountering any risk because you've no access to that network at layer 3.

Removing ovirtmgmt is not possible, that network is mandatory.

Luca


On 27 Oct 2017 at 1:36 PM, "Istvan Buki" <buki.istvan@gmail.com> wrote:
Hello,

I totally agree on the first part: IP set only on the VM.

For the ovirtmgmt access, if I understand correctly, I have to choose between security and ease of management of my VM but I cannot have both.

Istvan


On 26 Oct 2017 at 6:41 PM, "Luca 'remix_tj' Lorenzetto" <lorenzetto.luca@gmail.com> wrote:
Hello,

On the DMZ network you don't need any address configured on the host.

You set the IP address only on the VM. If the VM gets compromised, its access is limited only to the DMZ network.

There is no way for the attacker to gain access to ovirtmgmt if the VM is not configured to use it.

Luca

On 26 Oct 2017 at 6:32 PM, "Istvan Buki" <buki.istvan@gmail.com> wrote:
Hello ovirt experts,

I'm totally new to ovirt and trying to learn as fast as I can. So, please bear with me and my possibly stupid questions.
Sorry if my questions have been answered already, but please point me to the place where I can find the answers.

I've setup ovirt 4.1.6 and created a first VM that I want to expose in a DMZ.
I attached a dedicated NIC to the VM using passthrough which is connected to the DMZ network. This is all working as expected.

Now, I'm wondering what to do about the ovirtmgmt interface. Obviously, in case the security of the VM is compromised and someone gets unauthorized access to it, I do not want the attacker to have access to my internal network through the ovirtmgmt interface.

The most secure solution would be to remove that ovirtmgmt interface but then I lose management functionalities.
Can you suggest the possible solutions to protect the ovirtmgmt network from unwanted access?

Thanks for your answers

Istvan

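The point Luca makes in this thread is that the risk is a layer-3 one: the VM can only reach the management network if one of its interfaces actually carries an address on it, as Istvan's eth0 does with 192.168.186.167. The check below is an added example, not code from the thread or from oVirt: it parses `ip -o -4 addr show` output from inside the guest and reports which interfaces sit on the management net and which on the DMZ, so a DMZ-only VM can be verified to have no management-side address. The sample output and the /24 prefixes are constructed assumptions (the thread names the networks but not their masks).

```python
import ipaddress
import re
import subprocess

# Constructed sample of `ip -o -4 addr show` from the DMZ VM described in the
# thread: eth0 (vNIC on ovirtmgmt, DHCP) and ens7 (passthrough NIC on the DMZ).
SAMPLE_IP_ADDR = r"""
1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.186.167/24 brd 192.168.186.255 scope global dynamic eth0\       valid_lft 86000sec preferred_lft 86000sec
3: ens7    inet 192.168.188.4/24 brd 192.168.188.255 scope global ens7\       valid_lft forever preferred_lft forever
"""

# Assumed prefixes: the thread gives the host/management side as 192.168.186.x
# and the DMZ as 192.168.188.x; the /24 masks are an assumption.
MANAGEMENT_NETS = [ipaddress.ip_network("192.168.186.0/24")]
DMZ_NETS = [ipaddress.ip_network("192.168.188.0/24")]

# `ip -o` prints one interface per line: "<idx>: <ifname>    inet <addr>/<plen> ..."
LINE_RE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\S+)")


def parse_ip_addr(output):
    """Return [(ifname, IPv4Interface), ...] from `ip -o -4 addr show` text."""
    found = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found.append((m.group(1), ipaddress.ip_interface(m.group(2))))
    return found


def interfaces_on(addrs, nets):
    """Names of interfaces whose address falls inside any network in `nets`."""
    return [name for name, iface in addrs if any(iface.ip in net for net in nets)]


def audit_dmz_vm(output):
    """Classify the guest's addresses; 'management' must be empty for a DMZ-only VM."""
    addrs = parse_ip_addr(output)
    return {
        "management": interfaces_on(addrs, MANAGEMENT_NETS),
        "dmz": interfaces_on(addrs, DMZ_NETS),
    }


if __name__ == "__main__":
    # Run inside the guest: flag any interface that still has a management address.
    live = subprocess.run(["ip", "-o", "-4", "addr", "show"],
                          capture_output=True, text=True, check=True).stdout
    report = audit_dmz_vm(live)
    print(report)
    if report["management"]:
        print("WARNING: VM has a layer-3 address on the management network")
```

On the configuration Istvan describes, the report lists eth0 under "management" and ens7 under "dmz"; once the vNIC on ovirtmgmt carries no address inside the guest, the "management" list is empty.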


_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users