[ovirt-users] ovirtmgmt network security

Luca 'remix_tj' Lorenzetto lorenzetto.luca at gmail.com
Fri Oct 27 17:22:39 UTC 2017


Sorry,

But you didn't understand well what I've said.

If your host has no IP addresses on that network, you're not encountering
any risk because you've no access to that network at layer 3.

Removing ovirtmgmt is not possible; that network is mandatory.

Luca


On 27 Oct 2017 1:36 PM, "Istvan Buki" <buki.istvan at gmail.com> wrote:

Hello,

I totally agree on the first part: IP set only on the VM.

For the ovirtmgmt access, if I understand correctly, I have to choose
between security and ease of management of my VM but I cannot have both.

Istvan


On 26 Oct 2017 6:41 PM, "Luca 'remix_tj' Lorenzetto" <
lorenzetto.luca at gmail.com> wrote:

Hello,

On the DMZ network you don't need any address configured on the host.

You set the IP address only on the VM. If the VM gets compromised, its access
is limited only to the DMZ network.

There is no way for the attacker to gain access to ovirtmgmt if the VM is not
configured to use it.

Luca

On 26 Oct 2017 6:32 PM, "Istvan Buki" <buki.istvan at gmail.com> wrote:

> Hello ovirt experts,
>
> I'm totally new to ovirt and trying to learn as fast as I can. So, please
> bear with me and my possibly stupid questions.
> Sorry if my questions have been answered already, but please point me to
> the place where I can find the answers.
>
> I've set up ovirt 4.1.6 and created a first VM that I want to expose in a
> DMZ.
> I attached a dedicated NIC to the VM using passthrough which is connected
> to the DMZ network. This is all working as expected.
>
> Now, I'm wondering what to do about the ovirtmgmt interface. Obviously, in
> case the security of the VM is compromised and someone gets unauthorized
> access to it I do not want the attacker to have access to my internal
> network through the ovirtmgmt interface.
>
> The most secure solution would be to remove that ovirtmgmt interface but
> then I lose management functionalities.
> Can you suggest the possible solutions to protect the ovirtmgmt network
> from unwanted access?
>
> Thanks for your answers
>
> Istvan
>
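
Added example (not part of the original thread and not oVirt project code): a check of the condition described above, that the host holds no IP address on the DMZ network. The bridge name "dmz" and the sample `ip -o addr show` text are constructed assumptions.

```bash
#!/usr/bin/env bash
# Added example: confirm that a host interface carries no layer-3 address.
# Input is text in the format of `ip -o addr show` (one address per line).

# Constructed sample (lifetime fields trimmed). "dmz" is an assumed bridge
# name for the DMZ network; ovirtmgmt is the management bridge.
SAMPLE='1: lo    inet 127.0.0.1/8 scope host lo
7: ovirtmgmt    inet 192.0.2.10/24 brd 192.0.2.255 scope global ovirtmgmt
9: dmz    inet6 fe80::5054:ff:fe12:3456/64 scope link'

# Print "family address/prefix" for each address on interface $1.
# Reads the `ip -o addr show` text from stdin.
addrs_on() {
    awk -v ifc="$1" '$2 == ifc && ($3 == "inet" || $3 == "inet6") { print $3, $4 }'
}

# audit TEXT IFACE...: succeed only if none of the interfaces has an address.
# An interface without addresses does not appear in `ip -o addr show` at all.
# IPv6 link-local (fe80::/10) is reported too: it is still a layer-3 address,
# and Linux normally assigns one automatically when the interface comes up.
audit() (
    text=$1; shift; rc=0
    for ifc in "$@"; do
        found=$(printf '%s\n' "$text" | addrs_on "$ifc" | paste -sd, -)
        if [ -n "$found" ]; then
            printf 'FAIL %s has layer-3 address(es): %s\n' "$ifc" "$found"
            rc=1
        else
            printf 'OK   %s has no layer-3 address\n' "$ifc"
        fi
    done
    [ "$rc" -eq 0 ]
)

# On a live host: audit "$(ip -o addr show)" dmz
audit "$SAMPLE" dmz || echo "host has a layer-3 presence on dmz"
```

In the constructed sample the check fails on the auto-assigned IPv6 link-local address, which is easy to miss when only IPv4 was left unconfigured.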