Mark Minasi's Tech Forum
Michael Pietrzak
New Friend (or an Old Friend who Built a New Account)
Posts: 51
Post #1

Hi folks,

I am setting up a Hyper-V server and have to implement a configuration that I have not previously had to do. Our "security office" has indicated that each physical NIC will be on its own secured VLAN, with a management VLAN for the host server; then each physical NIC will be for each guest on a 1-to-1 basis.

Our security office gave me IPs to use for the host and the guest OSes. He wants the guest and the physical adapter to use the same IP address.

In my limited Hyper-V experience, I've just had the host and guests all use the same physical adapter, but they all had different IPs.

If this is at all clear: will each physical adapter need a different IP than the IP of the guest that it will be assigned to?

Regards,
Michael

wobble_wobble
Associate Troublemaker Apprentice
Posts: 810
Post #2
You can set a NIC up as a management NIC; there is a tick box for this on the network configuration to allow or disable this.

How many NICs have you?
Generally I'd use at least 1 NIC for management only.
Then up to 4 more different NICs for guests.

Then, if you had 8 (2x quad port), a second NIC for management only, giving 6 for guests.

Now, if I understand the next bit:
You want the management NIC on port 1, 192.168.10.0/24 (VLAN set on the switch).
You want NIC port 2 to have 10.10.0.5 and also the guest mapped to that same IP. That won't work.
You want NIC port 2 to have 10.10.0.5 and also the guest mapped to 10.10.0.5 with the guest NIC tagged onto the guest VLAN. While doable, it is so much like work for the sake of work and a documentation nightmare, let alone troubleshooting.
You could give it another IP above or below (10.10.0.4 or .6), but why waste a usable IP as well as add the host traffic?
I'd put the NICs onto a different IP range (172.16.255.0/24).
Or you could leave the NIC blank and let it pick an APIPA address (see how the security people like that idea).

__________________
Have you tried turning it off and walking away? The next person can fix it!

New to the forum? Read this
dennis-360ict
New Friend (or an Old Friend who Built a New Account)
Posts: 55
Post #3
Without hoping to offend you: I think there is some mismatch between the security department and the concept of OS virtualization. Virtualization has been here for a long time and is being used in the largest (public) clouds, and it's a proven technology, even security-wise. I think I can read between the lines that they are concerned for possible scenarios that, if they would happen, Amazon/Azure would not be able to do virtualization. So I would suggest the security people get educated on the subject (could be just an online course) and get to learn how the concept works security-wise; else you are expected to do some weird configs and that will make your job a lot harder.

As I said, I hope I don't offend anyone here, which can happen very easily online; just trying to help.

__________________
-----
Home is where I sleep
Pieter
Senior Member
Posts: 152
Post #4
Quote:
Originally Posted by Michael Pietrzak
He wants the guest and the physical adapter to use the same IP address.

I'm with Joe (wobble_wobble).
You can configure one (or multiple teamed) NIC(s) as the management NIC for the host.
And for every other adapter, create a virtual switch and connect one VM on that switch, on a 1-to-1 basis.
Do not let the host use that same adapter (it's the default; something like "allow management OS to share this adapter" = disabled). So the host won't even have TCP/IP bound to that adapter. You can't be more secure than that!
The guest can have the IP address; the host doesn't need it.
And remember: simplicity is a cornerstone for security.

__________________
Pieter Demeulemeester
Michael Pietrzak
New Friend (or an Old Friend who Built a New Account)
Posts: 51
Post #5
Dennis,

You hit it exactly on the head. Security office really has no clue and through their policies, they are making everyone's life difficult.

My Hyper-V server has two guest servers on it. One holds patient data, and the other does not.

I have THREE different networks for assignment: one VLAN for the host, a different VLAN for a server that has patient data on it, and a third VLAN for a guest that does not.

Anyway, we have to work within this box, so that is what I have to deal with.
Quote:
Originally Posted by dennis-360ict
Without hoping to offend you: I think there is some mismatch between the security department and the concept of OS virtualization. Virtualization has been here for a long time and is being used in the largest (public) clouds, and it's a proven technology, even security-wise. I think I can read between the lines that they are concerned for possible scenarios that, if they would happen, Amazon/Azure would not be able to do virtualization. So I would suggest the security people get educated on the subject (could be just an online course) and get to learn how the concept works security-wise; else you are expected to do some weird configs and that will make your job a lot harder. As I said, I hope I don't offend anyone here, which can happen very easily online; just trying to help.
Michael Pietrzak
New Friend (or an Old Friend who Built a New Account)
Posts: 51
Post #6
Quote:
Originally Posted by wobble_wobble
You want NIC port 2 to have 10.10.0.5 and also the guest mapped to that same IP. That won't work. You want NIC port 2 to have 10.10.0.5 and also the guest mapped to 10.10.0.5 with the guest NIC tagged onto the guest VLAN. While doable, it is so much like work for the sake of work and a documentation nightmare, let alone troubleshooting.


[frown] Yeah, your first one is what they wanted us to do. I have worked with Hyper-V for a number of years now and I've never been required to implement such a design. My implementations have been very small scale, with host and guests using the same physical NIC, but everyone had their own assigned IPs.

Can you elaborate on this:

"You want NIC port 2 to have 10.10.0.5 and also the guest mapped to 10.10.0.5 with the guest NIC tagged onto the guest VLAN. While doable, it is so much like work for the sake of work and a documentation nightmare, let alone troubleshooting"


wobble_wobble
Associate Troublemaker Apprentice
Posts: 810
Post #7
As you can set a VLAN on a VM NIC, you could set the same IP on both the physical NIC and the guest, with the guest on a different VLAN but the same IP.
Your problems are:
An engineer comes along and tries to troubleshoot an issue. He sees IP 10.10.0.5 on both the server NIC and the guest NIC, but you can't see the VLAN config in ipconfig, so he changes an IP.
You now have a new, more complex issue.
And that's only issue 1 that comes to mind.

__________________
Have you tried turning it off and walking away? The next person can fix it!

New to the forum? Read this
cj_berlin
Senior Member
Posts: 228
Post #8
Well, the question here might be: why does a pNIC that serves no other purpose than an uplink to a vSwitch need an IP address in the first place?
__________________
Evgenij Smirnov

My personal blog (German): http://www.it-pro-berlin.de/
My stuff on PSGallery: https://www.powershellgallery.com/profiles/it-pro-berlin.de/
wobble_wobble
Associate Troublemaker Apprentice
Posts: 810
Post #9
Quote:
Originally Posted by cj_berlin
Well, the question here might be: why does a pNIC that serves no other purpose than an uplink to a vSwitch need an IP address in the first place?


To pacify a jobsworth

__________________
Have you tried turning it off and walking away? The next person can fix it!

New to the forum? Read this
cj_berlin
Senior Member
Posts: 228
Post #10
Quote:
Originally Posted by wobble_wobble
To pacify a jobsworth

Wouldn't it pacify her more if she knew that the pNIC doesn't carry an address at all?

__________________
Evgenij Smirnov

My personal blog (German): http://www.it-pro-berlin.de/
My stuff on PSGallery: https://www.powershellgallery.com/profiles/it-pro-berlin.de/
wobble_wobble
Associate Troublemaker Apprentice
Posts: 810
Post #11
Short answer: no.

Long answer, and by no means complete:
A. They didn't give you the IP, therefore it's wrong.
B. If it has no address, then how can I monitor it?
C. If it has an unknown address (and one that changes; APIPA can change every 56 hours), then maybe a cracker could pwn it.
D. If it's not in my checklist, then it's wrong.

Some of these are reasons known to the security office.
Some are like recipes for brown bread, passed on for ages, but the reason why is no longer remembered.

Some of the concerns are valid.
Some are pointless paper pushing.
And until the security people audit the IT solutions with encrypted scripts, frequently and aggressively, then in reality the security audits are already flawed.

But that brings with it its own flaws and potential disasters, unless the solution design supports chaos engineering, which brings other issues.

And we're back at... let's give the host NIC and the guest NIC the same IP but on different VLANs... 'cause that'll make security's life easier.

__________________
Have you tried turning it off and walking away? The next person can fix it!

New to the forum? Read this
Michael Pietrzak
New Friend (or an Old Friend who Built a New Account)
Posts: 51
Post #12
So our person in our campus security office is going firewall crazy, with all physical NICs on separate VLANs and "security zones".

He gave me an IP for the host server (on one VLAN), another IP (different VLAN) for the medical server (guest1), and another IP (yet another VLAN) for a tertiary server (guest2).

He also gave me a set of IPs on the same three VLANs for a testing server. So my next test was for the server that has the med data (guest1): I gave one IP to the physical NIC (192.168.0.1) and the next IP (192.168.0.2) to the Hyper-V guest (guest1) (same subnet and gateway).

I still could not get traffic into or out of the Hyper-V guest (guest1). Can he firewall a physical interface to the point that it will kill the traffic on the virtual NIC that the guest is set up to use via the virtual switch interface?

He must have thought (and I didn't even think twice about it) that the guest servers use the physical NICs and share the IPs.
wobble_wobble
Associate Troublemaker Apprentice
Posts: 810
Post #13
The traffic on a virtual host (VMware or Hyper-V) is firstly located inside the 'host'.
So a physical firewall is pointless if you want to isolate guest from host.
There are isolation technologies in vSphere 6.5 and Server 2016, but these are more complex and involve a lot more technology.

So before going down the road of a massive spend for the business, sit and talk with the security office/officer. Ask them:
What do they want to achieve?
How do they want to achieve it?
Why do they want to do it?
Where will the budget for the changes come from?

Then go over the problems, the desired outcomes, the available budget and then the preferred solution.

If you're a small shop with limited overall IT spend, the security people need to cough up the required budget OR they need to fight the business for increased budget to do a, b and c.

It's not our job to spend our resources on the wants and desires of a small (but vocal) office to the overall detriment of our core business. They need to be seen as the good and the bad boys as much as us!

My 20 cents' worth.

__________________
Have you tried turning it off and walking away? The next person can fix it!

New to the forum? Read this
cj_berlin
Senior Member
Posts: 228
Post #14
Quote:
Originally Posted by wobble_wobble
Short answer - no.

Joe,

The question was rhetorical. But as we all know, it is simply not possible to assign an IP to a pNIC which is bound to a vSwitch, be it in VMware or Hyper-V. So instead of trying to somehow fulfil the requirement (which is bound to backfire one way or another), we will have to try to educate the security officer. I've been there many times. An analogy they (sort of) tend to understand is a NIC port being simply a switch port of yet another switch. It is easier in VMware because they have this graphical representation where you have to use VMkernel networking on a vSwitch to manage the host. But you can demonstrate it on Hyper-V as well, even if it isn't as graphic.

__________________
Evgenij Smirnov

My personal blog (German): http://www.it-pro-berlin.de/
My stuff on PSGallery: https://www.powershellgallery.com/profiles/it-pro-berlin.de/
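The layout Pieter describes in #4 (management NIC for the host, one external vSwitch per remaining pNIC with management OS sharing disabled, one VM per switch on its own VLAN) and the point cj_berlin makes in #14 (a pNIC bound to a vSwitch carries no host IP) can both be built and verified from PowerShell. This is an added example, not code from any poster in this thread; the adapter names NIC1/NIC2/NIC3, the VM names Guest1/Guest2, the management address 192.168.10.5/24 and the VLAN IDs 20 and 30 are assumed placeholders.

```powershell
# Added example (not from any poster in this thread). Assumed names: NIC1 is the
# host's management adapter, NIC2 and NIC3 are one uplink each for Guest1 and
# Guest2; the VLAN IDs and the management address are placeholders.
$mgmtNic    = 'NIC1'
$guestLinks = @(
    @{ Nic = 'NIC2'; Vm = 'Guest1'; Switch = 'vSwitch-Guest1'; Vlan = 20 },  # patient-data guest
    @{ Nic = 'NIC3'; Vm = 'Guest2'; Switch = 'vSwitch-Guest2'; Vlan = 30 }
)

# The host keeps an address only on the management adapter (placeholder values).
New-NetIPAddress -InterfaceAlias $mgmtNic -IPAddress '192.168.10.5' `
    -PrefixLength 24 -DefaultGateway '192.168.10.1'

foreach ($link in $guestLinks) {
    # External switch with "allow management OS to share this adapter" disabled:
    # the host gets no vNIC on this switch and TCP/IP is unbound from the uplink.
    New-VMSwitch -Name $link.Switch -NetAdapterName $link.Nic -AllowManagementOS $false | Out-Null

    # Exactly one VM per uplink, tagged into its own VLAN on the virtual port.
    Connect-VMNetworkAdapter -VMName $link.Vm -SwitchName $link.Switch
    Set-VMNetworkAdapterVlan -VMName $link.Vm -Access -VlanId $link.Vlan
}

# Verification: each uplink is bound to the Hyper-V extensible switch (vms_pp)
# and has the ms_tcpip binding disabled, so it cannot hold a host IP address.
foreach ($link in $guestLinks) {
    Get-NetAdapterBinding -Name $link.Nic -ComponentID ms_tcpip, vms_pp |
        Select-Object Name, DisplayName, Enabled
    $addr = Get-NetIPAddress -InterfaceAlias $link.Nic -ErrorAction SilentlyContinue
    if ($addr) { Write-Warning "$($link.Nic) still has a host IP: $($addr.IPAddress)" }
    else       { Write-Output  "$($link.Nic): no host IP (uplink only)" }
}

# What each guest is actually plugged into, for the security office's records.
Get-VMNetworkAdapter -VMName Guest1, Guest2 | Select-Object VMName, SwitchName, MacAddress
Get-VMNetworkAdapterVlan -VMName Guest1, Guest2
```

Run it in an elevated session on the Hyper-V host; the binding and address checks at the end are what you would show the security officer instead of an IP on the pNIC.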
Michael Pietrzak
New Friend (or an Old Friend who Built a New Account)
Posts: 51
Post #15
Wow, thank you everyone for all the great info! I am reading up on Hyper-V networking now....

My boss and I have a meeting with the security officer next week.

My final question is, if you don't mind...

What can you do "upstream", so to speak, that would allow traffic on the pNIC but deny traffic originating from the source guest that is configured to use a virtual switch bound to that pNIC?

Is he firewalling the pNIC in some fashion?