Win2012 Dedicated Server - One Nic - Multiple VMs - Multiple WAN IP's?


  • Win2012 Dedicated Server - One Nic - Multiple VMs - Multiple WAN IP's?

    Hi,

    I was wondering whether someone could sense-check this for me. I have a friend's business that has acquired an internet-facing dedicated server. He has asked me to set it up in an IaaS-type solution for a directory server, mail server, web server etc.

    As it is completely internet facing with no dedicated hardware firewall in front of it, I have decided to virtualize the setup, which should also offer some increased security.

    The hypervisor itself has a Windows firewall enabled and fully closed for incoming connections currently. It has a single public IP currently assigned to its NIC directly, but we have 3 more IPs available.

    Firstly, is the setup I have briefly synopsised on the attached diagram possible with only one NIC in the server?

    Other questions I need answered:

    How do I get the other public IPs through to the VMs? Does there need to be NAT set up somewhere, and if so where? On the 2012 box or the Debian firewall VM?

    Is my usage of vSwitches correct, and their function right? (Internal, External etc.)

    Would it be best to give the VMs local private addresses and NAT through, or give them WAN IPs and set up some routing?

    Any help would be much appreciated on this.
    Attached Files

  • #2
    Re: Win2012 Dedicated Server - One Nic - Multiple VMs - Multiple WAN IP's?

    Your setup should work fine, and logically speaking, the VMs would be adequately protected behind a firewall VM. However, if I were responsible for managing this setup, there is one issue that would be a cause of great concern to me, and that's the hypervisor itself.

    All the VMs, including the firewall router, run under the same hypervisor. That hypervisor is where all VM management would have to take place, and it's directly connected to the Internet. Consider the following:
    1. You would need to enable RDP on the hypervisor OS (or install third-party software) for any kind of remote management to be possible.
    2. You'll have to rely on the Windows firewall on the hypervisor for protection. I'm not aware of any obvious deficiencies in that firewall, but the point is that you have a single barrier between the Internet and your virtual infrastructure (as the virtual firewall could be compromised through the hypervisor).
    3. Since you would be relying heavily on functionality in the Windows OS on the hypervisor, you would have to make sure it's updated at all times, since an exploit targeting a vulnerability on the hypervisor could be disastrous. That means you would either have to check for updates manually very often and analyze every security report from Microsoft, which could represent a major administrative burden, or you would have to enable automatic updates, which would mean regular reboots and could potentially leave the hypervisor in a broken state should there be a problem with an update (which has been known to happen).
    4. Should an intruder gain access to the hypervisor, either through a security vulnerability or by gaining access through remote management, every system in your IaaS setup would be instantly compromised.
    5. Should an intruder (or a script kiddie) launch a (D)DoS attack against some bug or vulnerability in the hypervisor OS, it could cause the entire IaaS infrastructure to become unavailable or even crash.
    6. Should the person managing the VMs make a mistake by, say, visiting a web site with ads from a compromised ad server while looking for information, the hypervisor could get infected with spyware, viruses, rootkits or trojans. Since all remote management will have to go through the hypervisor, the risk of this happening is much higher than it would be had the hypervisor been an isolated system behind a separate security barrier.

    I don't think I would be able to sleep all that well at night, knowing that the entire infrastructure of my company depended on there not being any kind of major bug or vulnerability in the RDP server component in Windows Server 2012, or the vswitch code in Hyper-V.

    I would strongly recommend installing a separate hardware firewall in front of the server. That would give you two barriers instead of one, and you also provide some diversity of defence. If you decide to implement the IaaS as per the diagram provided, I would at the very least recommend installing host-based IDS/IPS software and perhaps a third-party firewall on the hypervisor.



    • #3
      Re: Win2012 Dedicated Server - One Nic - Multiple VMs - Multiple WAN IP's?

      Thanks for your response. Much appreciated.

      To answer a few of your concerns.

      • Agree on the Windows Firewall front, I will install a third-party firewall in its place.
      • RDP will not be open to the hypervisor. In fact I will probably close all ports to the hypervisor itself; I have IP KVM access to the box.
      • No one will be browsing the web from the hypervisor itself.
      • It will be kept up to date with scheduled weekly updates or, where necessary, more frequently.

      Another question for you. So the hypervisor has one physical NIC only, which has a static "internet facing" IP. I have added the 3 other IP addresses that the ISP has provided to the NIC as well (Advanced -> IP addresses); all have the same subnet mask and gateway.


      How would I present those IP addresses to the VMs, or more likely to the Linux virtual firewall to NAT through to the VMs' private IP addresses?


      Any help would be beneficial.



      • #4
        Re: Win2012 Dedicated Server - One Nic - Multiple VMs - Multiple WAN IP's?

        Originally posted by Spuddy:
        Another question for you. So the hypervisor has one physical NIC only, which has a static "internet facing" IP. I have added the 3 other IP addresses that the ISP has provided to the NIC as well (Advanced -> IP addresses); all have the same subnet mask and gateway.

        How would I present those IP addresses to the VMs, or more likely to the Linux virtual firewall to NAT through to the VMs' private IP addresses?
        You don't assign any of those IP addresses to the hypervisor itself, but to the virtual NIC of the firewall VM connected to the external bridge (which provides bridged access to the physical network).



        • #5
          Re: Win2012 Dedicated Server - One Nic - Multiple VMs - Multiple WAN IP's?

          Originally posted by Ser Olmy:
          You don't assign any of those IP addresses to the hypervisor itself, but to the virtual NIC of the firewall VM connected to the external bridge (which provides bridged access to the physical network).
          I understand that. The local physical NIC becomes a Hyper-V extensible switch (or similar?), and I have added all four IPs to the external vEthernet NIC.

          Should my Virtual Firewall now be able to see those and NAT them through to private addressed VMs?



          • #6
            Re: Win2012 Dedicated Server - One Nic - Multiple VMs - Multiple WAN IP's?

            Originally posted by Spuddy:
            I understand that. The local physical NIC becomes a Hyper-V extensible switch (or similar?), and I have added all four IPs to the external vEthernet NIC.

            Should my virtual firewall now be able to see those and NAT them through to private-addressed VMs?
            I'm a bit confused with regards to the setup of the firewall VM (the one running Debian).

            I was under the impression that a public IP address was assigned to the external NIC of that VM, in which case you should simply add the other IP addresses as well, and have the Linux firewall do NAT and port forwarding as needed.

            Assigning multiple IP addresses to the Windows hypervisor doesn't really make sense as long as there's a separate firewall router involved.

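            To make the advice in this reply (and Jeremy's point below that the VM's own NIC, not the parent partition, carries the addresses) concrete, here is an added example of the Debian firewall VM's side of the job. It is not code from the thread or from any poster: it assumes the firewall VM already has one vNIC on the External vSwitch (eth0) and one on an Internal/Private vSwitch (eth1), and every address, interface name and port in it is a constructed placeholder. Run with no argument to print the commands for review; run with `apply` as root to execute them.

```shell
#!/bin/sh
# Added example, not from the thread. Attaches the extra public addresses to the
# firewall VM's external vNIC and builds a deny-by-default NAT/port-forwarding
# rule set. All addresses, interface names and ports below are constructed.

WAN_IF="eth0"          # vNIC on the Hyper-V External switch (bridged to the physical NIC)
LAN_IF="eth1"          # vNIC on an Internal/Private switch shared with the other VMs
WAN_PREFIX="24"        # prefix length the ISP gave for the public block (placeholder)
LAN_NET="10.0.0.0/24"  # private range the other VMs live in (placeholder)

# One line per extra public address: "<public ip> <private vm ip>" (constructed values)
NAT_MAP="203.0.113.11 10.0.0.11
203.0.113.12 10.0.0.12
203.0.113.13 10.0.0.13"

# Only these services are reachable from the Internet: "<private vm ip> <proto> <port>"
# (constructed values; anything not listed is dropped by the FORWARD policy)
PORT_MAP="10.0.0.11 tcp 389
10.0.0.12 tcp 25
10.0.0.12 tcp 587
10.0.0.13 tcp 443"

# Public address that fronts a given private VM (empty output if it has none)
pub_for() {
    printf '%s\n' "$NAT_MAP" | awk -v p="$1" '$2 == p { print $1 }'
}

# The secondary public addresses belong on the firewall VM's external vNIC,
# not on the hypervisor's parent partition.
gen_addr_cmds() {
    printf '%s\n' "$NAT_MAP" | while read -r pub _priv; do
        printf 'ip addr add %s/%s dev %s\n' "$pub" "$WAN_PREFIX" "$WAN_IF"
    done
}

gen_nat_rules() {
    # Routing on, and nothing is forwarded unless a rule below says so
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    printf 'iptables -P FORWARD DROP\n'
    printf 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'

    # Inbound: DNAT each published service to its VM, then admit that new flow
    printf '%s\n' "$PORT_MAP" | while read -r priv proto port; do
        pub=$(pub_for "$priv")
        [ -n "$pub" ] || { echo "no public address mapped for $priv" >&2; continue; }
        printf 'iptables -t nat -A PREROUTING -i %s -d %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
            "$WAN_IF" "$pub" "$proto" "$port" "$priv" "$port"
        printf 'iptables -A FORWARD -i %s -o %s -d %s -p %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
            "$WAN_IF" "$LAN_IF" "$priv" "$proto" "$port"
    done

    # Outbound: each mapped VM leaves under its own public address (mail servers
    # in particular need a stable source IP), and LAN-originated flows are allowed
    printf '%s\n' "$NAT_MAP" | while read -r pub priv; do
        printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j SNAT --to-source %s\n' \
            "$WAN_IF" "$priv" "$pub"
    done
    printf 'iptables -A FORWARD -i %s -o %s -s %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$LAN_IF" "$WAN_IF" "$LAN_NET"
}

case "${1:-print}" in
    print) gen_addr_cmds; gen_nat_rules ;;
    apply) { gen_addr_cmds; gen_nat_rules; } | sh -e ;;
    *) echo "usage: $0 [print|apply]" >&2; exit 2 ;;
esac
```

            The generated rules are not persistent; on Debian they would normally be saved with the iptables-persistent package or issued from an ifupdown hook. The point to check before applying them is that the FORWARD policy is DROP and that each DNAT line has a matching FORWARD accept for exactly that destination and port, so a VM only exposes the services you listed even though the External vSwitch gives every attached VM a layer 2 path to the physical network.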


            • #7
              Re: Win2012 Dedicated Server - One Nic - Multiple VMs - Multiple WAN IP's?

              Nothing to add apart from you sometimes will use more than 1 IP address for the Hyper-V Host if you wish to have a dedicated Management IP, Live Migration network and/or a Virtual Switch dedicated to Virtual Machines only.



              • #8
                Re: Win2012 Dedicated Server - One Nic - Multiple VMs - Multiple WAN IP's?

                Originally posted by Spuddy:
                I understand that. The local physical NIC becomes a Hyper-V extensible switch (or similar?), and I have added all four IPs to the external vEthernet NIC.

                Should my virtual firewall now be able to see those and NAT them through to private-addressed VMs?
                I think you're slightly confused on the vSwitch. When creating the External vSwitch, the physical NIC becomes the link to the physical network and is no longer available to the parent partition for layer 3. If you choose to use the NIC for the parent partition, it will install a vNIC on the parent that is also connected to the vSwitch. So when you assign the IP addresses to the parent's NIC, you're assigning them to a NIC that is connected to the same vSwitch as any VMs that are connected to the vSwitch.

                So, since the External vSwitch is connected to the physical network via the physical NIC, any VM connected to the vSwitch has a direct connection to the physical network. If there are certain IP addresses you want to use on VMs, you would assign them directly on the VM's NIC within the VM's OS.
                Regards,
                Jeremy

                Network Consultant/Engineer
                Baltimore - Washington area and beyond
                www.gma-cpa.com
