FreeNas as virtual machine ok?

Spooter · 28 Feb 2010 at 20:35

Hi all,

Im use ubuntu 8.04 with Virtualbox and then use virtual ubuntu server installations for various applications/purposes and use snapshoting to another machine as my backup.

Can anyone see an issue using freeNas as a virtual machine to share files?

tntcoder · 28 Feb 2010 at 20:52

Nope, it's a good way of managing things and offers increased security

craptakular · 2 Mar 2010 at 19:18

tntcoder said:
Nope, it's a good way of managing things and offers increased security

Out of curiosity how does it offer greater security?

tntcoder · 2 Mar 2010 at 19:43

Oxy said:
Out of curiosity how does it offer greater security?

Well, from a high level perspective you can snapshot your system easily. This means that if someone screws with the system you can just revert it in seconds. Some people set up a cluster of VM's and have them revert automatically every few minutes, so even if they get hacked it doesnt matter and the systems can stay online preserving availability and integrity.

Also, principle of seperation. If you are running a mail server, web server and a file server all on one physical box if you divide them out into individual VM's then you dont have a single point of attack. It's 'near' impossible to attack another VM or the host system if you root one of the VM's running on the same physical box, each VM has its own unique memory/disk/resources and cant touch anything outside of them.

Bit OTT for the home enviorment sure

but running each of your critical services inside a dedicated VM makes security much more managble.

craptakular · 2 Mar 2010 at 20:21

oh cool. Can it be done without a gui?

tntcoder · 2 Mar 2010 at 20:43

Oxy said:
oh cool. Can it be done without a gui?

Administration can be yes, VMWare, Virtualbox and Qemu all have vast command line admin options.

VMWare ESX & Server options also allow configuration & admin from a web browser I think, but I haven't got much experience with them.

JonJ678 · 2 Mar 2010 at 22:07

What do you mean by rooting the virtual machine? If you just mean gaining root access, then id have thought it would be entirely possible to compromise another machine from this starting point. They share a network connection and often some directories, how would one secure this arrangement?

tntcoder · 2 Mar 2010 at 22:35

JonJ678 said:
What do you mean by rooting the virtual machine? If you just mean gaining root access, then id have thought it would be entirely possible to compromise another machine from this starting point. They share a network connection and often some directories, how would one secure this arrangement?

Sure correct, as you increase shared resources between VM's you increase the risk of compromise. Once this level of resource sharing occurs you are removing some of the security features that virtual machines offer you and almost face the same problems of physical machines in a LAN environment.

By rooting, I just meant if you have root access to a well-isolated VM then you cannot compromise the host OS or other VMs on the system from that point, i.e hacking the hypervisor is not gonna happen. I think you can stick to well-isolated VM's though if you design your setup correctly and reduce the risks. For example, using only using Guest->Host networking so VM's can't inter-network or if you need to share files, make them read only.

JonJ678 · 3 Mar 2010 at 02:28

This makes sense. For some reason I assumed that compromising the host from within a virtual machine wouldn't be any great challenge for someone more knowledgeable than myself. Would the following layout be reasonably secure then:

Host: Debian stable, running just enough software to run virtualbox

IPCOP/other firewall OS running in a virtual machine, external interface connected to IPCOP directly and ignored by host. Host accesses external network solely through ipcop.

Large number of other virtual machines, none of them networked to the ipcop machine, but all networked to the host (and possibly directly to each other), on a different interface to the one ipcop is providing data to.

I don't know how to set this up, but it would be interesting learning how to. In particular I don't know if it's possible to bind a physical ethernet port to a virtual machine in such a way that the host ignores all data passing through it. Replacing the ipcop machine with a router OS and networking everything directly to that might also be worthwhile. Interested if you have any thoughts on this.

tntcoder · 3 Mar 2010 at 13:00

Yer that kind of setup sounds nice, ive done a similar thing using pfsense and you definitely learn a lot setting it all up. Debian makes a good solid choice for the host OS.

You can do various kinds of Ethernet adapter sharing with guest OS's, in XEN for example you can give the physical adapter to the guest OS for its sole use.

In VirtualBox, ive used a USB NIC and it worked perfectly with that, as the usb device is just binded to the VM exclusively and other guests & host can go through that. However with physical adapters it has various modes of 'bridged networking' you can use to limit the flow of data, you can physically connect a NIC to a guest, but I think it still has to stay up in the host OS.