I want my global zone to have no internet connection. I only surf from local zones, where I have installed Windows into VirtualBox.

So, each local zone is connected to a virtual switch? And that switch is connected to the global zone's NIC? This sounds weird? Is this really the correct config?

Or should I connect the virtual switch to a zone that acts as a router?

Or, should all zones be directly connected to the global zone's NIC with no virtual switch?

-- 
This message posted from opensolaris.org
On 09/27/10 03:55 AM, Orvar Korvar wrote:
> I want my global zone to have no internet connection. I only surf from local zones, where I have installed Windows into VirtualBox.
>
> So, each local zone is connected to a virtual switch? And that switch is connected to the global zone's NIC? This sounds weird? Is this really correct config?

That's a common scenario; you would create a VNIC on the physical NIC for each zone, and assign the VNICs to the zones.

> Or should I connect the virtual switch to a zone that acts as a router?

This could be useful if you want to isolate your zones in their own private virtual network. In this case one of the zones on your machine would be acting as a router/NAT between the private network and the external network.

> Or, should all zones be directly connected to the global zone's NIC with no virtual switch?

To do that would require the zones to share the same IP stack (shared IP), which wouldn't work well with your use case.

Nicolas.

-- 
Nicolas Droux - Solaris Core OS Engineering - Oracle
nicolas.droux at oracle.com
>> Or, should all zones be directly connected to the global zone's NIC with no virtual switch?
> To do that would require the zones to share the same IP stack (shared IP), which wouldn't work well with your use case.

Ok, so in my case where I surf from local zones, I should create a virtual switch and connect all virtual NICs to the vswitch? Each zone has a VNIC, and all of them are connected to the vswitch?

It is not good to connect each VNIC directly to the e1000g0 interface, I should connect them to a vswitch? Is this correctly understood?

Regarding a router, that would be useful if I want the zones to have their own private virtual networks? What does that mean? If I want to use a web server in one zone, clients in another, and do some development (in Java, of course), then I do not need several private virtual networks, right? One vswitch suffices for this scenario, right? Several private networks are not needed in this scenario, right?
On 09/27/10 02:45 PM, Orvar Korvar wrote:
>>> Or, should all zones be directly connected to the global zone's NIC with no virtual switch?
>> To do that would require the zones to share the same IP stack (shared IP), which wouldn't work well with your use case.
>
> Ok, so in my case where I surf from local zones, I should create a virtual switch and connect all virtual NICs to the vswitch? Each zone has a VNIC, and all of them are connected to the vswitch?
>
> It is not good to connect each VNIC directly to the e1000g0 interface, I should connect them to a vswitch?

With Crossbow, as soon as you create the VNICs on top of e1000g0, internally we create a virtual switch that allows these VNICs to communicate with each other. You can do this simply with

  # dladm create-vnic -l e1000g0 vnic0
  # dladm create-vnic -l e1000g0 vnic1
  ...

and then assign these VNICs to the zones, that's it.

> Is this correctly understood?
>
> Regarding a router, that would be useful if I want the zones to have their own private virtual networks? What does that mean? If I want to use a web server in one zone, clients in another, and do some development (in Java, of course), then I do not need several private virtual networks, right? One vswitch suffices for this scenario, right? Several private networks are not needed in this scenario, right?

If you are only interested in providing each zone access to the shared e1000g0 NIC, then creating the VNICs on top of e1000g0, as done above, should be fine. There are some cases where that is not possible, for example because only one IP address is assigned to the underlying NIC, or maybe because for security reasons someone wants to keep the network used by the zones private. In this case one can create a private network using a separate virtual switch which is completely independent from the physical network, and use one of the zones to do NAT/routing/firewalling between the physical network and the private network.

Our LISA'09 paper on vWire goes into some of these scenarios and how you can combine virtual NICs, virtual switches, and other Solaris features to build virtual networks.

Nicolas.

-- 
Nicolas Droux - Solaris Core OS Engineering - Oracle
nicolas.droux at oracle.com
Ok. Good answers.

To increase security I shut down the global zone's access to the Internet, and only allow internet access from local zones, like this:

I will make a few VNICs, and the vswitch will automatically be created. I will assign each VNIC to a local zone. In the local zone I have installed VirtualBox virtual machines and surf from within Windows/Linux/whatever.

I will shut down the NIC on the global zone with "ifconfig down e1000g0" or whatever syntax (I need to check the syntax for how to shut down the NIC). This shutdown of the global NIC will not affect the local zone VNICs; they will continue to work.

The only way to reach the internet will be from a local zone. When I need to upgrade / patch my installation of build 134, I just turn on the global NIC again: "ifconfig up e1000g0" or whatever syntax (I need to check the syntax). And patch and upgrade, and then shut down the global NIC again.

This means a hacker must breach Windows/Linux, then breach VirtualBox, then breach the local zone, then breach my global zone (which should be very difficult because the NIC on the global zone is shut down, so the local zone cannot reach the global zone) and then finally try to get root access to the global zone. This, I hope, will give increased security.

1) Should my outlined plan work as I intend?
2) Did I miss anything?

I will now start to promote and talk about Crossbow. I have downloaded your paper and will read it. Thank you. :o)

(I will, in addition, also install some Solaris zones that run web servers etc. using VNICs, and I will also do some development and testing.)
I forgot to tell, I use SunRays. It should not change anything? My plan works as intended whether there are SunRays involved or not? Do you know?
Orvar Korvar wrote:
> Ok. Good answers.
>
> To increase security I shut down the global zone's access to the Internet, and only allow internet access from local zones, like this:
>
> I will make a few VNICs, and the vswitch will automatically be created. I will assign each VNIC to a local zone. In the local zone I have installed VirtualBox virtual machines and surf from within Windows/Linux/whatever.

Just understand that the vswitch will not be visible to any administrative commands and will internally pass traffic from the global zone to the local zone.

> I will shut down the NIC on the global zone with "ifconfig down e1000g0" or whatever syntax (I need to check the syntax for how to shut down the NIC). This shutdown of the global NIC will not affect the local zone VNICs; they will continue to work.

  # ifconfig e1000g0 down
  # ifconfig e1000g0 unplumb

> The only way to reach the internet will be from a local zone. When I need to upgrade / patch my installation of build 134, I just turn on the global NIC again: "ifconfig up e1000g0" or whatever syntax (I need to check the syntax). And patch and upgrade, and then shut down the global NIC again.

  # ifconfig e1000g0 plumb
  # ifconfig e1000g0 10.0.1.20/24 up

> This means a hacker must breach Windows/Linux, then breach VirtualBox, then breach the local zone, then breach my global zone (which should be very difficult because the NIC on the global zone is shut down, so the local zone cannot reach the global zone) and then finally try to get root access to the global zone. This, I hope, will give increased security.
>
> 1) Should my outlined plan work as I intend?
> 2) Did I miss anything?

That looks ok for the networking config.

> I will now start to promote and talk about Crossbow. I have downloaded your paper and will read it. Thank you. :o)
>
> (I will, in addition, also install some Solaris zones that run web servers etc. using VNICs, and I will also do some development and testing.)

Good luck...

-mike
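The VNIC-per-zone setup Nicolas describes (dladm create-vnic, then hand the VNICs to the zones) and mike's plumb/unplumb toggle for the global zone, pulled together into one script. This is an added example, not code from the thread or from Oracle. The NIC name e1000g0 and the address 10.0.1.20/24 come from the thread; the zone names "web" and "desktop" are assumptions, as is the use of exclusive-IP zones, which is what Nicolas's "assign these VNICs to the zones" implies since a shared-IP zone cannot own a VNIC. Every command is printed before it would run and is executed only when APPLY=1 is set, so the script can be read and checked first, even on a non-Solaris host.

```shell
#!/bin/sh
# Added example (not from the thread): script the VNIC-per-zone setup from
# Nicolas's reply and the global-zone NIC toggle from mike's reply.
# Assumptions: physical NIC e1000g0 and address 10.0.1.20/24 come from the
# thread; the zone names "web" and "desktop" are hypothetical.
# Every command is printed first and executed only when APPLY=1 is set.

NIC=${NIC:-e1000g0}
GZ_ADDR=${GZ_ADDR:-10.0.1.20/24}
ZONES=${ZONES:-"web desktop"}

# Print a command, quoting arguments that contain spaces or ';' so the
# line can be pasted into a root shell as-is; run it only under APPLY=1.
run() {
    line=
    for a in "$@"; do
        case $a in
            *' '*|*';'*) line="$line '$a'" ;;
            *)           line="$line $a" ;;
        esac
    done
    printf '%s\n' "${line#?}"
    if [ "${APPLY:-0}" = 1 ]; then "$@"; fi
}

# One VNIC per zone on the physical NIC. Crossbow creates the virtual
# switch implicitly: the VNICs can reach each other and, through e1000g0,
# the outside, with no further configuration.
create_vnics() {
    i=0
    for z in $ZONES; do          # vnic$i will later go to zone $z
        run dladm create-vnic -l "$NIC" "vnic$i"
        i=$((i + 1))
    done
}

# zonecfg subcommands that give an existing zone its own IP stack
# (ip-type=exclusive) on the named VNIC.  $1 = VNIC name.
zone_net_cmds() {
    printf 'set ip-type=exclusive; add net; set physical=%s; end' "$1"
}

# Assign vnic0, vnic1, ... to the zones in $ZONES and reboot each zone,
# since an ip-type change on an installed zone takes effect at zone boot.
# An exclusive-IP zone then configures its own address from inside the
# zone (for example /etc/hostname.vnic0 in the zone).
assign_vnics() {
    i=0
    for z in $ZONES; do
        run zonecfg -z "$z" "$(zone_net_cmds "vnic$i")"
        run zoneadm -z "$z" reboot
        i=$((i + 1))
    done
}

# Lock-down: take the global zone's IP interface off the physical NIC.
# unplumb removes the interface entirely; the VNICs keep working because
# they hang off the link, not off the global zone's IP interface.
gz_nic_down() {
    run ifconfig "$NIC" down
    run ifconfig "$NIC" unplumb
}

# Temporary re-enable for patching; call gz_nic_down again afterwards.
gz_nic_up() {
    run ifconfig "$NIC" plumb
    run ifconfig "$NIC" "$GZ_ADDR" up
}

# Checks to run from the global zone after lock-down: show-vnic should list
# vnic0, vnic1, ... over e1000g0, and ifconfig -a must not list e1000g0.
verify() {
    run dladm show-vnic
    run ifconfig -a
}

case ${1:-} in
    setup) create_vnics; assign_vnics; gz_nic_down; verify ;;
    patch) gz_nic_up ;;
    lock)  gz_nic_down; verify ;;
esac
```

Run it as `sh crossbow-lockdown.sh setup` to review the commands, then with `APPLY=1` as root to apply them; `patch` re-plumbs the global zone for an upgrade and `lock` unplumbs it again. Two caveats that follow from the thread itself: mike's point that the implicit vswitch still passes traffic between the global zone and the local zones means unplumbing e1000g0 removes the global zone's address, not the layer-2 path, so the global zone must not plumb a VNIC of its own on e1000g0 while locked down; and the zones must be exclusive-IP, because with shared IP they would be using the global zone's stack, which is exactly what Nicolas said would not fit this use case.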