Hyper-V - how secure / separate are the NICs from the main OS?

Discussion in 'Virtualized Computing' started by MrGuvernment, Jul 2, 2017.

  1. MrGuvernment

    MrGuvernment Pick your own.....you deserve it.

    Messages:
    19,463
    Joined:
    Aug 3, 2004
    Currently I am running Hyper-V via Windows 10 Pro.

    I wasn't able to do ESXi due to GPU pass through being too flaky so I just did an install of Windows 10 and using Hyper-V for my home lab.

    My question is, I run a separate physical PFsense firewall but I would love to run it all from my home lab box and cut back on another device (server grade hardware including the NICs).

    My concern is, how separate / secure are NICs when they are assigned to be used in Hyper-V from the Core OS?

    Extreme example here: if my Windows 10 for some reason got compromised and I was too blind to notice, could someone "access" the Hyper-V NICs to sniff traffic going to the VMs?

    I know when you install Hyper-V on Windows it really goes into the OS...
     
  2. Eulogy

    Eulogy 2[H]4U

    Messages:
    2,158
    Joined:
    Nov 9, 2005
    If someone compromises your hypervisor, yes, they'll have access to pretty much everything virtualized.
     
  3. Agromahdi123

    Agromahdi123 Gawd

    Messages:
    599
    Joined:
    Jul 22, 2005
    Yea, most setups I see that are security concerned use a separate firewall.
     
  4. MrGuvernment

    MrGuvernment Pick your own.....you deserve it.

    Messages:
    19,463
    Joined:
    Aug 3, 2004
    That was kind of my thought: you are essentially exposing Windows 10 to the internet directly and relying on Windows Firewall to protect you, and then the Hyper-V layer.
     
  5. Eulogy

    Eulogy 2[H]4U

    Messages:
    2,158
    Joined:
    Nov 9, 2005
    Well, no. Now you're kind of diverging from your original question a tad. If you pass through hardware to a guest VM, that does limit your exposure a little bit.
    Internet in ---> physical NIC --> passthrough pNIC to pFsense ("WAN" NIC) --> virtual NIC ("LAN" NIC) --> different pNIC out to LAN

    You're still exposed a bit, but less. Not that ESXi is impervious to attacks, but it's certainly more secure. pFsense doesn't need much hardware though, no need to be running like a Xeon or anything like that...
     
  6. MrGuvernment

    MrGuvernment Pick your own.....you deserve it.

    Messages:
    19,463
    Joined:
    Aug 3, 2004

    Problem is, Hyper-V on Windows 10 does not support hardware pass-through of anything like NICs, only GPUs for RemoteFX. It appears all of the PowerShell commands are there, but they do not work and give errors :(
     
  7. Eulogy

    Eulogy 2[H]4U

    Messages:
    2,158
    Joined:
    Nov 9, 2005
    Ah. That'd be a non-starter for me then. Way too many attack vectors for my taste. Good luck!
     
  8. Biznatch

    Biznatch [H]ard|Gawd

    Messages:
    1,575
    Joined:
    Nov 16, 2009
    So you virtualize the adapter and disable host access... Then only the VMs attached to the vNIC will be able to use it. If it's the WAN port, only add it to pfsense. Plenty of people virtualize pfsense on Hyper-V doing just that, myself included. But that's also on a dedicated server; it would be pretty dumb to use your daily machine as a VM host for mission critical stuff like that.
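    One way to build what Biznatch describes, using the WAN/LAN layout Eulogy sketched in post 5, as an added Hyper-V PowerShell example that is not from anyone in this thread. The physical adapter names, switch names and the firewall VM name are assumptions; check yours with Get-NetAdapter and Get-VM, and run this from an elevated PowerShell on the Windows 10 host.

```powershell
# Added example (not from the thread). Adapter names and the VM name below
# are assumptions; replace them with the output of Get-NetAdapter / Get-VM.

$WanNic = "Ethernet 2"   # physical NIC facing the modem (assumed name)
$LanNic = "Ethernet 3"   # physical NIC facing the LAN switch (assumed name)
$FwVm   = "pfSense"      # name of the firewall VM (assumed name)

# WAN switch: no management-OS vNIC, so Windows 10 never gets an IP stack on
# the internet-facing port. Only VMs attached to this switch see that wire.
New-VMSwitch -Name "WAN" -NetAdapterName $WanNic -AllowManagementOS $false

# LAN switch: the host keeps a vNIC here, so Windows 10 sits behind the
# firewall like any other LAN client instead of in front of it.
New-VMSwitch -Name "LAN" -NetAdapterName $LanNic -AllowManagementOS $true

# One vNIC per side for the firewall VM. pfSense serves DHCP and routes, so
# the DHCP/Router guards that make sense on ordinary guests stay off here.
Add-VMNetworkAdapter -VMName $FwVm -SwitchName "WAN" -Name "WAN"
Add-VMNetworkAdapter -VMName $FwVm -SwitchName "LAN" -Name "LAN"
Set-VMNetworkAdapter -VMName $FwVm -DhcpGuard Off -RouterGuard Off

# Verification: list every vNIC, guest or host, attached to the WAN switch.
# The expected result is exactly one entry, the firewall VM, and
# IsManagementOs must be False for all of them.
function Test-WanIsolation {
    param([string]$SwitchName = "WAN", [string]$AllowedVm = "pfSense")
    $onWan = Get-VMNetworkAdapter -All | Where-Object SwitchName -eq $SwitchName
    $onWan | Select-Object VMName, Name, IsManagementOs |
        Format-Table -AutoSize | Out-Host
    $stray = $onWan | Where-Object { $_.IsManagementOs -or $_.VMName -ne $AllowedVm }
    if ($stray) {
        Write-Warning "Something other than $AllowedVm is attached to $SwitchName"
        return $false
    }
    return $true
}
Test-WanIsolation -SwitchName "WAN" -AllowedVm $FwVm
```

    Note that -AllowManagementOS $false only removes the host's vNIC and IP stack from that port; the physical NIC driver and the virtual switch still run inside the Windows 10 kernel, and anyone with administrator rights on the host can undo it with Set-VMSwitch -AllowManagementOS $true or attach another vNIC. It is a configuration boundary, not the hardware isolation that real passthrough would give, which is exactly the distinction Eulogy draws above.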
     
  9. Eulogy

    Eulogy 2[H]4U

    Messages:
    2,158
    Joined:
    Nov 9, 2005
    Right. We do that in ESXi all the time as well. From the way the OP sounds though, this is on his personal machine, so he'd at least have to invest in a NIC to do this, if I had to guess (preferably a 2 port, so he can have WAN on one, LAN on the other to a switch). As-is though, I don't think OP can do what is asked without compromise.
     
  10. MrGuvernment

    MrGuvernment Pick your own.....you deserve it.

    Messages:
    19,463
    Joined:
    Aug 3, 2004
    That was why my main question was how separate the Hyper-V driver layer is from Windows itself, since this is my daily driver. As I had heard that Hyper-V loads before the main OS, it could technically be isolated from Windows 10 enough. Really this is just about me getting rid of another box and converging into less gear.

    I do have plenty of NICs; I have 3 QLogic dual-port NICs in this plus 2 integrated on the mobo.

    So really at this point the main concern is not so much running PFsense within Hyper-V and that host being on the internet directly, but more so that, because this is my daily driver, if I did in fact get infected within Windows 10, that would then expose everything. Just to note, I would not be considering something like this for a work environment or any production gear; this is 110% my home system and lab.

    But on that note, since this is solely a home lab and nothing critical, if my Windows 10 gets infected anyway it would get wiped and redone (knock on wood, I have not been infected or hacked since back in the Windows 2000 days when some French hacker got into my computer).

    I really wish ESXi 6.5 wasn't a flake-tastic piece of crap with GPU pass-through and even server-grade NICs these days, because then my original plan would have been in play and I'd be running my main rig as a VM with pass-through.