I'm probably going to get yelled at for this...

hellosky (Weaksauce, joined Mar 28, 2010, 111 messages)
Due to a lack of resources I have to put my firewall, router, and Active Directory VMs all on one machine. I really wish I had $$$ to separate out at least the firewall/routing part but I just can't do it.

What are some recommendations for securing the box and the VMs? I understand it won't be perfect but I need to get the basics down. Thanks.
 
Gotta love it, companies that don't want to buy what you need. I know exactly how you feel.
 
What hypervisor are you running?

As far as securing everything, treat it exactly the same as you would treat a normal network. The only difference would be: don't add the hypervisor to the domain, change the admin username and password, and make the password completely different from anything else.
 
I would say secure it with VLANs, but then again it's for home. Is it really that big of a deal? Should we be alerting the Government?
 
I run all my home stuff off 1 machine, including firewall (pfSense) on top of ESXi 4.1. I use 2 pNICs and 2 vSwitches in ESXi. 1 pNIC & 1 vSwitch hooked only to the pfSense VM that connects to my DSL modem; the 2nd pNIC and vSwitch connects pfSense to all the other VMs and the physical switch.
 
Yeah, for home one box is fine; the only thing that sucks is that you lose your internet connection when you do any maintenance on the ESXi box.
 
It's a perfectly reasonable way to set things up.

If you have a direct Internet facing connection(s), just make sure the Hypervisor doesn't have any services bound to it(them) and that the Internet facing NIC(s) is/are only connected to a virtual switch dedicated for Internet traffic.

Make sure any VMs connected to your Internet facing virtual switch can't route traffic from your Internal network to the Internet connection without going through NAT/Firewall (I use an Untangle VM to allow Internal network to Internet traffic), and make sure your internal network addressing uses one of the dedicated unroutable IP address spaces.

Doesn't hurt to name your Internet facing connection something alarming like "RAW INTERNET CONNECTION!".

I have a 2k8 R2 Hyper-V box set up this way. The hosting box can only access the Internet by going through the Untangle VM.

1 Untangle VM (internal and external connections)
2k8 r2 DC/DHCP/DNS (internal only)
Windows Home server (internal and external connections)
2k8 r2 box Email\Web\FTPS\VPN (internal and external connections)

I have a DIR-655 that I'm mainly just using as a Gigabit switch and a WAP, but I serve out a secondary gateway with my DHCP info, so if my primary box needs to be rebooted for patching, or if I need to take it down for a short while, it doesn't totally disrupt Internet access for the wife. Heaven forbid something should disrupt her access to email!
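The two-vSwitch layout described in the posts above (one pNIC and vSwitch for the raw Internet connection, attached only to the firewall VM; a second for everything internal; no hypervisor services bound to the Internet-facing side; private addressing inside) can be checked against a simple description of the host's network layout. This is an added example, not code from the thread, and the switch, NIC, VM and subnet names are constructed sample values.

```python
import ipaddress

# Constructed sample topology modelled on the thread's setup: one physical NIC
# per vSwitch, one firewall VM bridging the two, everything else internal-only.
SAMPLE_TOPOLOGY = {
    "vswitches": {
        "vSwitch_WAN": {"pnics": ["vmnic0"], "vmkernel_ports": []},
        "vSwitch_LAN": {"pnics": ["vmnic1"], "vmkernel_ports": ["Management"]},
    },
    "wan_vswitch": "vSwitch_WAN",   # the "RAW INTERNET CONNECTION" switch
    "firewall_vm": "pfsense",
    "vms": {
        "pfsense": ["vSwitch_WAN", "vSwitch_LAN"],
        "dc01": ["vSwitch_LAN"],
        "homeserver": ["vSwitch_LAN"],
    },
    "internal_subnets": ["192.168.10.0/24"],
}


def check_topology(topo):
    """Return a list of findings; an empty list means the layout matches the advice."""
    findings = []
    wan = topo["wan_vswitch"]
    fw = topo["firewall_vm"]
    # 1. Only the firewall VM may sit on the Internet-facing vSwitch.
    for vm, switches in topo["vms"].items():
        if wan in switches and vm != fw:
            findings.append(f"{vm} is attached to {wan}; only {fw} should be")
    # 2. The firewall must bridge WAN and an internal switch, or nothing reaches the Internet.
    fw_switches = set(topo["vms"].get(fw, []))
    if wan not in fw_switches or fw_switches == {wan}:
        findings.append(f"{fw} must be attached to {wan} and at least one internal vSwitch")
    # 3. No hypervisor (vmkernel/management) port on the WAN switch: no host services bound there.
    if topo["vswitches"][wan]["vmkernel_ports"]:
        findings.append(f"hypervisor services bound to {wan}: {topo['vswitches'][wan]['vmkernel_ports']}")
    # 4. The Internet-facing pNIC must not be shared with any other vSwitch.
    wan_pnics = set(topo["vswitches"][wan]["pnics"])
    for name, sw in topo["vswitches"].items():
        if name != wan and wan_pnics & set(sw["pnics"]):
            findings.append(f"{name} shares a physical NIC with {wan}")
    # 5. Internal addressing must come from the private (RFC 1918) ranges.
    for cidr in topo["internal_subnets"]:
        if not ipaddress.ip_network(cidr, strict=False).is_private:
            findings.append(f"internal subnet {cidr} is publicly routable")
    return findings


if __name__ == "__main__":
    print(check_topology(SAMPLE_TOPOLOGY) or "no findings")
```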
 