# Virtualization options for hardened-gentoo

## mark_lagace

I'm not sure whether to post this under Networking/Security or Kernel/Hardware so if I've posted in the wrong forum please forgive me. Since my question is more related to the security aspect I thought this would be a better place.

In essence, I'm trying to determine the most secure setup for a home server that will be providing the following services:

1. Router/gateway/firewall to share a single aDSL connection amongst 3 home computers (1 wireless laptop, 2 wired desktops)

2. File server (samba) for providing access to shared files among the home computers and a centralized spot for making backups.

3. E-mail server (currently running Postfix, Dovecot, and some spam fighting tools e.g. spamassassin). This is both sending and receiving e-mail for local users (i.e. in my home) and some remote users. These are mostly family members that I'm providing e-mail addresses for - it's not a commercial setup or very high load.

4. Web server - not currently set up, but on my list of things to do to share some photos of the kids with family etc.

At the moment, this is all running on a single box that is installed with the "hardened" profile, though to be honest I haven't taken advantage of the ACL components of the kernel and toolchain. I am using PaX and PIE and those goodies though. Given that the hardware is going through a slow sputtering death (don't ask!) and that I'm taking some time over the holidays to build a new system, I've been looking into reinstalling from scratch and trying to think through the security aspects a bit more thoroughly than I have to date.

I've started looking into options for virtualization, to better separate out the 4 key services that my current server is providing. The most obvious reason for this is to better separate the internal file share from the external network accessible services (mail/web). Unfortunately, it seems that there are/may be issues with setting up virtual servers on a box that is using the hardened toolchain and kernel. Does anyone have any experience with this? The new box is running on an Intel Atom 330 processor, so I don't have the AMD-V / Intel VT processor extension required for several of the virtual server software packages out there.

Any help and/or advice would be appreciated.

EDIT: One corollary question: Would it be more secure to run multiple virtual servers (presumably able to run "hardened") where the host is not using the hardened toolchain/kernel or a single server providing all of those services but running hardened-gentoo (i.e. as it is currently)?

----------

## cach0rr0

*mark_lagace wrote:*

> EDIT: One corollary question: Would it be more secure to run multiple virtual servers (presumably able to run "hardened") where the host is not using the hardened toolchain/kernel or a single server providing all of those services but running hardened-gentoo (i.e. as it is currently)?

without vmx/svm the options are, as you're aware, somewhat limited 

would otherwise suggest KVM without any of the graphical stuff

failing that you're precluded to things like qemu, vmware-server, virtualbox

In all of the above, in order to get them fully functional, you have to lighten PaX restrictions - something I'm not fully comfortable with to be honest.

So your last thought would be the route I'd go honestly. Standard gentoo install as the host, any virtualization platform you like from there, but run hardened guests. 

That assumes you can adequately segregate the host OS from the guests on a network level, as well assumes the outside world's access to the host OS will be virtually nil. 

NB: I am in the same exact boat, and asked the same exact question (actually...damn near the exact title!) a while back. This was the result of my thread - https://forums.gentoo.org/viewtopic-t-785096-highlight-virtualization+hardened.html - basically, that KVM could work without X, and therefore not as huge a problem under hardened-sources. BUT, not applicable to you; running that on a Phenom 9950, so, all of the virtualization support in the proc.

----------

## mark_lagace

*cach0rr0 wrote:*

> That assumes you can adequately segregate the host OS from the guests on a network level, as well assumes the outside world's access to the host OS will be virtually nil.

That's the crux of the issue right there. How well separated is the host from the guests and how well separated is the host from the net? I'll need to have networking enabled on the host to be able to pass the network interfaces to the guests, but presumably I can leave the interfaces "down" on the host so that the only way to connect to it is locally through the console? I was thinking of the following setup:

Host - physical network cards are here obviously, but interfaces are not initialized.

Virtual server 1 (gateway) - firewall server that would use PPPOE to connect up my DSL and share the network connection to my home network and the other virtual servers.

Virtual server 2 (mail) - postfix, dovecot, spamassassin and clamav. Gets external ports 25(smtp) and 993(imaps) forwarded from the gateway.

Virtual server 3 (web) - apache. Gets external ports 80 and 443 forwarded from the gateway.

Virtual server 4 (fileshare) - samba. Not connected to the outside network, but accessible from the local net (192.168.x.x)

Is this even doable or do I need to have the host connected to the net to be able to connect the virtual servers? Can I use a virtual server as the gateway machine?

----------

## Mad Merlin

*mark_lagace wrote:*

> *cach0rr0 wrote:* That assumes you can adequately segregate the host OS from the guests on a network level, as well assumes the outside world's access to the host OS will be virtually nil.
>
> That's the crux of the issue right there. How well separated is the host from the guests and how well separated is the host from the net? I'll need to have networking enabled on the host to be able to pass the network interfaces to the guests, but presumably I can leave the interfaces "down" on the host so that the only way to connect to it is locally through the console? I was thinking of the following setup:
>
> Host - physical network cards are here obviously, but interfaces are not initialized.
> ...

Certainly you can with KVM (or QEMU): simply create a bridge with no IP that eth0 is plugged into, then bridge the guests into said bridge. It'll make your host function just like a non-managed hardware switch, i.e., it passes traffic but is not directly addressable.

You can also create another bridge which isn't connected to any physical interface on the host, which you then plug a guest into as well as plugging the same guest into the first bridge (for 2 virtual NICs in the guest), in this way that guest (only) will be able to reach the host and can function as a login server.
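The two-bridge layout described above, as an added example that is not part of the original thread and not KVM's or QEMU's own tooling: a POSIX shell script using iproute2 that builds an address-less bridge holding the physical NIC (assumed to be `eth0`), a second host-only bridge carrying the host's only address, and tap devices for the guests. The bridge names, tap names and the 10.0.0.1/24 management address are constructed assumptions. One caveat the post does not mention: the kernel normally auto-assigns an IPv6 link-local address to any interface it brings up, which would make the "switch" host reachable on the wire after all, so the script disables IPv6 on the external bridge. With `DRY_RUN=1` it prints the commands instead of executing them; applying them needs root.

```shell
#!/bin/sh
# Added example (not from the thread): the two-bridge host layout with iproute2.
#   br-wan  : holds the physical NIC, carries no address -> host acts like an
#             unmanaged switch and is not addressable from the wire.
#   br-mgmt : no physical member; the host's only address lives here, so only a
#             guest that is also plugged into br-mgmt can reach the host.
# Names and the management address below are constructed assumptions.
# DRY_RUN=1 prints the commands instead of running them (running needs root).

WAN_IF="${WAN_IF:-eth0}"
WAN_BR="${WAN_BR:-br-wan}"
MGMT_BR="${MGMT_BR:-br-mgmt}"
MGMT_ADDR="${MGMT_ADDR:-10.0.0.1/24}"

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

setup_bridges() {
    # External bridge: strip any address from the NIC, enslave it, and keep the
    # bridge itself address-less. Disabling IPv6 on the bridge stops the kernel
    # from auto-assigning a link-local address that would make the host reachable.
    run ip link add name "$WAN_BR" type bridge
    run ip addr flush dev "$WAN_IF"
    run ip link set dev "$WAN_IF" master "$WAN_BR"
    run sysctl -q -w "net.ipv6.conf.$WAN_BR.disable_ipv6=1"
    run ip link set dev "$WAN_IF" up
    run ip link set dev "$WAN_BR" up

    # Host-only bridge: no physical member, carries the host's management address
    run ip link add name "$MGMT_BR" type bridge
    run ip addr add "$MGMT_ADDR" dev "$MGMT_BR"
    run ip link set dev "$MGMT_BR" up
}

# attach_guest_tap TAP BRIDGE: create a tap device for one guest NIC and plug it
# into BRIDGE; the tap name is what the guest's tap network backend is given.
attach_guest_tap() {
    run ip tuntap add dev "$1" mode tap
    run ip link set dev "$1" master "$2"
    run ip link set dev "$1" up
}

# Stand-alone use: DRY_RUN=1 sh bridges.sh apply (preview), sh bridges.sh apply (as root)
if [ "${1:-}" = apply ]; then
    setup_bridges
    attach_guest_tap tap-gw0    "$WAN_BR"   # gateway guest: on the wire only
    attach_guest_tap tap-login0 "$WAN_BR"   # login guest: one NIC on the wire ...
    attach_guest_tap tap-login1 "$MGMT_BR"  # ... and one on the host-only bridge
fi
```

Only the guest plugged into both bridges (two taps, so two virtual NICs) can reach the host's 10.0.0.1 address; every other guest and every machine on the wire sees the host as a dumb switch. Check the result with `ip -o addr show dev br-wan`, which should list no addresses at all.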

----------

## mark_lagace

KVM isn't an option since my processor lacks Intel-VT/AMD-V, but I'll look into QEMU.

Thanks for the suggestions.

----------

## Mad Merlin

*mark_lagace wrote:*

> KVM isn't an option since my processor lacks Intel-VT/AMD-V, but I'll look into QEMU.
>
> Thanks for the suggestions.

I know, but KVM and QEMU are 99% the same aside from KVM being much faster.

----------

## Herring42

*mark_lagace wrote:*

> KVM isn't an option since my processor lacks Intel-VT/AMD-V, but I'll look into QEMU.

Quick question: How do you tell?

----------

## cach0rr0

*Herring42 wrote:*

> Quick question: How do you tell?

check for the presence of the 'vmx' or 'svm' flags in /proc/cpuinfo

```
egrep 'flags.*(vmx|svm)' /proc/cpuinfo
```

If you have 'em, it's supported.
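The same check wrapped as a function, as an added example that is not cach0rr0's command or anything from the thread: it matches only on `flags` lines of a cpuinfo-format file (so a model name that happens to contain the letters is not counted), requires the extension name to be a whole token, reports which extension is present, and takes the file as a parameter so it can be run against a saved copy from another machine. One caveat the post leaves out: the flag only says the CPU advertises the extension; firmware can still leave it disabled, so a `kvm` module that refuses to load on a CPU showing `vmx` or `svm` usually points at a BIOS setting rather than the processor.

```shell
#!/bin/sh
# Added example (not from the thread): detect hardware virtualization support
# from /proc/cpuinfo. Intel VT-x advertises 'vmx', AMD-V advertises 'svm'.
# FILE defaults to /proc/cpuinfo; pass a saved copy to check another machine.

# hw_virt_flag [FILE]: prints vmx, svm or none; exits 0 when an extension is present.
hw_virt_flag() {
    file="${1:-/proc/cpuinfo}"
    # Restrict the match to 'flags' lines, and require the extension name to be
    # a whole space-delimited token so that e.g. a model-name line never counts.
    for ext in vmx svm; do
        if grep -E "^flags[[:space:]]*:.*[[:space:]]${ext}([[:space:]]|\$)" "$file" >/dev/null 2>&1; then
            echo "$ext"
            return 0
        fi
    done
    echo none
    return 1
}

# Stand-alone use: sh vtcheck.sh /proc/cpuinfo   (or a saved cpuinfo dump)
if [ $# -gt 0 ]; then
    hw_virt_flag "$1"
fi
```

The exit status makes it usable from a build or install script (`hw_virt_flag /proc/cpuinfo || echo "falling back to plain QEMU"`), which is exactly the decision the thread is about.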

----------

