create a truly secure DMZ VM

naskoboy

Dabbler
Joined
Nov 5, 2022
Messages
24
Hi friends,

I need to run an Internet-facing web server (along with a few other services).
Having a separate physical DMZ machine (along with proper port forwarding in the firewall) is seemingly the simple approach. However, I was hoping to reduce the number of boxes/wires and possibly have all this securely running off TrueNAS Core.
So my grand plan is this:

1) In my OPNsense firewall, configure a DMZ interface (a separate subnet, incompatible with the LAN).
2) Create a new jailed VM and assign it a dedicated DMZ network interface (I can plug in an additional PCI NIC card, right?) and an IP address (static or DHCP) linked to the DMZ interface from OPNsense.
3) Install Ubuntu and everything else I need in that new jailed VM.

So my naive thinking (if possible at all) is that this web server will be completely insulated from my LAN. So if bad guys find a way to break into my jailed Ubuntu, my LAN would still be safe.
Is this possible?
I will have to do tons of reading since I don't know how to do it, but I would appreciate your opinion: is this possible? Is this safe? Are there any other concerns I should be aware of?
If you could point me in the right direction, please.

thanks
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
Think you're a little confused.

A jail is a FreeBSD construct that controls aspects of the filesystem namespace, potentially a virtual networking stack, and other things but does so using the running kernel of an existing FreeBSD host. A jail shares large bits of the existing host, except where it doesn't.

A virtual machine is an entirely new kernel running in a virtual environment, able to run a full (and potentially different) operating system.

Both constructs can support a variety of network setups. If you want to run OPNsense, then you need to run that in a virtual machine. You can definitely set up a DMZ webserver setup in a jail.
 

naskoboy

Dabbler
Joined
Nov 5, 2022
Messages
24
@jgreco thanks for the lightning fast reply!
Since I plan to use Ubuntu as the host for my web server, it looks like I would need a "VM" (not just a jail, which is limited to FreeBSD), right?

You seem to suggest having OPNsense also running in a VM on TrueNAS; (if possible) would that be reasonable from a security perspective?
I want to make sure that no attack can be launched against my LAN if the web server is compromised.

Regarding the "additional NIC" approach above, does it look reasonable to you?

thanks
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Personally, I prefer to have my edge device on dedicated hardware. Given that, and the understanding that nothing you'd be doing involves a jail, your plan sounds sound. VLANs should be able to do it without needing a dedicated NIC for the VM (or a separate NIC on the router), as another alternative, though it would likely require a managed Ethernet switch, which you may not have.

Is it as safe as using dedicated hardware for the webserver? No; in principle you could be subject to security vulnerabilities in bhyve which could allow an attacker to break out of the VM. I'd expect the likelihood of such a vulnerability to be pretty low, but it isn't zero.
 

MrGuvernment

Patron
Joined
Jun 15, 2017
Messages
268
As noted above, OPNsense should remain its own device if it already is. This also keeps the Internet up if you work on your TrueNAS system (I run pfSense myself).

1. VLAN for your DMZ
2. Rules in OPNsense to be sure any "allow all" rules you have for other VLANs block access to the DMZ LAN (the DMZ VLAN by default will have no rules, so nothing should be able to go out from it, but your other VLANs may have Allow All rules which would allow them IN to the DMZ)
3. If not already, pfblocker (if there is an Opnsense version?) to geo block every country you do not want access to your site.

As danb35 said, sure, possibly one day someone might get into your webserver, and then try to escape the VM, or VLAN hop (also possible) to get into your other VLANs; while the chance may be low, it is not a matter of if, but when.

Curious, do you need to host this website at your home? Or could you just pay for some cheap webhosting from gandi or someone and be done with it?

What kind of website, and how secure is the base? (wordpress with a bunch of plugins and themes) or something custom?
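The "allow all leaks into the DMZ" point from the rule list above, written out as a minimal pf ruleset (OPNsense generates pf rules underneath its GUI). This is an added example, not from the thread or from OPNsense's own generated rules; the interface names, subnets and webserver address are assumed:

```pf
# Assumed layout (constructed for this example):
#   em0    = WAN (Internet-facing)
#   em1    = LAN, 192.168.1.0/24
#   em1.99 = DMZ VLAN 99, 10.99.0.0/24
#   web    = 10.99.0.10, the webserver VM sitting in the DMZ
wan     = "em0"
lan     = "em1"
dmz     = "em1.99"
web     = "10.99.0.10"
lan_net = "192.168.1.0/24"
dmz_net = "10.99.0.0/24"

set skip on lo0

# Port forward only the published services from the Internet to the DMZ host.
rdr on $wan proto tcp from any to ($wan) port { 80, 443 } -> $web

# Default deny on every interface; the pass rules below are the whole policy.
block log all

# WEAK: the usual LAN "allow all". Because it matches "to any", every LAN
# host can also reach the DMZ, which is the leak the post warns about.
# pass in quick on $lan from $lan_net to any

# CORRECTED: refuse LAN -> DMZ before the catch-all, then allow the rest
# (Internet access etc.). "quick" makes the first matching rule final.
block in log quick on $lan from $lan_net to $dmz_net
pass in quick on $lan from $lan_net to any

# WAN -> DMZ: only the forwarded web ports reach the webserver.
pass in quick on $wan proto tcp from any to $web port { 80, 443 }

# DMZ -> elsewhere: the DMZ host may reach the Internet (updates), but a
# compromised webserver can never initiate traffic toward the LAN.
block in log quick on $dmz from $dmz_net to $lan_net
pass in quick on $dmz from $dmz_net to any
```

The logged block rules are what you would watch: any hit on the DMZ -> LAN block after the site goes live is a sign the webserver is probing inward.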
 

naskoboy

Dabbler
Joined
Nov 5, 2022
Messages
24
@danb35, @mrGuver I hear what you are saying, thanks

1) I do have OPNsense on a separate box and intend to keep it this way.

2) re DMZ: I do have a spare "HP T620 thin client" I might repurpose to host my webserver; that way my FreeNAS would be kept completely sealed away from the Internet and therefore the "escape the VM, or VLAN hop" risk would be eliminated altogether, right?
I don't need a managed switch to implement that, right?

3) re webserver: it's custom, involves Java app + Postgresql + Subsonic - so I need some sort of "compute engine" somewhere incl. 30GB storage. AMZ Lightsail is being considered.

More cables/boxes in my living room :( but seems to be well worth it.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
> I don't need a managed switch to implement that, right?
If you're using a separate physical NIC on your router, no, you wouldn't need a managed switch.
> I do have a spare "HP T620 thin client" I might repurpose to host my webserver; that way my FreeNAS would be kept completely sealed away from the Internet and therefore the "escape the VM, or VLAN hop" risk would be eliminated altogether, right?
Presuming your firewall rules are set properly, and that box isn't directly connected to your LAN, yes.
 

MrGuvernment

Patron
Joined
Jun 15, 2017
Messages
268
I tend to go over the top with things like this, so, as well as TrueNAS may be built, exposing it to the Internet to me just sounds like a massive potential risk. (Exposing anything is really, but of course we need to, right!) Especially when it comes to storage, it should never see the light of day!

AWS may be the way to go if you just want to avoid having to worry about hosting all of this yourself, the security of your own network, and keeping the underlying OS and such all patched and up to date. Depending on usage, it may not cost as much, and it costs far less in terms of worry factor; and if you are not sure your coding skills are secure, that's just one more reason to keep things off your own network.

Don't get me wrong, it is great to set up your own web servers and run things yourself (have your TST env on your home network); you learn a lot, but there also comes a time when it can just be easier to use something that already exists.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
> as well as TrueNAS may be built, exposing it to the Internet to me just sounds like a massive potential risk
Sure, but there's a huge difference between exposing the NAS itself, and exposing a VM (or jail) running on the NAS. There's still some risk in the latter, but far less than the former.
 

naskoboy

Dabbler
Joined
Nov 5, 2022
Messages
24
Here is another crazy idea to entertain:
1) create a VM in TrueNAS
2) properly expose that VM1 to Internet (DMZ rules on firewall, etc.).
3) install Proxmox in that VM1
4) create 2nd VM in Proxmox
5) install Ubuntu/webserver in the 2nd Proxmox VM

Does it buy me anything in terms of security?
thanks
 

naskoboy

Dabbler
Joined
Nov 5, 2022
Messages
24
@danb35 In Proxmox I heard of people installing TrueNAS (I assume along with VMs); isn't that "nested virtualization"?
If that works, perhaps it would work the other way around too?
thanks
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
> In Proxmox I heard of people installing TrueNAS (I assume along with VMs)
Why would you assume that? I can understand virtualizing TrueNAS. But if you already have a good hypervisor available (be it Proxmox, ESXi, xcp-ng, etc.), why on earth would you put a VM in TrueNAS rather than in the main hypervisor itself?
 

naskoboy

Dabbler
Joined
Nov 5, 2022
Messages
24
> Why would you assume that? I can understand virtualizing TrueNAS. But if you already have a good hypervisor available (be it Proxmox, ESXi, xcp-ng, etc.), why on earth would you put a VM in TrueNAS rather than in the main hypervisor itself?
I wouldn't do that! I was only trying to find proof that "nested virtualization" is possible, and if so, then my "crazy" idea above is possible (Proxmox in a TrueNAS VM), and then I hoped to make it much harder for bad guys to break out of 2 layers of virtualization.
I got carried away, sorry :)
 