VM is able to access host network somehow, very strange

naskoboy (Dabbler, joined Nov 5, 2022, 24 messages)
Hi friends,

I have TrueNAS installed on an X9SCM-F; this motherboard comes with 2 physical network ports.
The 1st port is linked to the LAN interface (192.168.1.0/24) of my opnSense.
The 2nd port is linked to the DMZ port (10.20.0.0/24).
DHCP is enabled on both.

I created a VM, passed through the 2nd physical port and installed Ubuntu.
I was hoping that this VM would be isolated (since the subnets don't match), meaning it would not have access to my LAN.
Unfortunately, from within the VM's VNC shell I was able to ping the TrueNAS machine and also run "wget -O- 192.168.1.200"?
How is this possible?
Thanks

jgreco (Resident Grinch, joined May 29, 2011, 18,680 messages)

Because you've got a router, opnSense, and this will happily route traffic from one network to the other. This is literally how the Internet works. You can reach the machine that runs truenas.com because you have a series of routers that connect each network to the next. You don't own or operate most of them, of course; your service provider and their upstreams do. But there is nothing about "subnets don't match" that would prevent this from working. Your opnSense router knows about both networks, so if it sees traffic come in on one network addressed for an IP on the other network, it does as designed and delivers it.

If you want to make a DMZ, you need to install appropriate firewall rules to prevent the traffic.
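To make the point above concrete, here is a small added model (not code from the thread or from opnSense) of how a router with both networks attached treats a packet arriving on the DMZ interface: with only the usual "allow DMZ to any" rule it forwards DMZ traffic straight to the LAN, and a first-match "block DMZ to LAN" rule placed above it is what actually isolates the VM while leaving Internet access intact. The two rule sets, the 10.20.0.50 VM address and the 203.0.113.10 Internet address are constructed for the example.

```python
import ipaddress

# The two directly attached networks from the thread; anything else leaves via WAN.
LAN = ipaddress.ip_network("192.168.1.0/24")
DMZ = ipaddress.ip_network("10.20.0.0/24")
ROUTES = {LAN: "lan", DMZ: "dmz"}

# A rule is (source network, destination network or None for "any", action).
# First match wins, as on a pf-based router such as opnSense.
PERMISSIVE_RULES = [
    (DMZ, None, "pass"),   # the common "allow DMZ to any" rule: LAN is reachable
]
DMZ_RULES = [
    (DMZ, LAN, "block"),   # constructed rule: DMZ hosts may not initiate to the LAN
    (DMZ, None, "pass"),   # constructed rule: everything else (Internet) is allowed
]


def egress_interface(dst):
    """Routing decision: pick the interface whose network contains dst."""
    d = ipaddress.ip_address(dst)
    for net, iface in ROUTES.items():
        if d in net:
            return iface
    return "wan"  # default route


def evaluate(src, dst, rules):
    """Apply the first matching rule to a packet entering on the DMZ interface.

    Returns (action, egress interface); the interface is None when blocked.
    pf's default policy is to drop packets that match no rule, so an empty
    rule set also yields "block".
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, action in rules:
        if s in src_net and (dst_net is None or d in dst_net):
            return (action, egress_interface(dst) if action == "pass" else None)
    return ("block", None)


if __name__ == "__main__":
    vm, truenas, internet = "10.20.0.50", "192.168.1.200", "203.0.113.10"
    for label, rules in (("allow DMZ to any", PERMISSIVE_RULES), ("block DMZ to LAN first", DMZ_RULES)):
        print(f"{label}: VM->TrueNAS {evaluate(vm, truenas, rules)}, "
              f"VM->Internet {evaluate(vm, internet, rules)}")
```

Because pf is stateful, the block rule only stops connections the DMZ side initiates; replies to sessions a LAN host opened towards the DMZ are still matched by the existing state and pass.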

naskoboy (Dabbler, joined Nov 5, 2022, 24 messages)
@jgreco - makes sense, thanks.
If appropriate firewall rules are put in place, do you see a security problem with this idea:
TrueNAS port 1: linked to the LAN port
TrueNAS port 2: Ubuntu VM (with a web server installed) linked to the DMZ port of OpnSense, meant to be exposed to the Internet

So, my hope is that if the VM is compromised the bad guys would not be able to reach my LAN at all.
Is this a feasible idea?
Thanks

jgreco (Resident Grinch, joined May 29, 2011, 18,680 messages)
It's a matter of how much you trust all the bits. There's been a long running discussion about "virtualization security" for about as long as VMware's had a commercial product. The basic argument is that virtualization is fine unless they find some way to break out of the VM and into the hypervisor, or there's a mistake in your firewall, or something like that.

Firewalls, however, aren't really what people think. You can watch all these sci-fi shows or spy movies where people claim to be able to get through a firewall in a given amount of time. Total BS in most cases.

But here's the other thing. Security is really more about convincing the baddies to go bother someone else. I like to explain it to the padawans like this. Everything's vulnerable with enough resources. Close a door? I can kick it down. Steel door? I got a crowbar. Locked safe? Light explosives. Etc. You can keep going right on up to Fort Knox. I guarantee that a properly resourced adversary could get into Fort Knox. It might not be practical to set that up though. If a bad guy is out to get you specifically, they can. And maybe not in any of the ways you imagine.

So I try not to get unduly uptight about all the ways that security could fail in plausible but unlikely ways. If you keep up on patches, it is unlikely someone will get in. Not impossible. Plan for that case too.