Re: [ovirt-users] ovirtmgmt network security

2017-10-30 Thread Staniforth, Paul
Yes, you don't need ovirtmgmt on the VMs, and I think if you use passthrough it 
will pin it to the host. It is probably better to create a DMZ logical network 
and attach the hosts in the cluster to the DMZ VLAN, which will allow them to 
migrate and be set up for HA.


Regards,

   Paul S.


From: users-boun...@ovirt.org <users-boun...@ovirt.org> on behalf of Alona 
Kaplan <alkap...@redhat.com>
Sent: 30 October 2017 09:50
To: Luca 'remix_tj' Lorenzetto
Cc: users
Subject: Re: [ovirt-users] ovirtmgmt network security

Hi Istvan,

I agree with Luca. You can remove nic1.
'ovirtmgmt' network is not mandatory on the vm, you can run the vm with no 
vnics (virtual nics) at all.
The 'ovirtmgmt' network is used for communication between the engine and the 
host.
Whether the vm is using the 'ovirtmgmt' network or not won't affect the management 
capabilities.

You said that the vm nic with 'ovirtmgmt' was automatically added when you 
added the vm.
It is strange and shouldn't behave this way. Are you sure that in the add vm 
dialog you didn't choose it as the network of nic1? (you could leave this 
section in the dialog unfilled, it is not mandatory).

BTW, if you don't want any VM to use the 'ovirtmgmt' network you can go to the 
edit network dialog of 'ovirtmgmt' (in the Network main tab) and uncheck the 
'vm network' checkbox.

Hope it helps you,
Alona.

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] ovirtmgmt network security

2017-10-30 Thread Luca 'remix_tj' Lorenzetto
Glad to hear it!

You're welcome!

On 30 Oct 2017 9:13 PM, "Istvan Buki" wrote:

> On Mon, Oct 30, 2017 at 10:50 AM, Alona Kaplan 
> wrote:
>
>> Hi Istvan,
>>
>> I agree with Luca. You can remove nic1.
>> 'ovirtmgmt' network is not mandatory on the vm, you can run the vm with
>> no vnics (virtual nics) at all.
>> The 'ovirtmgmt' network is used for communication between the engine and
>> the host.
>> Whether the vm is using the 'ovirtmgmt' network or not won't affect the
>> management capabilities.
>>
>> You said that the vm nic with 'ovirtmgmt' was automatically added when
>> you added the vm.
>> It is strange and shouldn't behave this way. Are you sure that in the add
>> vm dialog you didn't choose it as the network of nic1? (you could leave
>> this section in the dialog unfilled, it is not mandatory).
>>
>> BTW, if you don't want any VM to use the 'ovirtmgmt' network you can go
>> to the edit network dialog of 'ovirtmgmt' (in the Network main tab) and
>> uncheck the 'vm network' checkbox.
>>
>> Hope it helps you,
>> Alona.
>>
>>
> Hi Alona,
>
> Yes, removing nic1 was the solution I was looking for.
>
> You are right, I probably added nic1 during the creation of the VM. This
> is my first ovirt install and I'm a little bit overwhelmed by all the
> details one has to know to create a system that is reliable and efficient.
> Fortunately, thanks to people like you and Luca, I'll be able to overcome
> the initial difficulties.
>
>
> Istvan
>


Re: [ovirt-users] ovirtmgmt network security

2017-10-30 Thread Istvan Buki
On Mon, Oct 30, 2017 at 10:50 AM, Alona Kaplan  wrote:

> Hi Istvan,
>
> I agree with Luca. You can remove nic1.
> 'ovirtmgmt' network is not mandatory on the vm, you can run the vm with no
> vnics (virtual nics) at all.
> The 'ovirtmgmt' network is used for communication between the engine and
> the host.
> Whether the vm is using the 'ovirtmgmt' network or not won't affect the
> management capabilities.
>
> You said that the vm nic with 'ovirtmgmt' was automatically added when you
> added the vm.
> It is strange and shouldn't behave this way. Are you sure that in the add
> vm dialog you didn't choose it as the network of nic1? (you could leave
> this section in the dialog unfilled, it is not mandatory).
>
> BTW, if you don't want any VM to use the 'ovirtmgmt' network you can go to
> the edit network dialog of 'ovirtmgmt' (in the Network main tab) and
> uncheck the 'vm network' checkbox.
>
> Hope it helps you,
> Alona.
>
>
Hi Alona,

Yes, removing nic1 was the solution I was looking for.

You are right, I probably added nic1 during the creation of the VM. This is
my first ovirt install and I'm a little bit overwhelmed by all the details
one has to know to create a system that is reliable and efficient.
Fortunately, thanks to people like you and Luca, I'll be able to overcome
the initial difficulties.


Istvan



Re: [ovirt-users] ovirtmgmt network security

2017-10-30 Thread Istvan Buki
On 30 Oct 2017 10:26 AM, "Luca 'remix_tj' Lorenzetto" <
lorenzetto.l...@gmail.com> wrote:

On Mon, Oct 30, 2017 at 8:45 AM, Istvan Buki  wrote:
> Hello,
>
> thank you for your patience for trying to let me see the light.
>
> Indeed I don't understand what you are explaining. Maybe if I give you more
> concrete details it will help.
>
> My internal network is 192.168.196.0
> My DMZ network is 192.168.188.0
>
> ovirt-engine is running on a centos server with IP 192.168.186.3
> ovirt host is on a centos server with IP 192.168.186.4
>
> On the host I created a VM that I want to be in the DMZ. When I created the
> VM, nic 1 was automatically added and is linked to the ovirtmgmt network.
> In the VM nic1 becomes eth0 and was assigned an IP address with DHCP
> 192.168.186.167.
>
> After that I added a host device to that VM using passthrough. This device
> is called ens7 in the VM and I gave IP 192.186.188.4.
> That device is directly connected to my physical DMZ switch and from there
> to the firewall.
> This part is OK.
>
> My problem is that through eth0 my VM has access to my internal network.
> Removing the device seems impossible because this is ovirtmgmt network.
> I can not change or remove the IP of my host because it would not be
> reachable anymore on my internal network.
>
> Maybe the solution is obvious but I can't see it. I'm running in circles with
> this problem and it makes me crazy.
>



Hi Istvan,

why are you using device passthrough?

Anyway. If you don't need the VM to access ovirtmgmt, remove nic1.
As far as I can understand, you're directly communicating through DMZ.


Hi Luca,

As I have only one VM in the DMZ currently I assigned the NIC directly to
the VM instead of creating a logical network to get maximum performance and
better security because only the VM can access that network interface. If
one day I have to create another VM inside DMZ I'll create a logical
network and bind the NIC to that network instead of the VM.

OK, I removed nic1 and it looks good. The only interface left is the DMZ
network and I can reach it through the firewall. :-)

Thank you so much for your help and patience.

Istvan
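
The check this thread converges on (a DMZ guest must hold no address on ovirtmgmt or the internal LAN), as an added example that is not part of the original posts: it parses `ip -o -4 addr show` output taken inside the guest. The /24 masks, the network labels and both sample outputs are assumptions constructed for illustration.

```python
import ipaddress
import re

# Networks a DMZ guest must not sit on. The thread gives addresses without
# masks, so the /24 prefixes (and the labels) are assumptions.
FORBIDDEN_NETS = {
    "ovirtmgmt": ipaddress.ip_network("192.168.186.0/24"),
    "internal": ipaddress.ip_network("192.168.196.0/24"),
}

# One record per address in `ip -o -4 addr show`:
#   "<index>: <ifname>    inet <addr>/<prefix> ..."
ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\d+\.\d+\.\d+\.\d+)/(\d+)\b")

# Constructed sample: guest with nic1 (eth0) still attached to ovirtmgmt.
BEFORE = r"""
1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.186.167/24 brd 192.168.186.255 scope global dynamic eth0\       valid_lft 86026sec preferred_lft 86026sec
3: ens7    inet 192.168.188.4/24 brd 192.168.188.255 scope global ens7\       valid_lft forever preferred_lft forever
"""

# Constructed sample: the same guest after nic1 was removed.
AFTER = r"""
1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
3: ens7    inet 192.168.188.4/24 brd 192.168.188.255 scope global ens7\       valid_lft forever preferred_lft forever
"""


def parse_ip_addr(output):
    """Return [(ifname, IPv4Interface)] parsed from `ip -o -4 addr show` text."""
    found = []
    for line in output.splitlines():
        match = ADDR_RE.match(line.strip())
        if not match:
            continue  # blank line or a record we do not understand
        ifname, addr, prefix = match.groups()
        found.append((ifname, ipaddress.ip_interface(f"{addr}/{prefix}")))
    return found


def audit(output, forbidden=FORBIDDEN_NETS):
    """Return [(ifname, address, label)] for every address on a forbidden net."""
    findings = []
    for ifname, iface in parse_ip_addr(output):
        if iface.ip.is_loopback:
            continue
        for label, net in forbidden.items():
            # overlaps() also catches a guest whose mask is wider or narrower
            # than the /24 assumed above.
            if iface.network.overlaps(net):
                findings.append((ifname, str(iface), label))
    return findings


if __name__ == "__main__":
    for name, sample in (("before", BEFORE), ("after", AFTER)):
        hits = audit(sample)
        print(name, "FAIL" if hits else "OK", hits)
```
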


Re: [ovirt-users] ovirtmgmt network security

2017-10-30 Thread Alona Kaplan
Hi Istvan,

I agree with Luca. You can remove nic1.
'ovirtmgmt' network is not mandatory on the vm, you can run the vm with no
vnics (virtual nics) at all.
The 'ovirtmgmt' network is used for communication between the engine and
the host.
Whether the vm is using the 'ovirtmgmt' network or not won't affect the
management capabilities.

You said that the vm nic with 'ovirtmgmt' was automatically added when you
added the vm.
It is strange and shouldn't behave this way. Are you sure that in the add
vm dialog you didn't choose it as the network of nic1? (you could leave
this section in the dialog unfilled, it is not mandatory).

BTW, if you don't want any VM to use the 'ovirtmgmt' network you can go to
the edit network dialog of 'ovirtmgmt' (in the Network main tab) and
uncheck the 'vm network' checkbox.

Hope it helps you,
Alona.



Re: [ovirt-users] ovirtmgmt network security

2017-10-30 Thread Luca 'remix_tj' Lorenzetto
On Mon, Oct 30, 2017 at 8:45 AM, Istvan Buki  wrote:
> Hello,
>
> thank you for your patience for trying to let me see the light.
>
> Indeed I don't understand what you are explaining. Maybe if I give you more
> concrete details it will help.
>
> My internal network is 192.168.196.0
> My DMZ network is 192.168.188.0
>
> ovirt-engine is running on a centos server with IP 192.168.186.3
> ovirt host is on a centos server with IP 192.168.186.4
>
> On the host I created a VM that I want to be in the DMZ. When I created the
> VM, nic 1 was automatically added and is linked to the ovirtmgmt network.
> In the VM nic1 becomes eth0 and was assigned an IP address with DHCP
> 192.168.186.167.
>
> After that I added a host device to that VM using passthrough. This device
> is called ens7 in the VM and I gave IP 192.186.188.4.
> That device is directly connected to my physical DMZ switch and from there
> to the firewall.
> This part is OK.
>
> My problem is that through eth0 my VM has access to my internal network.
> Removing the device seems impossible because this is ovirtmgmt network.
> I can not change or remove the IP of my host because it would not be
> reachable anymore on my internal network.
>
> Maybe the solution is obvious but I can't see it. I'm running in circles with
> this problem and it makes me crazy.
>



Hi Istvan,

why are you using device passthrough?

Anyway. If you don't need the VM to access ovirtmgmt, remove nic1.
As far as I can understand, you're directly communicating through DMZ.

Luca


-- 
"It is absurd to employ men of excellent intelligence to perform
calculations that could be entrusted to anyone if machines were
used"
Gottfried Wilhelm von Leibnitz, Philosopher and Mathematician (1646-1716)

"The Internet is the largest library in the world.
But the problem is that the books are all scattered on the floor"
John Allen Paulos, Mathematician (1945-living)

Luca 'remix_tj' Lorenzetto, http://www.remixtj.net , 


Re: [ovirt-users] ovirtmgmt network security

2017-10-30 Thread Istvan Buki
Hello,

thank you for your patience for trying to let me see the light.

Indeed I don't understand what you are explaining. Maybe if I give you more
concrete details it will help.

My internal network is 192.168.196.0
My DMZ network is 192.168.188.0

ovirt-engine is running on a centos server with IP 192.168.186.3
ovirt host is on a centos server with IP 192.168.186.4

On the host I created a VM that I want to be in the DMZ. When I created the
VM, nic 1 was automatically added and is linked to the ovirtmgmt network.
In the VM nic1 becomes eth0 and was assigned an IP address with DHCP
192.168.186.167.

After that I added a host device to that VM using passthrough. This device
is called ens7 in the VM and I gave IP 192.186.188.4.
That device is directly connected to my physical DMZ switch and from there
to the firewall.
This part is OK.

My problem is that through eth0 my VM has access to my internal network.
Removing the device seems impossible because this is ovirtmgmt network.
I can not change or remove the IP of my host because it would not be
reachable anymore on my internal network.

Maybe the solution is obvious but I can't see it. I'm running in circles
with this problem and it makes me crazy.

Again thank you for your help.

Istvan




Re: [ovirt-users] ovirtmgmt network security

2017-10-27 Thread Luca 'remix_tj' Lorenzetto
Sorry,

But you didn't understand well what I've said.

If your host has no ip addresses on that network, you're not encountering
any risk because you've no access to that network at layer 3.

Removing ovirtmgmt is not possible, that network is mandatory.

Luca


On 27 Oct 2017 1:36 PM, "Istvan Buki" wrote:

Hello,

I totally agree on the first part: IP set only on the VM.

For the ovirtmgmt access, if I understand correctly, I have to choose
between security and ease of management of my VM but I can not have both.

Istvan




Re: [ovirt-users] ovirtmgmt network security

2017-10-26 Thread Luca 'remix_tj' Lorenzetto
Hello,

On the dmz Network you don't need any address configured on the host.

You set ip address only on the vm. If the vm gets compromised, its access
is limited only to DMZ Network.

 There is no way for the attacker to gain access to ovirtmgmt if vm is not
configured to use it.

Luca

On 26 Oct 2017 6:32 PM, "Istvan Buki" wrote:

> Hello ovirt experts,
>
> I'm totally new to ovirt and trying to learn as fast as I can. So, please
> bear with me and my possibly stupid questions.
> Sorry if my questions have been answered already, but please point me to
> the place where I can find the answers.
>
> I've setup ovirt 4.1.6 and created a first VM that I want to expose in a
> DMZ.
> I attached a dedicated NIC to the VM using passthrough which is connected
> to the DMZ network. This is all working as expected.
>
> Now, I'm wondering what to do about the ovirtmgmt interface. Obviously, in
> case the security of the VM is compromised and someone gets unauthorized
> access to it I do not want the attacker to have access to my internal
> network through the ovirtmgmt interface.
>
> The most secure solution would be to remove that ovirtmgmt interface but
> then I lose management functionalities.
> Can you suggest the possible solutions to protect the ovirtmgmt network
> from unwanted access?
>
> Thanks for your answers
>
> Istvan


[ovirt-users] ovirtmgmt network security

2017-10-26 Thread Istvan Buki
Hello ovirt experts,

I'm totally new to ovirt and trying to learn as fast as I can. So, please
bear with me and my possibly stupid questions.
Sorry if my questions have been answered already, but please point me to
the place where I can find the answers.

I've setup ovirt 4.1.6 and created a first VM that I want to expose in a
DMZ.
I attached a dedicated NIC to the VM using passthrough which is connected
to the DMZ network. This is all working as expected.

Now, I'm wondering what to do about the ovirtmgmt interface. Obviously, in
case the security of the VM is compromised and someone gets unauthorized
access to it I do not want the attacker to have access to my internal
network through the ovirtmgmt interface.

The most secure solution would be to remove that ovirtmgmt interface but
then I lose management functionalities.
Can you suggest the possible solutions to protect the ovirtmgmt network
from unwanted access?

Thanks for your answers

Istvan