Should the virtualization host be allowed to run any service?

The virtualization host should be the most secure machine you have. The most secure machine is one that is not connected to a network at all ;-)

Having that in mind, it is best not to offer any services on your public interfaces. You should not even have an IP there (a bridge for VMs is layer 2).

Think of the VM-host as DMZ: traffic into it is forbidden, originating no problem.

So in your example:

  • VNC: Bad - this is an incoming service
  • Backup: No problem - sessions are initiated from here to the outside

But even then - you should only run services that will not eat up RAM/CPU/IO on your VM-host - else your VMs will suffer from lack of resources.
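
One way to check a host against the rule in the answer above (no IP on the public side, no inbound services reachable there), as an added example that is not part of the original answer. It parses `ip -o addr show` and `ss -Htln` output; the interface names `br0` and `mgmt0`, the addresses and the `public_ifaces` parameter are assumptions, and the sample output is constructed.

```python
import ipaddress

# Constructed `ip -o addr show` output (sample data, not from the original post).
SAMPLE_IP_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo
3: br0    inet 203.0.113.10/24 brd 203.0.113.255 scope global br0
4: mgmt0    inet 10.0.0.5/24 brd 10.0.0.255 scope global mgmt0
"""

# Constructed `ss -Htln` output: VNC on the wildcard address, SSH on management only.
SAMPLE_SS = """\
LISTEN 0 5   0.0.0.0:5900   0.0.0.0:*
LISTEN 0 128 10.0.0.5:22    0.0.0.0:*
LISTEN 0 128 127.0.0.1:631  0.0.0.0:*
"""

WILDCARDS = {"*", "0.0.0.0", "::"}

def addresses_by_interface(ip_output):
    """Map interface name -> set of IP addresses configured on it."""
    result = {}
    for line in ip_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[2] in ("inet", "inet6"):
            addr = ipaddress.ip_interface(fields[3]).ip
            result.setdefault(fields[1], set()).add(addr)
    return result

def audit(ip_output, ss_output, public_ifaces):
    """Return findings that violate 'no IP and no inbound service on public interfaces'."""
    findings = []
    addrs = addresses_by_interface(ip_output)
    public_addrs = set()
    for iface in sorted(public_ifaces):
        for addr in sorted(addrs.get(iface, ()), key=str):
            public_addrs.add(addr)
            findings.append(("address", iface, str(addr)))
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host = fields[3].rpartition(":")[0].strip("[]").split("%")[0]
        # A wildcard listener is only reachable publicly if a public interface has an IP.
        exposed = bool(public_addrs) if host in WILDCARDS else ipaddress.ip_address(host) in public_addrs
        if exposed:
            findings.append(("listener", fields[3]))
    return findings
```

With the address removed from `br0`, the same VNC listener on `0.0.0.0` no longer shows up as a finding, which is the effect of keeping the VM bridge at layer 2.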


I'd suggest separating the VPN functions to a hardware-based firewall or separate device... E.g. what happens if the server is down?

But in lieu of that, it is possible to use your existing virtualization host as the terminus for your VPN. Backups aren't necessarily a problem either.

This sounds like a small setup (what type of hardware are you using?), but if you're asking, maybe you have some reservations? Why do you think it may not be a good idea?