Hyper-V - how secure / separate are the NIC's from the main OS?

MrGuvernment

MrGuvernment

Fully [H]
Joined
Aug 3, 2004
Messages
21,573
Currently I am running Hyper-V via Windows 10 Pro.

I wasn't able to do ESXi due to GPU pass through being too flaky so I just did an install of Windows 10 and using Hyper-V for my home lab.

My question is, I run a separate physical PFsense firewall but i would love to run it all from my home lab box and cut back on another device. (server grade hardware including the NIC's)

My concern is, how separate / secure are NIC's when they are assigned to be used in Hyper-V from the Core OS?

Extreme example here, if my Windows 10 for some reason got compromised and I was too blind to notice, could someone "access" the Hyper-V nics to sniff traffic going to the VM's?

I know when you install Hyper-V on Windows it really goes into the OS...
 
If someone compromises your hypervisor, yes, they'll have access to pretty much everything virtualized.
 
Was kind of my thought, is you are essentially exposing Windows 10 to the internet directly and relying on Windows Firewall to protect you and then the Hyper-V layer.
 
Well, no. Now you're kind of diverging from your original question a tad. If you pass through hardware to a guest VM, that does limit your exposure a little bit.
Internet in ---> physical NIC --> passthrough pNIC to pFsense ("WAN" NIC) --> virtual NIC ("LAN" NIC) --> different pNIC out to LAN

You're still exposed a bit, but less. Not that ESXi is impervious to attacks, but it's certainly more secure. pFsense doesn't need much hardware though, no need to be running like a Xeon or anything like that...
 
Eulogy said:
Well, no. Now you're kind of diverging from your original question a tad. If you pass through hardware to a guest VM, that does limit your exposure a little bit.
Internet in ---> physical NIC --> passthrough pNIC to pFsense ("WAN" NIC) --> virtual NIC ("LAN" NIC) --> different pNIC out to LAN

You're still exposed a bit, but less. Not that ESXi is impervious to attacks, but it's certainly more secure. pFsense doesn't need much hardware though, no need to be running like a Xeon or anything like that...
Click to expand...


Problem is Hyper-V on windows 10 does not support hardware pass through of anything like NIC's, only GPU's for RemoteFX. It appears all of the powershell commands are there, but they do not work and give errors :(
 
Ah. That'd be a non-starter for me then. Way too many attack vectors for my taste. Good luck!
 
So you virtualize the adapter and disable host access... Then only the VMs attached to the vNIC will be able to use it. If it's the WAN port, only add to pfsense. Plenty of people virtualize pfsense on hyperV doing just that, myself included. But that's also on a dedicated server, it would be pretty dumb to use your daily machine as a VM host for mission critical stuff like that.
 
Biznatch said:
So you virtualize the adapter and disable host access... Then only the VMs attached to the vNIC will be able to use it. If it's the WAN port, only add to pfsense. Plenty of people virtualize pfsense on hyperV doing just that, myself included. But that's also on a dedicated server, it would be pretty dumb to use your daily machine as a VM host for mission critical stuff like that.
Click to expand...
Right. We do that in ESXi all the time as well. From the way the OP sounds though, this is on his personal machine, so he'd at least have to invest in a NIC to do this, if I had to guess (preferrably a 2 port, so he can have WAN on one, LAN on the other to a switch). As-is though, I don't think OP can do what is asked without compromise.
 
That was why my main question was how separate is the Hyper-V driver layer from Windows it's self since this is my daily driver. As I had heard that Hyper-V loads before the main OS it could technically be isolated from the Windows 10 enough. Really this is just about me getting rid of another box to have and converging into less gear.

I do have plenty of NICs, I have 3 Qlogic Dual port nic's in this plus 2 integrated on the mobo.

So really at this point then the main concern is not so much running PFsense with in Hyper-V an that host being on then internet directly, but more so because this is my daily driver, if i did in fact get infected with in Windows 10, that would then expose everything. Just to not, I would not be considering something like this for a work environment or any production gear, this is 110% my home system and lab.

But on that note, since this is soley a home lab and nothing critical or anything, if my Windows 10 gets infected anyways, it would get wiped and redone (knock on wood I have not been infected or hacked since back in the Windows 2000 days when some french hacker got into my computer)

I really wish ESXi 6.5 wasn't a flake-tastic piece of crap with GPU pass through and even Server grade NICs these days because then my original plan would of been in play and having my Main rig as a VM with pass through.
 
You must log in or register to reply here.
Back
Top