It's not the best solution, of course - ideally you would have a separate VM host for DMZ guests. If you do choose to go this way though, some points you should take into account:
The obvious one first: someone can use an exploit to escape the VM jail and so compromise your LAN hosts from the DMZ. So you should really keep up with patches both on DMZ guests and host, and then hope for the best.
Mistakes in the configuration have serious consequences. Think, for example, of the possibility you or some else assigns NICs both on the DMZ and the LAN to some host. Now your DMZ and your LAN are the same thing. Of course you can prevent this by enforcing procedures and just being competent, but you see how you could say you end up with a more fragile environment.
That said, it's still better than not having a DMZ at all so it can be a good stop-gap solution if you can't use a separate host right now. Just keep in mind that it's not as safe as having your DMZ guests on a separate host and real network.
Public bridging
If you have only one NIC on the KVM host and you want to have access for the VMs to main network attached to eth0
interface you have to setup a public network bridge on top of your physical network interface (eth0
in the example):
Without bridging you have something similar in /etc/network/interfaces
:
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth0
iface eth0 inet static
address 192.168.0.101
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1
To setup a bridge replace the eth0
part by:
# The primary network interface
auto br0
iface br0 inet static
address 192.168.0.101
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1
bridge_ports eth0
bridge_stp off
bridge_maxwait 5
and sudo ifup br0
or reboot the machine. Note the bridge_ports eth0
part, it links the bridge on your physical nic and give access to the bridge at the main network.
Host-Only (Private bridging)
By creating a public bridge you can have your virtual machines have access between them by the network attached to eth0
. If you need to have only access between VMs on the same host, you can use a private bridge (so you mantain your eth0
configuration and you don't bind your network interface to the bridge, bridge_ports none
). In your interfaces configuration files you'll have:
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth0
iface eth0 inet static
address 192.168.0.101
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1
# The private bridge
auto br0 inet static
address 172.16.0.1
netmask 255.255.255.0
network 172.16.0.0
broadcast 172.16.0.255
bridge_ports none
bridge_stp off
bridge_fd 0
bridge_maxwait 0
and sudo ifup br0
or reboot the machine.
You can use the new created bridge, public or private (br0
) as network device for KVM virtual machines. This step changes if you use vanilla qemu/kvm cli or if you use some management tools (virsh, virt-manager, ovirt, proxmox, etc.)
Guest configuration
In both case you can configure your virtual machine like a normal host with a network interface on network, and you can have in /etc/network/interfaces
something similar to (example for network 192.168.0.0/24):
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth0
iface eth0 inet static
address 192.168.0.102
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1
Some useful documentation:
Best Answer
I would say the main risk would be any exploit that allows someone to break out of the VM and attack the host. This has happened with VMWare before. So this would put your LAN at a higher risk from the DMZ than totally isolated machines, but I wouldn't say it's stupid either. Just depends on how secure it really has to be...
Also take into account this sounds a little more 'complicated', and therefore you might be more likely to overlook something. I bet more security is hacked because of Administrative mistakes than exploits.
One more thing to think about is if you work in place / industry that might have audits. Even if this method is no less secure really, there might be some BS audit rule about the DMZ and LAN residing on the same physical server.