Docker Container Network Isolation - Possible to Do? Safer?

Hey guys,


I would like to run a game server on my UnRaid machine (Binhex Minecraft Server Docker container), and open it up to the internet via port forwarding so that friends outside of my network can join. The fear I have currently is that my server is on my main network VLAN, which has all of my other computers, mobile devices and other important things on it. The server itself also has other Docker containers and file shares, which share the same physical NIC connection and IP address to my router. This main VLAN can also speak to other VLANs I have in my home such as security cameras, IoT devices etc. Obviously anything exposed to the internet via open ports on a router is a risk in itself, and if something were to go wrong such as an intrusion or attack, then I could find myself in a situation where they have access to my home network, right? At least I think this could happen?


I had thought about building a dedicated machine for exposed services such as game servers, and making a separate VLAN for it with rules to isolate it from the main network so it can speak ONLY to the internet and nothing else. However this involves extra cost that I would rather not have to do considering I have a perfectly working UnRaid server as it is.


I have been reading up on Docker networks and various NIC setups etc, and it seems like I could potentially segregate the Minecraft Docker container without having to spend too much money. I think this would mean even if someone managed to get in, they wouldn't be able to access anything else on the server/network right?


With this in mind, would it be possible to install a separate NIC in the server, and connect it to my network via a separate physical cable (assigning it with a separate VLAN and isolating that network in the process), or could I potentially achieve this with the single onboard NIC I am currently using, and utilise some sort of VLAN tag that is only used by that container? I am in the Ubiquiti UniFi ecosystem, and I currently already have this server on a VLAN.


Please let me know if I am completely overthinking this safety/paranoia-wise; I have a habit of going over the top unnecessarily with security. If there's a better way to open up a Docker container to the internet, while keeping the server and network safe, I am all ears! Thanks guys :)


Edited by eric90000

You can definitely isolate the server to a separate VLAN and then isolate that VLAN from the rest of your network. If that program is compromised it would then not have access to the rest of your network, so for outward facing services (especially since that very program had recent vulnerabilities) it is a wise idea.

4 minutes ago, Ystebad said:

You can definitely isolate the server to a separate VLAN and then isolate that VLAN from the rest of your network. If that program is compromised it would then not have access to the rest of your network, so for outward facing services (especially since that very program had recent vulnerabilities) it is a wise idea.

OK awesome, this is what I needed to hear! Thanks for the link. Looks like I can do it with the single built-in NIC, right? Just a case of setting up the VLAN on the server and on my network. I'll do some more digging into this to figure it out! Thanks again


Yes, you do not need two NICs. Those with more expertise might argue using a second would be more secure as there are some potential security issues, but unless you are setting up actual separated subnets with different physical switching most of those are going to exist in the VLAN world anyway, and unless you’re a very high value target those with the skills to actually penetrate those vulnerabilities will likely be looking elsewhere.


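The single-NIC approach the thread settles on, as an added example that is not code from the thread, from Binhex, or from UnRaid: a VLAN sub-interface is created on the one onboard NIC, a Docker macvlan network is bound to that sub-interface, and the game-server container gets an address on that VLAN only. The interface name eth0, VLAN id 40, the 192.168.40.0/24 subnet, the container address, the image name and the LAN test host are all assumptions; change them to match your network. The UniFi side (creating the VLAN 40 network, tagging it on the switch port that feeds the server, and a firewall rule dropping traffic from that VLAN to your other RFC1918 subnets except established/related) is done in the controller, not here. The script prints the commands by default (DRY_RUN=1) and only executes them as root with DRY_RUN=0; the last step checks from a throwaway container on the isolated network that a main-VLAN host is unreachable, which is what tells you the firewall rule actually took effect.

```shell
#!/bin/sh
# Added example, not from the original thread or from UnRaid/Binhex.
# Puts one Docker container on its own tagged VLAN over the host's single NIC:
#   1. VLAN sub-interface on the parent NIC
#   2. macvlan Docker network bound to that sub-interface
#   3. container attached with a static IP on the VLAN (no host port mapping)
#   4. isolation check: a LAN host must be unreachable from that network
# All names and addresses below are assumptions for illustration.
set -eu

PARENT_IF="${PARENT_IF:-eth0}"                      # assumed: single onboard NIC
VLAN_ID="${VLAN_ID:-40}"                            # assumed: VLAN created in UniFi for exposed services
VLAN_SUBNET="${VLAN_SUBNET:-192.168.40.0/24}"       # assumed subnet of that VLAN
VLAN_GW="${VLAN_GW:-192.168.40.1}"                  # assumed: the UniFi gateway's address on it
CONTAINER_IP="${CONTAINER_IP:-192.168.40.10}"       # assumed static IP for the game server
DOCKER_NET="${DOCKER_NET:-dmz_vlan${VLAN_ID}}"      # name of the Docker network we create
IMAGE="${IMAGE:-binhex/arch-minecraftserver}"       # assumed image name; check Binhex's docs
LAN_TEST_HOST="${LAN_TEST_HOST:-192.168.1.10}"      # assumed: some host on the main VLAN
DRY_RUN="${DRY_RUN:-1}"                             # 1 = print commands only, 0 = execute as root

# Name of the 802.1Q sub-interface, e.g. eth0.40
vlan_iface() { printf '%s.%s\n' "$PARENT_IF" "$VLAN_ID"; }

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# Step 1: tagged sub-interface on the existing NIC (UnRaid can also create
# this from its network settings; this is the generic iproute2 equivalent).
create_vlan_iface() {
  run ip link add link "$PARENT_IF" name "$(vlan_iface)" type vlan id "$VLAN_ID"
  run ip link set "$(vlan_iface)" up
}

# Step 2: macvlan network whose parent is the VLAN sub-interface, so every
# container on it sends frames tagged with VLAN_ID and nothing else.
create_macvlan_net() {
  run docker network create -d macvlan \
    --subnet "$VLAN_SUBNET" --gateway "$VLAN_GW" \
    -o parent="$(vlan_iface)" "$DOCKER_NET"
}

# Step 3: the container lives on the VLAN with its own IP. No -p mapping:
# with macvlan the router forwards WAN:25565 straight to CONTAINER_IP:25565,
# and the container cannot reach the host's own IP on the parent NIC.
run_container() {
  run docker run -d --name minecraft --network "$DOCKER_NET" \
    --ip "$CONTAINER_IP" "$IMAGE"
}

# Step 4: from a scratch container on the isolated network, try to open a
# TCP connection to a main-VLAN host. Success means the VLAN firewall rule
# is missing; failure (timeout/refused) is the result we want. A throwaway
# alpine container is used so nothing is assumed about tools in the game image.
check_isolation() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '+ docker run --rm --network %s alpine nc -z -w 3 %s 445 (expect failure)\n' \
      "$DOCKER_NET" "$LAN_TEST_HOST"
    return 0
  fi
  if docker run --rm --network "$DOCKER_NET" alpine nc -z -w 3 "$LAN_TEST_HOST" 445; then
    echo "NOT isolated: $LAN_TEST_HOST:445 reachable from VLAN $VLAN_ID" >&2
    return 1
  fi
  echo "isolated: $LAN_TEST_HOST:445 unreachable from VLAN $VLAN_ID"
}

main() {
  create_vlan_iface
  create_macvlan_net
  run_container
  check_isolation
}

main "$@"
```

Two caveats worth keeping in mind with this layout. Port mapping (-p) does nothing for a macvlan container, so the router's port forward must target the container's VLAN address directly, and the container will not be able to reach the UnRaid host itself on that NIC, which here is a feature rather than a bug. And this only narrows what a compromised game server can reach over the network; the container still runs under the host's Docker daemon, so a container escape is a separate problem that VLANs do not address.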