PullAndPush Posted December 3, 2023

Hi everyone, I am already using Unraid for my home network and am impressed by its agility and simplicity. I also have a dedicated e-mail server/SIEM server in a DMZ VLAN and am now wondering (as the Unraid host is getting bored) whether it makes sense to truncate the DMZ VLAN to the Unraid host and run the e-mail server/SIEM server as a VM? Especially in terms of security (breaking out of the VM and then accessing internal servers) I am undecided here and would like to hear your thoughts on this.

bmartino1 Posted April 26

Possible? Yes. Should you? IMHO, no. If you did, I would recommend the deny host plugin. Unraid IMHO is not true enterprise-grade software. It's slow to implement security and patches. Some changes due to repositories and packages they use are not always fully up to date. For this reason, I would not trust this system to be a forward facing machine. Is it capable of doing so? Yes.

ich777 Posted April 26

2 hours ago, bmartino1 said: "I would not trust this system to be a forward facing machine."

I'm not sure if I agree with that since otherwise you shouldn't be forwarding containers. In my opinion it should be safe to put this one VM with its own dedicated DMZ VLAN on the DMZ (as long as you only put the VM in this VLAN) since the forwarding is done on the Router/Firewall/Switch and as long as your VM running the Mailserver is up to date it should be fine. Sure, the VLAN filtering is done on Unraid, but that happens on the Kernel level and is part of the Linux network layer, which should also be considered safe.

On 12/3/2023 at 9:59 AM, PullAndPush said: "breaking out of the VM and then accessing internal servers"

That should on its own be pretty hard since you don't use the Host's Kernel and it is isolated from the Host, but you know nothing is safe, neither are VLANs 100% safe... In my opinion it should be pretty safe and many people run Mail servers in VMs or even Docker containers (which share the Kernel from the host). This is my opinion on that...