
Hi. We have a 7950X with 64GB of RAM in the lab. I was thinking of installing a VM for access for the staff to their computers. Here is the diagram.

[image: network diagram]

The main server on the external network is an SQL database server that we access in the lab. The IT of the main server will not grant access unless we have a PC which is not connected to the internet. I was wondering whether installing a virtual machine on this dual-WAN PC would let us have access to this SQL server. Is there a way to configure the VM to have no internet access but have access to their SQL server via LAN1? Once this is done, can the clients in the local network access the VM via their PC?

 

 

I.) R9 5950X | LF III Pro 360 | X570 Aorus Master rev1.0 | 64GB Gskill 3600Mhz (B-die) | 2TBx3 M.2 | 500x2 850 Pro | 1TB 860 Evo x 2 | Seasonic 1000W Ti | RTX 5080 Astral
II.) R9 5900X | U12A | X570 Aorus Master rev1.0 | 64GB Dominator 3466Mhz (B-die) | 2TBx3 M.2 | 2TB WD Gold | Seasonic 1000W Ti | 6800XT Nitro+ SE
III.) Relay Server: E5 2697Av4 | D15 | X99 E WS 3.1 BIOS 4001 | Micron DDR4 RDIMM 2400Mhz | P620 | 6x 2TB 970 Evo Plus | 12x12TB HC520 | Define 7 XL | Seasonic Platinum 1300W
IV.) TrueNAS: 3900X | NH D12L | X570D4U-2L2T | Corsair LPX 128GB DDR4 | Arc A380 | 12TB x8 HC520 | Intel Optane x2 boot drive | 4x 500GB 870 Evo Plus
V.) R7 5700X | LF III Pro 240 | X570i ROG | 32GB Team Create 3600Mhz (B-die) | 2x2TB M.2 | Silverstone 800W Platinum Extreme SFX 
https://linustechtips.com/topic/1502674-virtual-machine-query/

5 minutes ago, DocYoda said:

Hi. We have a 7950X with 64GB of RAM in the lab. I was thinking of installing a VM for access for the staff to their computers. Here is the diagram.

[image: network diagram]

The main server on the external network is an SQL database server that we access in the lab. The IT of the main server will not grant access unless we have a PC which is not connected to the internet. I was wondering whether installing a virtual machine on this dual-WAN PC would let us have access to this SQL server. Is there a way to configure the VM to have no internet access but have access to their SQL server via LAN1? Once this is done, can the clients in the local network access the VM via their PC?

 

 

Is this server fully air gapped from the outside world? Sounds like it is, if neither it nor any clients that access it can be on the internet.
 

If that is the case… I’m assuming the air gap isn’t there just for fun, and as such, no, whatever data lives in that server is probably intended to not be internet facing, and the client machines which are internet facing would defeat that purpose. 
 

Unless I am misunderstanding the topology…

Rig: i7 13700k +Contact Frame - - Asus Z790-P Wifi - - RTX 4080 - - 4x16GB 6000MHz - - Samsung 990 Pro 2TB NVMe Boot + Main Programs - - Crucial P3 2TB NVMe for photo work - - Corsair RM850x - - Sound BlasterX EA-5 - - Corsair XC8 JTC Edition - - Corsair GPU Full Cover GPU Block - - PTM 7950 - - XT45 X-Flow 420 + UT60 280 rads externally mounted - - EK XRES RGB PWM - - Fractal Define S2 - - DellAlienware AW3423DWF 34" -- Logitech Pro X Superlight - - Logitech G710+ - - LTT Northern Lights Deskpad

 

Headphones/amp/dac: Schiit Bifrost Multibit - -  Schiit Lyr 3 - - Fostex TR-X00 - - Sennheiser HD 6xx

 

Homelab/Media Server: Proxmox VE host - - 512 NVMe Samsung 980 RAID Z1 for VM's/Proxmox boot - - Xeon e5 2660 V4- - Supermicro X10SRF-i - - 128 GB ECC 2133 - - 10x8TB WD Red RAID Z2 - - 2x 800 GB SAS SSD’s (1 SLOG, 1 L2Arc) - - 45 HomeLab HL15 15 Drive 4U - - Corsair RM650i - - LSI 9305-16i HBA - - TreuNAS + many other VM’s

 

Unifi UDM Pro in front of full unifi network infrastructure

 

iPhone 17 Pro - - MacBook Air M3


This feels like a "work with IT to solve the problem" situation. Working around IT can cause a mess.

 

Why does the PC need dual LAN? Just connect it to the switch like every other device.

 

Yeah, you can set up a firewall for the VM so it has access to the main server and the clients, but not the rest of the internet.
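What that firewall looks like in practice, as an added example that is not from this post or the thread: a POSIX shell function that generates an nftables ruleset for inside the VM. The VM may open new connections only to the SQL server on the NIC facing the hospital network (LAN1), and may accept new connections only from the lab subnet on the NIC facing the lab switch, so there is no DNS, no HTTP(S) and no update traffic to the internet. The interface names, addresses and ports are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not the thread's configuration. Generates an nftables ruleset
# for a VM that must reach only one SQL server via LAN1 and be reachable only
# from the lab subnet via LAN2. All parameters below are assumed placeholders.
#
# usage: gen_vm_ruleset SQL_IP SQL_PORT LAB_SUBNET SERVICE_PORT [EXT_IF] [LAB_IF]
gen_vm_ruleset() {
  sql_ip="$1"; sql_port="$2"; lab_net="$3"; svc_port="$4"
  ext_if="${5:-eth0}"   # assumed: NIC attached to the hospital network (LAN1)
  lab_if="${6:-eth1}"   # assumed: NIC attached to the lab switch
  cat <<EOF
flush ruleset
table inet vmguard {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    # lab clients may reach the VM's published service (e.g. RDP) only via the lab NIC
    iifname "$lab_if" ip saddr $lab_net tcp dport $svc_port ct state new accept
    # everything else, including unsolicited traffic arriving from LAN1, is logged then dropped
    log prefix "vmguard-in-drop: " drop
  }
  chain output {
    type filter hook output priority 0; policy drop;
    oif lo accept
    ct state established,related accept
    # the only new outbound connection the VM may open: the SQL server on LAN1
    oifname "$ext_if" ip daddr $sql_ip tcp dport $sql_port ct state new accept
    # no DNS, no HTTP(S), no updates: anything else on either NIC is logged then dropped
    log prefix "vmguard-out-drop: " drop
  }
  chain forward {
    # the VM must never route between the two NICs
    type filter hook forward priority 0; policy drop;
  }
}
EOF
}

# Parse-check the generated ruleset without installing it (nft -c). Returns 0
# and prints a notice when nft is not present on this machine.
check_vm_ruleset() {
  command -v nft >/dev/null 2>&1 || { echo "nft not installed; parse check skipped" >&2; return 0; }
  gen_vm_ruleset "$@" | nft -c -f -
}

# Install the ruleset (run as root inside the VM after check_vm_ruleset passes).
apply_vm_ruleset() {
  gen_vm_ruleset "$@" | nft -f -
}

# example: apply_vm_ruleset 10.0.0.5 1433 192.168.10.0/24 3389 eth0 eth1
```

Two caveats a reviewer would raise. First, a ruleset inside the guest protects against misconfiguration, not against someone with administrator rights in the guest; the same policy belongs on the hypervisor side as well (the VM's LAN1 interface on its own bridge, the host not forwarding between the two NICs). Second, the `log` lines are what lets you prove to the hospital's IT that nothing else is leaving the VM: export those counters and log lines rather than asserting the VM is "offline".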

 

 


1 hour ago, LIGISTX said:

Is this server fully air gapped from the outside world? Sounds like it is, if neither it nor any clients that access it can be on the internet.
 

If that is the case… I’m assuming the air gap isn’t there just for fun, and as such, no, whatever data lives in that server is probably intended to not be internet facing, and the client machines which are internet facing would defeat that purpose. 
 

Unless I am misunderstanding the topology…

I am not so familiar with how they air gapped their servers. But to my knowledge, this server has security protocols with their own configurations. This server only accommodates the whole "local network" (this is a hospital and different departments access their database, e.g. pediatrics, surgery, radiology, pathology lab). The database cannot be accessed outside the network (outside the hospital). Each department has its own local network. We belong to the pathology lab dept. We set up our own local network for our own files like tissue images from specimens and other files which we only utilize ourselves. After we make lab reports, they are then forwarded to a dropbox which is managed by the IT department for database deployment. Other data like blood tests are managed by the external server which is linked to the whole hospital. Since we have our own local network, we wanted a computer to be connected to this external server to have access to other files. We have access PCs, but they are located in other sections of the lab, which is inconvenient. So the intention of this is basically access within our area to the external server. And to note, since our PCs have our own ISP, the IT does not grant access to their servers if our PCs are connected to the internet via our own ISP.

 

 

1 hour ago, Electronics Wizardy said:

This feels like a "work with IT to solve the problem" situation. Working around IT can cause a mess.

 

Why does the PC need dual LAN? Just connect it to the switch like every other device.

 

Yeah, you can set up a firewall for the VM so it has access to the main server and the clients, but not the rest of the internet.

 

 

 

We wanted access from one of our PCs which is connected to the internet (our own ISP; other depts also have their own ISP). The IT dept has its own ISP as well. The PC I am referring to has a motherboard with dual LAN, a 2.5G and a 10G. The 10G NIC connects to our 10G switch. I intend to connect the 2.5G to the external network.

1 hour ago, leadeater said:

Just ask for a meeting and come up with a viable compromise that everyone agrees to

Already did. Since we have our own set of PCs for our local dept network for internet access with a different ISP which is separate from the ISP of the hospital, they won't grant access because of that. So I intend to have this, if it is possible: to install a VM in one of the PCs for the sole purpose of access to the external server.


27 minutes ago, DocYoda said:

Already did. Since we have our own set of PCs for our local dept network for internet access with a different ISP which is separate from the ISP of the hospital, they won't grant access because of that. So I intend to have this, if it is possible: to install a VM in one of the PCs for the sole purpose of access to the external server.

In theory yes, but our answers still don't matter, since they'd have to be the ones to say whether that's acceptable to them or not, and it probably won't be.

If the server is airgapped and they want an airgapped client for connecting to it, that's for a reason, and something that might at some point no longer be airgapped due to any kind of bug, misconfiguration or virus/attack won't be acceptable.

F@H
Desktop: i9-13900K, ASUS Z790-E, 64GB DDR5-6000 CL36, RTX3080, 2TB MP600 Pro XT, 2TB SX8200Pro, 2x16TB Ironwolf RAID0, Corsair HX1200, Antec Vortex 360 AIO, Thermaltake Versa H25 TG, Samsung 4K curved 49" TV, 23" secondary, Mountain Everest Max

Mobile SFF rig: i9-9900K, Noctua NH-L9i, Asrock Z390 Phantom ITX-AC, 32GB, GTX1070, 2x1TB SX8200Pro RAID0, 2x5TB 2.5" HDD RAID0, Athena 500W Flex (Noctua fan), Custom 4.7l 3D printed case

 

Asus Zenbook UM325UA, Ryzen 7 5700u, 16GB, 1TB, OLED

 

GPD Win 2


7 hours ago, DocYoda said:

And to note, since our PCs have our own ISP, the IT does not grant access to their servers if our PCs are connected to the internet via our own ISP.

Why do you have your own internet connection? No wonder they don't allow your self-run network to access their resources. It's a trust issue: not so much whether you can run your own network properly (it is that too), but that you've removed visibility and security controls from them, and since hospitals have very real liability and legislative requirements, don't ever expect to be allowed to access secure resources that would fall under that type of thing. FYI, those would also apply to yourselves where relevant, so fair warning in this regard.

 

I'm sure what you have done is out of convenience, and computers on the main hospital network came with usability issues that affected work capabilities, but do remember it's not like IT departments actually want to be a problem or want to have inanely complicated and burdensome networks; compliance brings with it many things nobody wants to do.

 

You would be better off asking them for an RDS server or VM that you can RDP into from any of your own network computers to access the database as required. However, you may not be able to access your own resources from this RDS/VM server if this is required. It would be more likely that the main IT would allow access from this RDS/VM server into your network on specific ports through their firewall, though.

 

This is a situation where you need them to provide something to you that is suitable for your needs. Go up the management chain if you have to.


3 hours ago, leadeater said:

Why do you have your own internet connection? No wonder they don't allow your self-run network to access their resources. It's a trust issue: not so much whether you can run your own network properly (it is that too), but that you've removed visibility and security controls from them, and since hospitals have very real liability and legislative requirements, don't ever expect to be allowed to access secure resources that would fall under that type of thing. FYI, those would also apply to yourselves where relevant, so fair warning in this regard.

 

I'm sure what you have done is out of convenience, and computers on the main hospital network came with usability issues that affected work capabilities, but do remember it's not like IT departments actually want to be a problem or want to have inanely complicated and burdensome networks; compliance brings with it many things nobody wants to do.

 

I wholeheartedly agree.

 

And another little nugget to think about: would you or your department like to be responsible, and maybe be held financially responsible, for the mayhem when the hospital is no longer able to function when the network is hacked, malware infected or fully encrypted by ransomware because of your "solution"?

 

It is hard enough to keep everything safe from attackers without departments going rogue because they think they know better (which they never do).


On 4/24/2023 at 5:16 PM, leadeater said:

Why do you have your own internet connection? No wonder they don't allow your self-run network to access their resources. It's a trust issue: not so much whether you can run your own network properly (it is that too), but that you've removed visibility and security controls from them, and since hospitals have very real liability and legislative requirements, don't ever expect to be allowed to access secure resources that would fall under that type of thing. FYI, those would also apply to yourselves where relevant, so fair warning in this regard.

 

I'm sure what you have done is out of convenience, and computers on the main hospital network came with usability issues that affected work capabilities, but do remember it's not like IT departments actually want to be a problem or want to have inanely complicated and burdensome networks; compliance brings with it many things nobody wants to do.

 

You would be better off asking them for an RDS server or VM that you can RDP into from any of your own network computers to access the database as required. However, you may not be able to access your own resources from this RDS/VM server if this is required. It would be more likely that the main IT would allow access from this RDS/VM server into your network on specific ports through their firewall, though.

 

This is a situation where you need them to provide something to you that is suitable for your needs. Go up the management chain if you have to.

 

21 hours ago, Enigma147 said:

I wholeheartedly agree.

 

And another little nugget to think about: would you or your department like to be responsible, and maybe be held financially responsible, for the mayhem when the hospital is no longer able to function when the network is hacked, malware infected or fully encrypted by ransomware because of your "solution"?

 

It is hard enough to keep everything safe from attackers without departments going rogue because they think they know better (which they never do).

 

We have our own internet because we also access our files remotely. Bandwidth allocation in our lab can accommodate only a few PCs and is limited. Aside from that BW limit, we use it for our Zoom meetings, online trainings and lectures. A simple search of a disease entity with a word like "breast" or "vagina" gets blocked. This is a pathology lab and those are among the common terms. This own internet was requested through the admin and it was approved, and this was very useful at the height of the COVID pandemic. The hospital provided us with a couple of workstations, a UDM-SE, a couple of 10GbE switches and NAS systems. We process tissue imagings ranging from 500MB to 1.5GB for a single file. This is one of the reasons we have our own ISP and a separate local network. There is a virtual dropbox where we drop our files for data archiving, forwarded to medical records, which is managed by the IT dept. Some of the technical details of this networking stuff in the hospital are partly handled by a 3rd-party IT company. I understand why there are some restrictions, hence we requested a separate independent network. I have to get back to them and discuss with them what we really intend to have from one of the PCs in this separate network. Our dept just wants to have access to a particular database (patient database, lab testing data) for us to integrate with our diagnostic findings. One of our workstations has dual LAN, a 10GbE and a 2.5GbE. I was wondering whether making a VM in this workstation would somehow let it connect from the secondary 2.5GbE LAN to one of their database servers. During one of our meetings, they mentioned this database server is based on an "application server". Is it possible to have this VM access this application, and within our separate local network other PCs will connect to this VM and access that just "read only"? Thank you for your inputs.

 

 


12 hours ago, DocYoda said:

We have our own internet because we also access our files remotely. Bandwidth allocation in our lab can accommodate only a few PCs and is limited. Aside from that BW limit, we use it for our Zoom meetings, online trainings and lectures. A simple search of a disease entity with a word like "breast" or "vagina" gets blocked. This is a pathology lab and those are among the common terms. This own internet was requested through the admin and it was approved, and this was very useful at the height of the COVID pandemic.

You shouldn't need your own connection though, different internet filtering rules can be applied to groups of users or subnet (your office area) etc. What you had definitely was a problem but could also be provided with a solution without a separate internet connection.

 

Not that it matters a whole lot since there is almost always multiple solutions to a problem and some are easier to achieve than other ways, or one that you have control over becomes the easier option like getting your own internet connection.

 

Is the main hospital internet connection not all that high bandwidth? Just curious overall since here we have very good access to very high speed connection options, 10Gb and 100Gb for example.

 

One thing that is possible is to get a second ISP connection provisioned in the main IT server room connected to their firewall but have the ruleset and network routing configured so that only your area utilizes that connection. It's a good way to expand bandwidth, ensure it's dedicated for the right purpose and maintain security visibility. Not that I'm really suggesting such a change but it's good to think about possibilities like this.

 

12 hours ago, DocYoda said:

Some of the technical details of this networking stuff in the hospital are partly handled by a 3rd-party IT company.

Yeah, that can get annoying; support companies like to keep things configured the way they like, which suits them and keeps support cost down. They don't always have the best interest of the customer in mind or the best possible outcomes usability-wise. Speaking from working in such a company and role in the past.

 

Generally speaking, I don't like fully-managed-by-3rd-party contracts because it more often results in worse outcomes, but it has its place too.

 

12 hours ago, DocYoda said:

I was wondering whether making a VM in this workstation would somehow let it connect from the secondary 2.5GbE LAN to one of their database servers. During one of our meetings, they mentioned this database server is based on an "application server". Is it possible to have this VM access this application, and within our separate local network other PCs will connect to this VM and access that just "read only"? Thank you for your inputs.

Do you know what the database server engine actually is? If it's Microsoft SQL Server, maybe ask if it's possible to set up customized views that have only the necessary data you need and then configure database replication of just those views to a VM you host that is also running SQL Server; then you can use that database server to access the data you need. If you just need database access and not the application, this is a common way to achieve what you need and it's quite a secure way of doing it.

 

This way also means you won't have any potential way to have a negative performance impact on their server since you are only running queries on your own database server.

 
