KVM networking


My last KVM blog entry showed how to install all the prereqs and do the initial install of the virtual machine to host your IDS toy instances.

To really start playing we'll need networking of course.
I'm not going into the details of every single line of config; much better explanations are already written on the web. But I'll try to give a reasonable overview.

To connect the VMs both to the outside world and to each other we'll need a kind of virtual switch running on the host machine, and "wire" the VMs' network interfaces to it.
We'll use a virtual TUN/TAP network interface and promote it to a virtual switch using the VDE utility.
The following network config is for Debian/Ubuntu and similar Linux distros. Please adapt it for RedHat-like ones and others.

First, configure a new TUN/TAP network interface entry in /etc/network/interfaces just as you would for any physical network card. Pay attention to the network addresses: choose a subnet that is NOT already in use on your machine. For example:

auto qtap0
iface qtap0 inet static
address 10.111.111.254
netmask 255.255.255.0
network 10.111.111.0
pre-up tunctl -u informix -t qtap0

Restart networking (/etc/init.d/networking restart) and you should see your new interface up. If not, first check whether the "tun" kernel module is loaded (lsmod | grep tun).
The config above assumes you're using the user informix to run the virtual networking infrastructure for all KVM-related purposes. There is no need to use root privileges for this.

At the moment we only have a virtual network interface. To "wire" VMs together we need to make the interface look like a network switch to them. This is where the VDE software comes into play.

Start by adding the user informix to the VDE group, vde2-net (you'll need root for this):

usermod -aG vde2-net informix

To promote our qtap0 network interface to a switch, its configuration must be updated with these lines:

pre-up /usr/bin/vde_switch --tap qtap0 --daemon --group vde2-net --mod 775 --mgmtmode 770 --pidfile /var/run/vde_switch.pid
post-down kill -s HUP `cat /var/run/vde_switch.pid`

This tells VDE to use qtap0 as its base interface.

Restart networking again and you should have a working "switch". If we now statically configure the networking in our virtual machines to use qtap0's IP address as their gateway, we should be able to ping both the switch and the other machines.
Not bad, but also not much.

First, we don't want to statically configure networking for every new VM we add. Second, to really use VMs as normal machines we want them connected to the Internet, while exposing them as little as we can to the outside world.

To achieve the first goal we'll use the lightweight DHCP/DNS server "dnsmasq" on our host OS and make it listen on our virtual switch. Let's configure it (/etc/dnsmasq.conf). These are all the config params you need to run it:

user=nobody
interface=qtap0
local=/kvm.internal/
bind-interfaces
domain=kvm.internal
dhcp-range=10.111.111.2,10.111.111.250,12h

The excerpt above assumes the domain name "kvm.internal" for all VMs.
To bind dnsmasq to our virtual switch we have to update our qtap0 interface config again:

pre-up /etc/init.d/dnsmasq restart

To achieve the second goal, an Internet connection, further changes are required (the last ones, I promise :-)). Don't copy this blindly; see how it fits your security policies. It opens up NAT forwarding on your host OS.

So, the last addition to the qtap0 interface in /etc/network/interfaces:

up iptables -t nat -A POSTROUTING -s 10.111.111.1/24 -o eth0 -j MASQUERADE
down iptables -t nat -D POSTROUTING -s 10.111.111.1/24 -o eth0 -j MASQUERADE
up echo 1 > /proc/sys/net/ipv4/ip_forward
down echo 0 > /proc/sys/net/ipv4/ip_forward

This assumes eth0 is your primary network interface on the host OS.

The wiring should now be all configured. Let's use it. Assuming your VM image is kvm.img, the command to start up the virtual machine in the background with networking enabled is:

vdeq kvm -M pc -m 128 -boot c -net nic,macaddr=52:54:00:12:34:56 -net vde -hda kvm.img &

I find 128 MB of memory for a VM enough to run IDS configured with both ER and HDR. The MAC address of the VM's network interface is explicitly specified because we'll set up dnsmasq to use it to assign IPs to VMs. Here is what you have to add to /etc/dnsmasq.conf for that:

dhcp-host=52:54:00:12:34:56,kvm0,10.111.111.2,12h

This will assign both an IP address (10.111.111.2) and a hostname (kvm0) to your VM.
After a bit of VM network configuration, of course :), which boils down to this:

  • delete /etc/hostname file
  • edit /etc/hosts to only provide localhost entries
  • edit /etc/network/interfaces to configure Ethernet interface via DHCP

Restart networking in VM and that should be it.
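The host-side pieces above (the qtap0 stanza, dnsmasq and the MASQUERADE rule) all have to agree on the same subnet, and a slip in any one of them is easy to miss. The script below is an added consistency check, not code from the original post; it reads the two config fragments as text, assumes a Debian-style stanza with address/netmask lines and dnsmasq's key=value syntax, and reports mismatches (wrong listen interface, missing bind-interfaces, a DHCP range that spills outside the subnet or covers the gateway, a static lease outside the subnet, or a NAT source network that differs from the tap subnet).

```python
import ipaddress
import re

# Constructed sample input (not a live host): the qtap0 stanza and dnsmasq lines from this post.
INTERFACES = """\
iface qtap0 inet static
address 10.111.111.254
netmask 255.255.255.0
up iptables -t nat -A POSTROUTING -s 10.111.111.1/24 -o eth0 -j MASQUERADE
"""
DNSMASQ = """\
interface=qtap0
bind-interfaces
dhcp-range=10.111.111.2,10.111.111.250,12h
dhcp-host=52:54:00:12:34:56,kvm0,10.111.111.2,12h
"""

def kv_lines(text):
    """Yield (key, rest) per non-empty line, split at the first space or '='."""
    for line in text.splitlines():
        parts = re.split(r"[ =]", line.strip(), maxsplit=1)
        if parts[0]:
            yield parts[0], parts[1] if len(parts) > 1 else ""

def check_config(interfaces, dnsmasq):
    """Return a list of problems; an empty list means the pieces agree."""
    probs = []
    iface, dns = dict(kv_lines(interfaces)), dict(kv_lines(dnsmasq))
    gw = ipaddress.ip_interface(f"{iface['address']}/{iface['netmask']}")
    tap, net = iface["iface"].split()[0], gw.network
    if dns.get("interface") != tap:
        probs.append(f"dnsmasq listens on {dns.get('interface')}, not {tap}")
    if "bind-interfaces" not in dns:        # without it dnsmasq also serves DHCP on eth0
        probs.append("bind-interfaces missing: dnsmasq would answer on every interface")
    lo, hi = (ipaddress.ip_address(x) for x in dns["dhcp-range"].split(",")[:2])
    if lo not in net or hi not in net:
        probs.append("dhcp-range lies outside the tap subnet")
    if lo <= gw.ip <= hi:                   # leases must never hand out the gateway itself
        probs.append("gateway address sits inside the dhcp-range")
    for key, rest in kv_lines(dnsmasq):     # static leases: inside the subnet, not the gateway
        if key == "dhcp-host":
            name, addr = rest.split(",")[1], ipaddress.ip_address(rest.split(",")[2])
            if addr not in net or addr == gw.ip:
                probs.append(f"dhcp-host {name} gets an unusable address")
    for key, rest in kv_lines(interfaces):  # NAT source must be exactly this subnet, nothing wider
        if key == "up" and "MASQUERADE" in rest:
            src = re.search(r"-s (\S+)", rest).group(1)
            if ipaddress.ip_network(src, strict=False) != net:
                probs.append("MASQUERADE source does not match the tap subnet")
    return probs
```

Running check_config(INTERFACES, DNSMASQ) on the post's values returns an empty list; feed it the real files from /etc to check your own host.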

The next entry will show one of the beauties of using VMs: copying an existing one, changing a few bits and pieces, and having another "server" up and running in 15 minutes.