How secure and isolated are VMs?

[Patrick_3000]

I have SCALE installed on a server (ASRock Rack x570d4u-2L2T board and Ryzen 7 Pro 5750G CPU), mainly for data storage but also for VMs. Separately, I have a computer on an isolated subnet of my network that has Linux Mint installed that I'm using as a Nextcloud server, which means that it's public-facing, accessible through https from the public internet and port-forwarding via my OPNsense firewall.

I am considering migrating the Nextcloud server to a VM in SCALE, which would be more power efficient, but since it's open to https requests from the public internet, I'm somewhat leery of putting it on SCALE as a VM. If I do migrate the Nextcloud server to a SCALE VM, then I will put it on its own network adapter (not a bridge, but its own physical adapter) that's on a separate subnet from the SCALE server and other SCALE VMs.

Does anyone have any thoughts on how secure this would be? The reason I currently have the Nextcloud server isolated on a separate subnet and plan to keep it that way if I move it to a SCALE VM is to lower the attack surface since it's public facing. But if it's a SCALE VM and someone were to use some clever attack to breach Nextcloud security, could they then somehow hack into the rest of the SCALE server, including my datasets? Or are the VMs in SCALE isolated and secure enough that that's unlikely?

Incidentally, I realize that there's a Nextcloud app in SCALE, but I don't want to use it because my Nextcloud server is highly customized, and I'd like to keep it intact. I've done a trial run and verified that I can migrate it from physical hardware to a SCALE VM using Clonezilla, and that will allow me to keep all my data and settings intact.

 

[sretalla]

SCALE uses KVM as the hypervisor, so it's really just a question of vulnerabilities that may exist in that hypervisor.

Generally, it's not unheard of for hacks to be possible, but exploiting those is often very difficult if the guest and services it offers are well designed and appropriately patched.

I'd suggest a bit of research into KVM vulnerabilities and see if what you read on that topic is scary enough to stop you or not.

 

[Patrick_3000]

SCALE uses KVM as the hypervisor, so it's really just a question of vulnerabilities that may exist in that hypervisor.

Generally, it's not unheard of for hacks to be possible, but exploiting those is often very difficult if the guest and services it offers are well designed and appropriately patched.

I'd suggest a bit of research into KVM vulnerabilities and see if what you read on that topic is scary enough to stop you or not.

Thanks. That's a good suggestion. I don't understand much about security or hacking, but I did some quick research on KVM vulnerabilities, and while it seems there may be some chance of an intrusion beyond the guest VM, the more widespread problem appears to be denial of service attacks, which I think can be mitigated by giving the guest VM minimal resources--like only one CPU, one core, and one or two threads. I'm probably going to move forward.

 

[Whattteva]

Theoretically, VM virtualizes everything away from the host and runs its own kernel and users. That being said, it still runs on top of the host's kernel, so it is always a possibility that the VM can break out of that container through some vulnerabilities. You will never be able to achieve the same level of isolation as actual physical isolation (this should be obvious) with completely separate machines. But in theory, it should be good enough.