How much of a security concern is virtualization
-
@stephenw10 I should have made more popcorn for this post :)
Now I get to ramble a bit ... I have run various firewall products (predominantly pfSense, because of some interesting things I can do with multiple ISP accounts that have been much harder for me with other products).
Almost all of them have run virtualized because it was just easier.
I have never run anything of interest or value behind them other than desktops, some storage and a webserver with simple flat pages for my personal use when away from home. Even if someone broke in, they weren't going to find anything of value short of 10+ year old hardware to use as a platform for something else.
Much better pickings elsewhere. I have some domains that I have been carrying around with me for years -- one of them from way back when I got a domain name for a BBS I ran for e-mail/usenet/fidonet via K-band satellite.
I want to put them to use that will be a bit more high profile -- I want to set up a mail server and cloud storage for extended family and some select friends.
With those types of services exposed, I expect a bit more attention than the script-kiddie bots probing ssh ports and known vulnerabilities in webservers - thus my sudden concern with security.
I recently moved one of my setups from virtual to physical -- @stephenw10 answered a lot of questions around the recovery process and issues -- thank you @stephenw10 !
(Which was kind of embarrassing to be honest ... being the mechanic with the broken down car, so to speak :) Disaster recovery for enterprise has been my day job for ... well, a long time.) In my case I run physical (now) for the account directly behind my seat while I work -- the virtualized gateways are in another building, I have a 10Gb link between the buildings, and the virtualized gateways are running on hardware with enterprise-licensed iDRAC.
Once you get to iDRAC 8 or later ... it's very convenient and I have become very spoiled -- I can shut down and start up the entire critical infrastructure from my desk. I have a /29 from the ISP that serves that building.
5 functional static IPs on a fiber connection, unlike the previous ISP <cough>Frontier<cough> who couldn't provide a modem with bridge mode and the /29 was only 4 functional IPs...
(Sorry, rant over -- I said I was going to ramble!) So... having rambled through all that ....
My plan is to set up a cloud server and a mail server on separate domains -- using pfSense as the firewall for each.
I'm trying to figure out the least risky way to do this, and at present my best hardware option is virtualization.
I'm currently using VMware 7, and have been using VMware for way longer than I'd care to admit, but I am by no means an SME on VMware.
I have just shut down an older ESXi server to load Proxmox to begin a learning process... I'm sure everyone knows why. With VMware and the hardware I have, I can pass through the NICs to the VMs.
Or, I can leave them virtualized and set up dedicated vSwitches -- that's my current configuration.
Given that billboard of text and my reasons for doing this - anyone have input?
(Other than quit posting billboards.) Edit: BTW... If everyone says run from virtualization ...
Although I don't see getting enough for all 5 IPs, I can probably justify at least one more Supermicro X10SLH-N6-ST031, if I take the SO shopping...
-
@MakOwner said in How much of a security concern is virtualization:
I should have made more popcorn for this post :)
Ha! Yup people have strong opinions.
Personally I would use a hardware firewall in front of a hypervisor cluster like that. Probably an HA pair of hardware firewalls if you need the uptime.
-
You ever run Xenix on a VM? … I have, I love it; wish I could get the network card to work on the virtual version of it. That's where I am stuck. Yes, off topic, sorry.
-
I don't have a problem using ESXi for pfSense.
Matter of fact, our UPS system at the headend went down, INOP, at the same time the power company was switching over to LNG generators. We had about 3 months of hell with loss of power to the facility, sometimes 3, 4 times per day and in quick succession.
I ran pfSense on bare metal hardware and that failed, so I used an HP 360 server with ESXi 8 for pfSense only. Installed pass-through network cards, configured snapshots, etc., and I gotta tell you, that server and the hypervisor took it all in terms of random power loss and rebooting. No problem at all, and if pfSense didn't boot, there was the added benefit of being able to log into the ESXi server and start up pfSense or restore a snapshot. However, the only VM was pfSense, so the full set of resources could be allocated.
I'm also running a Harmonic NMX system for a DVB-T2 system which uses Windows 2000, and they said it can't be done. Here again, because of what it is, no other VMs are running on that server, and here again with all the power loss and rebooting, like I said sometimes 2, 3 times a day, I have to take my hat off to VMware and their hypervisor. No problems, no issues. Comes right back up and look, I actually have fingernails again!
-
@JonathanLee
Never run it in a VM. But I can also tell you about doing backups of an AS/400 on 16TPI reel-to-reel tapes.
System/1, System/36 and System/384 backups to floppies.
Data conversion of EBCDIC to ASCII with packed fields. Somewhat fun times.
I feel old all of a sudden.
-
@starcodesystems said in How much of a security concern is virtualization:
I don't have a problem using ESXi for pfSense.
Matter of fact, our UPS system at the headend went down, INOP, at the same time the power company was switching over to LNG generators. We had about 3 months of hell with loss of power to the facility, sometimes 3, 4 times per day and in quick succession.
I'm also running a Harmonic NMX system for a DVB-T2 system which uses Windows 2000, and they said it can't be done. Here again, because of what it is, no other VMs are running on that server, and here again with all the power loss and rebooting, like I said sometimes 2, 3 times a day, I have to take my hat off to VMware and their hypervisor. No problems, no issues. Comes right back up and look, I actually have fingernails again!
And this is why I have a love/hate relationship with VMware.
I'm in an area with especially sketchy power -- I get more over-voltage spikes than power loss events. I and the delivery provider know why; they just haven't been sued enough to fix it <sigh>.
I'm a bigger threat to stability changing stuff in VMware than my hardware and filesystems are. Backups, backups, backups, and practice your recovery!
-
@MakOwner said in How much of a security concern is virtualization:
I'm a bigger threat to stability changing stuff in VMware than my hardware and filesystems are.
Ha. Same!
-
@stephenw10
My first recovery test of the new setup went .... badly.
I'll start another thread for that.
-
I'd go with bare metal. The more software running on a box, the greater the security risk. VMs are fine for experimenting, but I wouldn't use one for production. I run pfSense on the miniPC described in my sig. There are plenty of inexpensive similar boxes available.
-
@MakOwner that is amazing, I only recently started to play with FreeBSD jails and Docker containers. They are fun to play with; Kali has a Docker container for pen testing. My greatest fear is a container getting inside of my web caching proxy. So now it has max size limits to mitigate that risk. 3rd-party unknown container issues are the biggest problem in cyber security right now: you can't scan for them, they self-delete when you find one, they can data marshal a network card, plus the only way to find them is to use OS fingerprinting, and that, let's face it, needs a massive update to work right. It's a big problem.
-
@bmeeks
I suppose it all comes down to what the risk profile is and the threat model derived from it.
Generally speaking, virtualizing a firewall isn't any more of a security concern than virtualizing servers for DMZ purposes.
How confident are you in the hypervisor? With VMware, for example, it's safe to say there are very few concerns that it can't properly isolate guests.
Secondly, how confident are you in configuring the virtual appliance correctly? This is of course outside the threat scope of hypervisors, but still.
As of today, 3/15/2024, there are no known risks to virtualizing a firewall short of improper design by an admin, but that would have nothing to do with the technology itself. It would be like blaming pfSense for being accessed over the WAN because your management ports are accessible. Does that mean pfSense is an insecure firewall? This is indeed a fantastic conversation, one we could have more of in the future.
-
While we all try to define what
How much of a security concern is virtualization
I try to see this as a bucket full with well defined possible known items, and we're looking for the ones missing.
The eternal question is: do we have them all?
Most items in the bucket are classified as the 'tools' we use.
But the biggest item is probably the one that observes the bucket: that's us, the ones using the tools. I wouldn't be surprised if the most important security issue is: us.
We need a big bucket ^^
-
@JonathanLee said in How much of a security concern is virtualization:
3rd party unknown container issues are the biggest problem in cyber security right now
Says who? The biggest threat to security, any sort, be it physical or cyber -- any and all types of security -- will always be the USER!! Period... You could have the best security on the planet, and a USER will find a way to screw it up..
Random text from unknown: We need your SSN, and 2FA auth key just sent to your phone to let you win a big prize!
user: Here you go!! Also for good measure my blood type is A+, how and when do I get my prize!
-
@johnpoz our cyber security professor told us the biggest issues right now are 3rd-party containers because of the detection and mitigation issues; they can even self-delete. It's flat out invasive 3rd-party containers. So in today's world they are becoming a huge issue and I personally agree. They are no joke; they can and have been abused. Think about some getting inside the Windows RE partition, for example, and/or in a web cache. Think about how hard they are to scan for and remove, and if you can't do that, how can you see what's inside them or detect them on a network? Fingerprinting systems are decades behind where they should be, and other nation state actors know that. How can you mitigate that? You have had to use them and experiment around with containers by now, right? I have; I tested detection methods for fingerprinting them, used a Docker one with Kali on it and tried to run pf to fingerprint it while it was inside of a VM inside of a container on a host laptop to see if the firewall could see the fingerprint differences. I mean I really am into this stuff. The OS ACL options on the firewall really need an update. I have even tried to get FreeBSD to update them, but it's a task to do that; it needs a team of people helping to supply the fingerprints for them.
Back to the main post: I personally like that Hypervisor is supported more, as Microsoft backs it; it works with Microsoft Server also. But you're running a firewall on a VM, so bare metal or a dedicated appliance that runs multiple VMs like ESXi; VMware does a lot of the support for those.
Think about white box set ups where you can push the VMs to all the white box systems at once too. VMs are amazing.
-
@bmeeks I have 2 Tandy 102s, an Apple IIe, a Macintosh SE and much more. My wife doesn't like the hoarder tech tendencies I have.
-
@michmoor said in How much of a security concern is virtualization:
As of today, 3/15/2024, there are no known risks to virtualizing a firewall short of improper design by an admin, but that would have nothing to do with the technology itself.
And there's where the biggest danger being me comes from.
Is there a STIG for hardening virtualized firewalls, pfSense in particular? I tend to absorb a lot of information about subjects I'm interested in, but when it becomes chasing from document to document trying to figure out the specific interplay between products..
My eyes quickly glaze over. And what I do pick up through brute force rarely sticks long anymore.
(You young guys will face this someday too, trust me.) Finding end-to-end procedures for things like this just doesn't seem to be as straightforward as it once was.
I have no idea if that's just because things are that much more complicated, or there are just so many different permutations that once someone figures out their particular path ... it's just no longer shared.
Or maybe I'm not looking in the right places.
-
@provels said in How much of a security concern is virtualization:
AWS Azure
Nobody's seen that??
We get Check Point on AWS, FortiGate on AWS, pfSense on AWS. All of them essentially virtualized.
As for the nuclear plant auditors. Well, if a simple KVM switch is a threat, how about supply chain exploits? Can they spell SolarWinds?
-
@netblues said in How much of a security concern is virtualization:
how about supply chain exploits? Can they spell SolarWinds?
They have pages of rules about securing the supply chain to go along with everything else. The cyber rule in the Code of Federal Regulations takes up about 1/3 of a page of text. Their regulatory guideline for implementing that 1/3 page of text is 105 pages long. The actual plan we had to create and provide them describing how we secured things was several hundred pages in length.
I'm old school as I stated earlier, but I predict someone is going to eventually have a really bad day with cloud-based firewalls. Firewall vendors are out to sell what the market thinks it wants -- not necessarily to provide constructive cybersecurity advice.
-
Yeah when you consider 'cloud' based virtualisation a different set of concerns arise. Not least of which is that some malicious actor could be on the same host as the firewall.
-
Just a thought, but I think that if any Netgate product was to be put in the backbone of a bank's metro net, that would be TNSR... And, of course, not in a VM. And I say metro net, because I find it hard to imagine that any bank would use plain-old internet to VPN its internal systems.
Also, of course it's fine for the home / SO server (and family/security) net.
The problems and tradeoffs come when you find yourself somewhere in the middle. An accounting firm with 30+ employees, maybe? What to do there? I think bare-metal. Just for the ease of service. Box breaks, you get there with another box, install pfsense, maybe transfer some surviving hardware, download the config and all the while, nothing else broke. The same is true for all other mission-critical services. If you had set those systems as VMs in the same box, no matter how balling, if that one box gets a cold, oh mama.
On the other end of the scale, the server-farm scale, is where virtualization starts to make sense again, but not for firewalls. Rather for the 100's of different, ever changing workloads.
And a question: if you use PCIe passthrough (IOMMU or better) to pass a multiport NIC to pfSense, how can that be dangerous? You can even have the hypervisor off the net entirely.
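An added example, not part of the thread or any poster's setup, for the passthrough question just raised: on a Linux hypervisor such as Proxmox a passed-through NIC is only isolated as far as its IOMMU group, and sysfs shows which other devices sit in that group. The sysfs paths are the kernel's real layout; the PCI addresses and the temporary tree are constructed so the check runs offline.

```shell
# Added example, not from the thread. On a Linux hypervisor such as Proxmox a
# passed-through NIC is isolated only as far as its IOMMU group: every device
# in the group shares one DMA isolation boundary, so a NIC grouped with, say,
# the host SATA controller cannot be given to the pfSense VM by itself. Group
# membership is read from <root>/bus/pci/devices/<bdf>/iommu_group (sysfs).
# Print the IOMMU group number of a PCI device; fail if it has none.
iommu_group_of() {            # $1 = sysfs root, $2 = BDF such as 0000:03:00.0
    link="$1/bus/pci/devices/$2/iommu_group"
    [ -L "$link" ] || return 1
    basename "$(readlink "$link")"
}

# Print the other devices sharing the group with $2, one BDF per line.
iommu_group_peers() {         # $1 = sysfs root, $2 = BDF
    grp=$(iommu_group_of "$1" "$2") || return 1
    for d in "$1/kernel/iommu_groups/$grp/devices"/*; do
        d=$(basename "$d")
        [ "$d" = "$2" ] || echo "$d"
    done
}

# Return 0 when every peer is another function of the same card (same
# domain:bus:slot, different function), so the whole multiport NIC can be
# passed through as a unit; 1 when a foreign device shares the group; 2 when
# the device has no IOMMU group at all (IOMMU disabled or unsupported).
passthrough_is_isolated() {   # $1 = sysfs root, $2 = BDF
    iommu_group_of "$1" "$2" >/dev/null || return 2
    slot=${2%.*}
    iommu_group_peers "$1" "$2" | while read -r peer; do
        [ "${peer%.*}" = "$slot" ] || exit 1
    done
}

# Constructed sysfs tree for the demo (made-up BDFs): group 7 holds both ports
# of one NIC (isolated); group 9 holds a NIC plus a SATA controller (shared).
build_fixture() {             # $1 = directory to populate
    for pair in "7 0000:03:00.0" "7 0000:03:00.1" "9 0000:04:00.0" "9 0000:00:1f.2"; do
        grp=${pair% *}; bdf=${pair#* }
        mkdir -p "$1/kernel/iommu_groups/$grp/devices/$bdf" "$1/bus/pci/devices/$bdf"
        ln -s "../../../kernel/iommu_groups/$grp" "$1/bus/pci/devices/$bdf/iommu_group"
    done
}

# Demo on the constructed tree; on a real host pass /sys as the root.
tmp=$(mktemp -d) && build_fixture "$tmp"
for nic in 0000:03:00.0 0000:04:00.0; do
    passthrough_is_isolated "$tmp" "$nic" && echo "$nic: isolated" || \
        echo "$nic: shares IOMMU group with $(iommu_group_peers "$tmp" "$nic" | tr '\n' ' ')"
done
rm -rf "$tmp"
```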