Netgate Discussion Forum
How much of a security concern is virtualization

General pfSense Questions
    51 Posts 13 Posters 4.7k Views
michmoor LAYER 8 Rebel Alliance @bmeeks (last edited by michmoor)

      @bmeeks
I suppose it all comes down to what the risk profile is and the threat model derived from it.
Generally speaking, virtualizing a firewall isn't any more of a security concern than virtualizing servers for DMZ purposes.
How confident are you in the hypervisor? With VMware, for example, it's safe to say there are very few concerns that it can't properly isolate guests.
Secondly, how confident are you in configuring the virtual appliance correctly? This is of course outside the threat scope of hypervisors, but still.
As of today, 3/15/2024, there are no known risks to virtualizing a firewall short of improper design by an admin, but that would have nothing to do with the technology itself. It would be like blaming pfSense for being accessed over the WAN because your management ports are accessible. Does that mean pfSense is an insecure firewall?

This is indeed a fantastic conversation, of which we could have more in the future.

      Firewall: NetGate,Palo Alto-VM,Juniper SRX
      Routing: Juniper, Arista, Cisco
      Switching: Juniper, Arista, Cisco
      Wireless: Unifi, Aruba IAP
      JNCIP,CCNP Enterprise

Gertjan @MakOwner

        @MakOwner

        While we all try to define what

How much of a security concern is virtualization

I try to see this as a bucket full of well-defined possible known items, and we're looking for the ones missing.
The eternal question is: do we have them all?
Most items in the bucket are classified as the 'tools' we use.
But the biggest item is probably the one that observes the bucket: that's us, the ones using the tools. I wouldn't be surprised if the most important security issue is: us.
We need a big bucket ^^

        No "help me" PM's please. Use the forum, the community will thank you.
Edit: and where are the logs??

johnpoz LAYER 8 Global Moderator @JonathanLee (last edited by johnpoz)

@JonathanLee said in How much of a security concern is virtualization:

          3rd party unknown container issues are the biggest problem in cyber security right now

Says who? The biggest threat to security of any sort, be it physical or cyber, any and all types of security, will always be the USER!! Period... You could have the best security on the planet, and a USER will find a way to screw it up..

          Random text from unknown: We need your SSN, and 2FA auth key just sent to your phone to let you win a big prize!
          user: Here you go!! Also for good measure my blood type is A+, how and when do I get my prize!

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

JonathanLee @johnpoz (last edited by JonathanLee)

@johnpoz Our cyber security professor told us the biggest issues right now are 3rd party containers because of the detection and mitigation issues; they can even self-delete. It's flat out invasive 3rd party containers. So in today's world they are becoming a huge issue, and I personally agree. They are no joke; they can and have been abused. Think about some getting inside the Windows RE partition, for example, and/or in a web cache. Think about how hard they are to scan for and remove, and if you can't do that, how can you see what's inside them or detect them on a network? Fingerprinting systems are decades behind where they should be, and other nation state actors know that. How can you mitigate that? You have had to use them and experiment around with containers by now, right? I have; I tested detection methods fingerprinting them, used a Docker one with Kali on it and tried to run pf to fingerprint it while it was inside of a VM inside of a container on a host laptop, to see if the firewall could see the fingerprint differences. I mean, I really am into this stuff. The OS ACL options on the firewall really need an update. I have even tried to get FreeBSD to update them, but it's a task to do that; it needs a team of people helping to supply the fingerprints for them.

Back to the main post: I personally like Hypervisor, as it is supported more because Microsoft backs it, and it works with Microsoft Server also, but you're running a firewall on a VM, so bare metal or a dedicated appliance that runs multiple VMs like ESXi; VMware does a lot of the support for those.

            Think about white box set ups where you can push the VMs to all the white box systems at once too. VMs are amazing.

            Make sure to upvote

JonathanLee @bmeeks

@bmeeks I have 2 Tandy 102s, an Apple IIe, a Macintosh SE and much more. My wife doesn't like the hoarder tech tendencies I have.

              Make sure to upvote

MakOwner @michmoor

                @michmoor

@michmoor said in How much of a security concern is virtualization:

                As of today, 3/15/2024, there are no known risks to virtualizing a firewall short of improper design by an admin but that would have nothing to do with the technology itself.

And that's where the biggest danger, being me, comes from.
Is there a STIG for hardening virtualized firewalls, pfSense in particular?

I tend to absorb a lot of information about subjects I'm interested in, but when it becomes chasing from document to document trying to figure out the specific interplay between products...
my eyes quickly glaze over. And what I do pick up through brute force rarely sticks long anymore.
                (You young guys will face this someday too, trust me.)

                Finding end to end procedures for things like this just doesn't seem to be as straightforward as it once was.
I have no idea if that's just because things are that much more complicated, or there are just so many different permutations that once someone figures out their particular path ... it's just no longer shared.
                Or maybe I'm not looking in the right places. 🤷

netblues @provels

@provels said in How much of a security concern is virtualization:

                  AWSAzure

Nobody's seen that??

We get Check Point on AWS, FortiGate on AWS, pfSense on AWS. All of them essentially virtualized.

As for the nuclear plant auditors. Well, if a simple KVM switch is a threat, how about supply chain exploits? Can they spell SolarWinds?

bmeeks @netblues (last edited by bmeeks)

@netblues said in How much of a security concern is virtualization:

how about supply chain exploits? Can they spell SolarWinds?

                    They have pages of rules about securing the supply chain to go along with everything else 🙂. The cyber rule in the Code of Federal Regulations takes up about 1/3 of a page of text. Their regulatory guideline for implementing that 1/3 page of text is 105 pages long. The actual plan we had to create and provide them describing how we secured things was several hundred pages in length.

                    I'm old school as I stated earlier, but I predict someone is going to eventually have a really bad day with cloud-based firewalls. Firewall vendors are out to sell what the market thinks it wants -- not necessarily to provide constructive cybersecurity advice.

stephenw10 Netgate Administrator

Yeah, when you consider 'cloud' based virtualisation, a different set of concerns arise. Not least of which is that some malicious actor could be on the same host as the firewall.

NightlyShark

Just a thought, but I think that if any Netgate product was to be put in the backbone of a bank's metro net, that would be TNSR... And, of course, not in a VM. And I say metro net, because I find it hard to imagine that any bank would use plain-old internet to VPN its internal systems.

                        Also, of course it's fine for the home / SO server (and family/security) net.

The problems and tradeoffs come when you find yourself somewhere in the middle. An accounting firm with 30+ employees, maybe? What to do there? I think bare-metal. Just for the ease of service. Box breaks, you get there with another box, install pfSense, maybe transfer some surviving hardware, download the config, and all the while, nothing else broke. The same is true for all other mission-critical services. If you had set those systems up as VMs in the same box, no matter how balling, if that one box gets a cold, oh mama.

On the other end of the scale, the server-farm scale, is where virtualization starts to make sense again, but not for firewalls. Rather for the hundreds of different, ever-changing workloads.

                        And a question, if you use PCIe passthrough (IOMMU or better) to pass a multiport NIC to PfSense, how can that be dangerous? You can even have the hypervisor off the net entirely.

starcodesystems @MakOwner

@MakOwner said in How much of a security concern is virtualization:

@starcodesystems said in How much of a security concern is virtualization:

I don't have a problem using ESXi for pfSense.

Matter of fact, our UPS system at the headend went down, INOP, at the same time the power company was switching over to LNG generators. We had about 3 months of hell with loss of power to the facility, sometimes 3, 4 times per day and in quick succession.

I'm also running a Harmonic NMX system for a DVB-T2 system which uses Windows 2000, and they said it can't be done. Here again, because of what it is, no other VMs are running on that server, and here again, with all the power loss and rebooting, like I said sometimes 2, 3 times a day, I have to take my hat off to VMware and their hypervisor. No problems, no issues. Comes right back up and look, I actually have fingernails again!

                          And this is why I have a love/hate relationship with VMware.
I'm in an area with especially sketchy power -- I get more over-voltage spikes than power loss events. I and the delivery provider know why; they just haven't been sued enough to fix it <sigh>.
                          I'm a bigger threat to stability changing stuff in VMware than my hardware and filesystems are.

                          Backups, backups, backups and practice your recovery!

Hmm, we get that too, and we have replaced laser printer after laser printer, and time clock after time clock, until we put a Furman AC-215A Compact Power Conditioner with Auto-Resetting Voltage Protection in the wall first, and then the UPS (not for laser printers) into the Furman. We have not had any issues at all since.

starcodesystems @NightlyShark

@NightlyShark said in How much of a security concern is virtualization:

                            Just a thought, but I think that if any netgate product was to be put in the backbone of a bank's metro net, that would be TNSR... And, of course, not in a VM. And I say metro net, because I find it hard to imagine that any bank would use plain-old internet to VPN its internal systems.

                            Also, of course it's fine for the home / SO server (and family/security) net.

                            The problems and tradeoffs come when you find yourself somewhere in the middle. An accounting firm with 30+ employees, maybe? What to do there? I think bare-metal. Just for the ease of service. Box breaks, you get there with another box, install pfsense, maybe transfer some surviving hardware, download the config and all the while, nothing else broke. The same is true for all other mission-critical services. If you had set those systems as VMs in the same box, no matter how balling, if that one box gets a cold, oh mama.

                            On the other end of the scale, the server-farm scale, is where virtualization starts to make sense again, but not for firewalls. Rather for the 100's of different, ever changing workloads.

                            And a question, if you use PCIe passthrough (IOMMU or better) to pass a multiport NIC to PfSense, how can that be dangerous? You can even have the hypervisor off the net entirely.

I think the banks will use something like Cisco. I don't see them using anything like pfSense or VyOS unless we're talking about Community Banks / Credit Unions. These 'big boys' know they're a target, and risk analysis on past events dictates their current and future policies, and they need a company that they can point their fingers at and know action will be taken and implemented across the entire industry, and they know Cisco is their guy, and IPv6 will point them straight to your NAT-less device MAC address. They love it!

michmoor LAYER 8 Rebel Alliance @starcodesystems

@starcodesystems said in How much of a security concern is virtualization:

I think the banks will use something like Cisco. I don't see them using anything like pfSense or VyOS unless we're talking about Community Banks / Credit Unions.

                              pfSense is used very heavily in U.S. government agencies and Amazon (warehouses).
That said, I see where you are coming from in that regard, but it all depends on threat analysis. Maybe it's a better fit for a Palo at a banking system because they generally don't mind that a firewall calls out to a vendor's cloud to pull down updates/threat prevention sigs etc. Other places are a bit more sensitive to what leaves their network and don't want a chatty firewall. It just all depends on what the risk is.

                              Firewall: NetGate,Palo Alto-VM,Juniper SRX
                              Routing: Juniper, Arista, Cisco
                              Switching: Juniper, Arista, Cisco
                              Wireless: Unifi, Aruba IAP
                              JNCIP,CCNP Enterprise

NightlyShark @starcodesystems

@starcodesystems Hahaha, if only it was possible to hack a bank from home and have your MAC be a concern these days... I miss those days, early 2000s. 2002, when I got my first PC.

netblues @NightlyShark

                                  @NightlyShark

The thing is that banks don't dig and install dark fiber themselves. And even metro Ethernet is still shared with other people.
What happens is segregation of control.
In critical systems, they rent (e.g.) an MPLS VPN from a carrier. The carrier offers and maintains its own routers at the bank's edge creating the VPN, and the bank has its own boxes, run by their own admins, implementing their own VPNs on top of the carrier VPN.
And usually they opt for different vendors, so they don't get the same 0-day exploits.

                                  Good luck with the packet size mtu though :)

netblues @stephenw10

@stephenw10 said in How much of a security concern is virtualization:

Yeah, when you consider 'cloud' based virtualisation, a different set of concerns arise. Not least of which is that some malicious actor could be on the same host as the firewall.

Thankfully, it is very, very difficult to know who your neighbors are.

JKnott @starcodesystems

@starcodesystems said in How much of a security concern is virtualization:

and IPv6 will point them straight to your NAT-less device MAC address.

                                      Only if you configure it that way. You can base your consistent address on either the MAC address or a random number. With SLAAC, random numbers are always used for outgoing connections.

                                      PfSense running on Qotom mini PC
                                      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                                      UniFi AC-Lite access point

                                      I haven't lost my mind. It's around here...somewhere...

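The exchange above (whether an IPv6 address exposes a device's MAC, and how many addresses a /64 holds) can be shown concretely. The following is an added example and not code from the thread or from pfSense: it derives a modified EUI-64 interface identifier from a MAC address, shows that the MAC is recoverable from such an address, and contrasts it with a random temporary identifier (as RFC 4941 uses) and a keyed-hash stable identifier modelled on RFC 7217. The prefix, MAC, interface name and secret are constructed sample values; the RFC 7217 derivation is simplified (the RFC also hashes a Network_ID and a DAD counter).

```python
"""Added example: how an IPv6 interface identifier (IID) either embeds a MAC
address (modified EUI-64) or hides it (random or stable-opaque IIDs), and how
large a single /64 prefix is. Not part of the forum thread or pfSense."""
import hashlib
import hmac
import ipaddress
import secrets
from typing import Optional

ADDRESSES_PER_64 = 2 ** 64  # 18,446,744,073,709,551,616 host addresses per /64


def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 IID from a 48-bit MAC (RFC 4291, Appendix A):
    insert ff:fe in the middle and flip the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    first = octets[0] ^ 0x02  # flip the U/L bit of the first octet
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def mac_from_iid(iid: bytes) -> Optional[str]:
    """Recover the MAC from an EUI-64 style IID; None if the IID is not in that form."""
    if len(iid) != 8 or iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)


def stable_opaque_iid(prefix: str, iface: str, secret: bytes) -> bytes:
    """Stable but MAC-independent IID, modelled on RFC 7217: a keyed hash of the
    prefix and interface name (simplified; the RFC also feeds in a Network_ID
    and a DAD counter). Same inputs always give the same address."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    msg = net.network_address.packed[:8] + iface.encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()[:8]


def temporary_iid() -> bytes:
    """Random IID, as used for RFC 4941 temporary (privacy) addresses."""
    return secrets.token_bytes(8)


def build_address(prefix: str, iid: bytes) -> str:
    """Combine a /64 prefix with an 8-byte IID into a full IPv6 address."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64 or len(iid) != 8:
        raise ValueError("need a /64 prefix and an 8-byte IID")
    host = int.from_bytes(iid, "big")
    return str(ipaddress.IPv6Address(int(net.network_address) + host))


def mac_exposed(address: str) -> Optional[str]:
    """Return the MAC embedded in an address's IID, or None if it reveals none."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    return mac_from_iid(iid)


if __name__ == "__main__":
    prefix = "2001:db8:1234:5678::/64"  # documentation prefix (constructed sample)
    mac = "00:1a:2b:3c:4d:5e"           # constructed sample MAC
    secret = b"per-host-secret-key"     # constructed; use a random per-host key in practice
    candidates = [
        ("EUI-64", eui64_iid(mac)),
        ("RFC 7217-style stable", stable_opaque_iid(prefix, "igb0", secret)),
        ("RFC 4941 temporary", temporary_iid()),
    ]
    for label, iid in candidates:
        addr = build_address(prefix, iid)
        print(f"{label:22} {addr:40} MAC exposed: {mac_exposed(addr)}")
    print(f"addresses per /64: {ADDRESSES_PER_64:,}")
```

Only the EUI-64 row prints a recovered MAC; the stable-opaque and temporary identifiers reveal nothing about the hardware, which is the "random number" option JKnott refers to. The `mac_exposed` check is also a cheap audit to run over your own hosts' addresses to confirm that privacy or stable-opaque identifiers are actually in use.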
NightlyShark @JKnott

                                        @JKnott Won't stop them from knowing the prefix, though.

JKnott @NightlyShark

                                          @NightlyShark

                                          Yep, and each /64 contains 18.4 billion, billion addresses, so it will take a while to find something to attack.

                                          PfSense running on Qotom mini PC
                                          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                                          UniFi AC-Lite access point

                                          I haven't lost my mind. It's around here...somewhere...

NightlyShark @JKnott

@JKnott Yeah, but your ISP knows you have the whole prefix...

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.