How much of a security concern is virtualization
-
@bmeeks I have 2 Tandy 102s, an Apple IIe, a Macintosh SE and much more. My wife doesn't like the hoarder tech tendencies I have
-
@michmoor said in How much of a security concern is virtualization:
As of today, 3/15/2024, there are no known risks to virtualizing a firewall short of improper design by an admin but that would have nothing to do with the technology itself.
And there's where the biggest danger being me comes from.
Is there a STIG for hardening virtualized firewalls, pfSense in particular? I tend to absorb a lot of information about subjects I'm interested in, but when it becomes chasing from document to document trying to figure out the specific interplay between products...
My eyes quickly glaze over. And what I do pick up through brute force rarely sticks long anymore.
(You young guys will face this someday too, trust me.) Finding end to end procedures for things like this just doesn't seem to be as straightforward as it once was.
I have no idea if that's just because things are that much more complicated, or there are just so many different permutations that once someone figures out their particular path ... it's just no longer shared.
Or maybe I'm not looking in the right places.
-
@provels said in How much of a security concern is virtualization:
AWS
Azure
Nobody has seen that??
We get Checkpoint on AWS, Fortigate on AWS, pfSense on AWS. All of them essentially virtualized.
As for the nuclear plant auditors. Well, if a simple KVM switch is a threat, how about supply chain exploits. Can they spell SolarWinds?
-
@netblues said in How much of a security concern is virtualization:
how about supply chain exploits. Can they spell SolarWinds?
They have pages of rules about securing the supply chain to go along with everything else. The cyber rule in the Code of Federal Regulations takes up about 1/3 of a page of text. Their regulatory guideline for implementing that 1/3 page of text is 105 pages long. The actual plan we had to create and provide them describing how we secured things was several hundred pages in length.
I'm old school as I stated earlier, but I predict someone is going to eventually have a really bad day with cloud-based firewalls. Firewall vendors are out to sell what the market thinks it wants -- not necessarily to provide constructive cybersecurity advice.
-
Yeah when you consider 'cloud' based virtualisation a different set of concerns arise. Not least of which is that some malicious actor could be on the same host as the firewall.
-
Just a thought, but I think that if any netgate product was to be put in the backbone of a bank's metro net, that would be TNSR... And, of course, not in a VM. And I say metro net, because I find it hard to imagine that any bank would use plain-old internet to VPN its internal systems.
Also, of course it's fine for the home / SO server (and family/security) net.
The problems and tradeoffs come when you find yourself somewhere in the middle. An accounting firm with 30+ employees, maybe? What to do there? I think bare-metal. Just for the ease of service. Box breaks, you get there with another box, install pfsense, maybe transfer some surviving hardware, download the config and all the while, nothing else broke. The same is true for all other mission-critical services. If you had set those systems as VMs in the same box, no matter how balling, if that one box gets a cold, oh mama.
On the other end of the scale, the server-farm scale, is where virtualization starts to make sense again, but not for firewalls. Rather for the 100's of different, ever changing workloads.
And a question, if you use PCIe passthrough (IOMMU or better) to pass a multiport NIC to PfSense, how can that be dangerous? You can even have the hypervisor off the net entirely.
-
@MakOwner said in How much of a security concern is virtualization:
@starcodesystems said in How much of a security concern is virtualization:
I don't have a problem using ESXi for pfSense.
Matter of fact, our UPS system at headend went down, INOP, at the same time the power company was switching over to LNG generators. We had about 3 months of hell with loss of power to the facility, sometimes 3, 4 times per day and in quick succession.
I'm also running a Harmonic NMX system for a DVB-T2 system which uses Windows 2000, and they said it can't be done. Here again, because of what it is, no other VMs are running on that server, and here again with all the power loss and rebooting, like I said sometimes 2, 3 times a day, I have to take my hat off to VMware and their hypervisor. No problems, no issues. Comes right back up and look, I actually have fingernails again!
And this is why I have a love/hate relationship with VMware.
I'm in an area with especially sketchy power -- I get more over-voltage spikes than power loss events. I and the delivery provider know why, they just haven't been sued enough to fix it <sigh>.
I'm a bigger threat to stability changing stuff in VMware than my hardware and filesystems are. Backups, backups, backups and practice your recovery!
Hmm, we get that too, and we have replaced Laser Printer after Laser Printer, and Timeclock after Timeclock, until we put a Furman AC-215A Compact Power Conditioner with Auto-Resetting Voltage Protection in the wall first, and then the UPS (not for Laser Printers) into the Furman. We have not had any issues at all since.
-
@NightlyShark said in How much of a security concern is virtualization:
Just a thought, but I think that if any netgate product was to be put in the backbone of a bank's metro net, that would be TNSR... And, of course, not in a VM. And I say metro net, because I find it hard to imagine that any bank would use plain-old internet to VPN its internal systems.
Also, of course it's fine for the home / SO server (and family/security) net.
The problems and tradeoffs come when you find yourself somewhere in the middle. An accounting firm with 30+ employees, maybe? What to do there? I think bare-metal. Just for the ease of service. Box breaks, you get there with another box, install pfsense, maybe transfer some surviving hardware, download the config and all the while, nothing else broke. The same is true for all other mission-critical services. If you had set those systems as VMs in the same box, no matter how balling, if that one box gets a cold, oh mama.
On the other end of the scale, the server-farm scale, is where virtualization starts to make sense again, but not for firewalls. Rather for the 100's of different, ever changing workloads.
And a question, if you use PCIe passthrough (IOMMU or better) to pass a multiport NIC to PfSense, how can that be dangerous? You can even have the hypervisor off the net entirely.
I think the Banks will use something like Cisco. I don't see them using anything like pfSense or VyOS unless we're talking about Community Banks / Credit Unions. These 'big boys' know they're a target and risk analysis on past events dictates their current and future policies, and they need a company that they can point their fingers at and know action will be taken and implemented across the entire industry, and they know Cisco is their guy, and IPv6 will point them straight to your NAT'less device MAC Address. They love it!
-
@starcodesystems said in How much of a security concern is virtualization:
I think the Banks will use something like Cisco. I don't see them using anything like pfSense or VyOS unless we're talking about Community Banks / Credit Unions.
pfSense is used very heavily in U.S. government agencies and Amazon (warehouses).
That said, I see where you are coming from in that regard but it all depends on threat analysis. Maybe it's a better fit for a Palo at a banking system because they generally don't mind that a firewall calls out to a vendor's cloud to pull down updates/threat prevention sigs etc. Other places are a bit more sensitive to what leaves their network and don't want a chatty firewall. Just all depends on what is the risk.
-
@starcodesystems Hahaha, if only it was possible to hack a bank from home and have your MAC be a concern these days... I miss those days, early 2000. 2002, when I got my first PC.
-
The thing is that banks don't dig and install dark fiber themselves. And even metro eth is still shared with other people.
What happens is segregation of control.
In critical systems, they rent (e.g.) an MPLS VPN from a carrier. The carrier offers and maintains its own routers at the bank's edge creating the VPN, and the bank has its own boxes, run by their own admins, implementing their own VPNs on top of the carrier VPN.
And usually they opt for different vendors, so they don't get the same 0-day exploits. Good luck with the packet size MTU though :)
-
@stephenw10 said in How much of a security concern is virtualization:
Yeah when you consider 'cloud' based virtualisation a different set of concerns arise. Not least of which is that some malicious actor could be on the same host as the firewall.
Thankfully it is very, very difficult to know who your neighbors are.
-
@starcodesystems said in How much of a security concern is virtualization:
and IPv6 will point them straight to your NAT'less device MAC Address.
Only if you configure it that way. You can base your consistent address on either the MAC address or a random number. With SLAAC, random numbers are always used for outgoing connections.
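To make the distinction in this reply concrete (a MAC-derived EUI-64 identifier versus a stable opaque or random one), here is an added Python example; it is not from the thread and not pfSense code. It builds both kinds of interface identifier for a constructed prefix and MAC, and includes the check a defender can run over their own address inventory to see whether a host still embeds its hardware address. The prefix, MAC, interface name and secret are constructed sample values, and the stable identifier is a simplified RFC 7217-style hash, not any OS's exact implementation.

```python
import hashlib
import ipaddress
import os

# Constructed sample values, not taken from the thread or any real network.
PREFIX = "2001:db8:1234:5678::/64"
MAC = "00:1b:21:aa:bb:cc"

def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier: the MAC with its U/L bit flipped,
    split around ff:fe. The hardware address survives intact inside it."""
    b = bytearray(bytes.fromhex(mac.replace(":", "")))
    b[0] ^= 0x02  # flip the universal/local bit
    return bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])

def stable_privacy_iid(prefix: str, iface: str, secret: bytes, dad_counter: int = 0) -> bytes:
    """Simplified RFC 7217-style opaque identifier: a hash over the prefix, the
    interface name, a DAD counter and a host secret. Stable per prefix, but it
    reveals nothing about the MAC. (Assumed construction, not an OS's exact one.)"""
    net = ipaddress.IPv6Network(prefix)
    data = net.network_address.packed[:8] + iface.encode() + bytes([dad_counter]) + secret
    return hashlib.sha256(data).digest()[:8]

def temporary_iid() -> bytes:
    """RFC 4941-style temporary identifier: random bits, rotated periodically."""
    return os.urandom(8)

def make_address(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))

def mac_from_address(addr: str):
    """Defender's check: if the interface ID carries the ff:fe marker, recover
    the embedded MAC; otherwise return None (opaque or random identifier)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    b = bytearray(iid[:3] + iid[5:])
    b[0] ^= 0x02  # undo the U/L bit flip
    return ":".join(f"{x:02x}" for x in b)

if __name__ == "__main__":
    leaky = make_address(PREFIX, eui64_iid(MAC))
    opaque = make_address(PREFIX, stable_privacy_iid(PREFIX, "em0", b"host-secret"))
    print(leaky, "->", mac_from_address(str(leaky)))    # recovers 00:1b:21:aa:bb:cc
    print(opaque, "->", mac_from_address(str(opaque)))  # None
```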
-
@JKnott Won't stop them from knowing the prefix, though.
-
Yep, and each /64 contains 18.4 billion, billion addresses, so it will take a while to find something to attack.
-
@JKnott Yeah, but your ISP knows you have the whole prefix...
-
And how much of a risk is that? I get 256 /64s from my ISP. They'd have to monitor your traffic to see what addresses are in use. How is that any different from them monitoring your IPv4 traffic? The risk is unlikely to come from your ISP. It's from someone else. With IPv4, it's easy to scan through the entire address range, looking for something to attack. The IPv6 address space is so sparsely populated, that would be a big waste of time. Remember, a single /64 contains as many addresses as the entire IPv4 address space squared!
-
Dear @JKnott, read the conversation again... Specifically:
@NightlyShark said in How much of a security concern is virtualization:
@starcodesystems Hahaha, if only it was possible to hack a bank from home and have your MAC be a concern these days... I miss those days, early 2000. 2002, when I got my first PC.