Netgate Discussion Forum

How much of a security concern is virtualization

General pfSense Questions (51 posts, 13 posters, 4.7k views)
starcodesystems @NightlyShark

@NightlyShark said in How much of a security concern is virtualization:

Just a thought, but I think that if any Netgate product was to be put in the backbone of a bank's metro net, that would be TNSR... And, of course, not in a VM. And I say metro net, because I find it hard to imagine that any bank would use plain-old internet to VPN its internal systems.

Also, of course it's fine for the home / SO server (and family/security) net.

The problems and tradeoffs come when you find yourself somewhere in the middle. An accounting firm with 30+ employees, maybe? What to do there? I think bare metal. Just for the ease of service. Box breaks, you get there with another box, install pfSense, maybe transfer some surviving hardware, download the config, and all the while, nothing else broke. The same is true for all other mission-critical services. If you had set those systems up as VMs in the same box, no matter how balling, if that one box gets a cold, oh mama.

On the other end of the scale, the server-farm scale, is where virtualization starts to make sense again, but not for firewalls. Rather for the hundreds of different, ever-changing workloads.

And a question: if you use PCIe passthrough (IOMMU or better) to pass a multiport NIC to pfSense, how can that be dangerous? You can even have the hypervisor off the net entirely.

I think the Banks will use something like Cisco. I don't see them using anything like pfSense or VyOS unless we're talking about Community Banks / Credit Unions. These 'big boys' know they're a target, and risk analysis on past events dictates their current and future policies, and they need a company that they can point their fingers at and know action will be taken and implemented across the entire industry, and they know Cisco is their guy, and IPv6 will point them straight to your NAT-less device MAC address. They love it!

michmoor @starcodesystems

@starcodesystems said in How much of a security concern is virtualization:

I think the Banks will use something like Cisco. I don't see them using anything like pfSense or VyOS unless we're talking about Community Banks / Credit Unions.

pfSense is used very heavily in U.S. government agencies and Amazon (warehouses).
That said, I see where you are coming from in that regard, but it all depends on threat analysis. Maybe it's a better fit for a Palo at a banking system because they generally don't mind that a firewall calls out to a vendor's cloud to pull down updates/threat prevention sigs, etc. Other places are a bit more sensitive to what leaves their network and don't want a chatty firewall. It all depends on what the risk is.

Firewall: Netgate, Palo Alto VM, Juniper SRX
Routing: Juniper, Arista, Cisco
Switching: Juniper, Arista, Cisco
Wireless: Unifi, Aruba IAP
JNCIP, CCNP Enterprise

NightlyShark @starcodesystems

@starcodesystems Hahaha, if only it were possible to hack a bank from home and have your MAC be a concern these days... I miss those days, the early 2000s. 2002, when I got my first PC.

netblues @NightlyShark

@NightlyShark

The thing is that banks don't dig and install dark fiber themselves. And even metro Ethernet is still shared with other people.
What happens is segregation of control.
In critical systems, they rent (e.g.) an MPLS VPN from a carrier. The carrier offers and maintains its own routers at the bank's edge creating the VPN, and the bank has its own boxes, run by their own admins, implementing their own VPNs on top of the carrier VPN.
And usually they opt for different vendors, so they don't get the same 0-day exploits.

Good luck with the packet size / MTU though :)

netblues @stephenw10

@stephenw10 said in How much of a security concern is virtualization:

Yeah, when you consider 'cloud' based virtualisation a different set of concerns arise. Not least of which is that some malicious actor could be on the same host as the firewall.

Thankfully it is very, very difficult to know who your neighbors are.

JKnott @starcodesystems

@starcodesystems said in How much of a security concern is virtualization:

and IPv6 will point them straight to your NAT-less device MAC address.

Only if you configure it that way. You can base your consistent address on either the MAC address or a random number. With SLAAC, random numbers are always used for outgoing connections.

pfSense running on Qotom mini PC
i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
UniFi AC-Lite access point

I haven't lost my mind. It's around here...somewhere...

NightlyShark @JKnott

@JKnott Won't stop them from knowing the prefix, though.

JKnott @NightlyShark

@NightlyShark

Yep, and each /64 contains 18.4 billion billion addresses, so it will take a while to find something to attack.

NightlyShark @JKnott

@JKnott Yeah, but your ISP knows you have the whole prefix...

JKnott @NightlyShark

@NightlyShark

And how much of a risk is that? I get 256 /64s from my ISP. They'd have to monitor your traffic to see what addresses are in use. How is that any different from them monitoring your IPv4 traffic? The risk is unlikely to come from your ISP. It's from someone else. With IPv4, it's easy to scan through the entire address range, looking for something to attack. The IPv6 address space is so sparsely populated that it would be a big waste of time. Remember, a single /64 contains as many addresses as the entire IPv4 address space squared!

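The two points JKnott makes in this exchange, that a SLAAC address only embeds the MAC when the interface identifier is built from it (modified EUI-64) rather than from a random number, and that a single /64 holds 2^64 addresses, the size of the IPv4 space squared, can both be checked concretely. The Python below is an added example written for this thread; it is not code from any post, from Netgate or from pfSense. The addresses are constructed samples in the 2001:db8::/32 documentation prefix, and the probe rate used for the sweep-time estimate is an assumed figure.

```python
import ipaddress

# Constructed sample addresses in the documentation prefix 2001:db8::/32
# (not taken from the thread).
SAMPLE_ADDRESSES = [
    "2001:db8:1::211:22ff:fe33:4455",   # modified EUI-64 IID derived from MAC 00:11:22:33:44:55
    "2001:db8:1::8c1e:4f32:9a7d:1b06",  # random IID (RFC 4941 temporary / RFC 7217 stable style)
    "2001:db8:1::1",                    # manually configured address
]


def interface_id(addr: str) -> bytes:
    """Low 64 bits of the address: the interface identifier (IID) appended to the /64."""
    return ipaddress.IPv6Address(addr).packed[8:]


def eui64_iid_from_mac(mac: str) -> bytes:
    """Build a modified EUI-64 IID the way SLAAC does when it uses the MAC:
    split the 48-bit MAC, insert 0xfffe in the middle, flip the U/L bit (0x02)."""
    m = bytes.fromhex(mac.replace(":", ""))
    return bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:6]


def mac_from_eui64(addr: str):
    """Recover the MAC if the IID has the modified EUI-64 shape, else None.
    Heuristic: a manually chosen IID could also carry 0xfffe at that offset."""
    iid = interface_id(addr)
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]   # undo the U/L bit flip
    return ":".join(f"{b:02x}" for b in mac)


def audit(addresses):
    """Which hosts expose their hardware identity through their IPv6 address?"""
    return {a: mac_from_eui64(a) for a in addresses}


def addresses_in(prefix: str) -> int:
    """Number of addresses in a prefix (a /64 is 2**64)."""
    return ipaddress.IPv6Network(prefix).num_addresses


def subnets_in(prefix: str, new_prefixlen: int) -> int:
    """How many /new_prefixlen networks fit in prefix (e.g. /64s in an ISP /56 delegation)."""
    return 2 ** (new_prefixlen - ipaddress.IPv6Network(prefix).prefixlen)


ASSUMED_PROBES_PER_SECOND = 1_000_000  # assumed rate for the estimate; not from the thread


def years_to_sweep(prefix: str, probes_per_second: int = ASSUMED_PROBES_PER_SECOND) -> float:
    """Wall-clock years needed to probe every address in prefix once at a fixed rate."""
    return addresses_in(prefix) / probes_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for addr, mac in audit(SAMPLE_ADDRESSES).items():
        print(f"{addr:40} -> {mac or 'no MAC embedded'}")
    print("addresses in one /64:", addresses_in("2001:db8::/64"))
    print("equals IPv4 space squared:", addresses_in("2001:db8::/64") == (2 ** 32) ** 2)
    print("/64s in a /56 delegation:", subnets_in("2001:db8::/56", 64))
    print(f"years to sweep one /64 at 1M probes/s: {years_to_sweep('2001:db8::/64'):.0f}")
```

Run over an exported neighbor table instead of the sample list, `audit` shows which hosts on a segment are still using MAC-derived identifiers and which have moved to random ones; the 0xfffe check is only a heuristic, since a manually assigned identifier can contain those bytes too. The sweep estimate is the arithmetic behind the "big waste of time" remark: at a million probes per second, one /64 takes on the order of half a million years to enumerate.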
NightlyShark @JKnott

Dear @JKnott, read the conversation again... Specifically:

@NightlyShark said in How much of a security concern is virtualization:

@starcodesystems Hahaha, if only it were possible to hack a bank from home and have your MAC be a concern these days... I miss those days, the early 2000s. 2002, when I got my first PC.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.