Netgate Discussion Forum

    How much of a security concern is virtualization

    General pfSense Questions
    51 Posts 13 Posters 4.7k Views
    • michmoor @starcodesystems

      @starcodesystems said in How much of a security concern is virtualization:

      I think the banks will use something like Cisco. I don't see them using anything like pfSense or VyOS unless we're talking about community banks / credit unions.

      pfSense is used very heavily in U.S. government agencies and Amazon (warehouses).
      That said, I see where you are coming from in that regard, but it all depends on threat analysis. Maybe it's a better fit for a Palo at a banking system because they generally don't mind that a firewall calls out to a vendor's cloud to pull down updates/threat prevention sigs, etc. Other places are a bit more sensitive to what leaves their network and don't want a chatty firewall. Just all depends on what is the risk.

      Firewall: NetGate,Palo Alto-VM,Juniper SRX
      Routing: Juniper, Arista, Cisco
      Switching: Juniper, Arista, Cisco
      Wireless: Unifi, Aruba IAP
      JNCIP,CCNP Enterprise

      • NightlyShark @starcodesystems

        @starcodesystems Hahaha, if only it was possible to hack a bank from home and have your MAC be a concern these days... I miss those days, early 2000s, 2002, when I got my first PC.

        • netblues @NightlyShark

          @NightlyShark

          The thing is that banks don't dig and install dark fiber themselves. And even metro Ethernet is still shared with other people.
          What happens is segregation of control.
          In critical systems, they rent (e.g.) an MPLS VPN from a carrier. The carrier offers and maintains its own routers at the bank's edge creating the VPN, and the bank has its own boxes, run by their own admins, implementing their own VPNs on top of the carrier VPN.
          And usually they opt for different vendors, so they don't get the same 0-day exploits.

          Good luck with the packet size mtu though :)

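The MTU remark above is the practical cost of stacking the bank's own VPN on top of the carrier's. The following is an added example, not code from this thread or from pfSense, that works out how much of a 1500-byte link MTU survives once an ESP tunnel and a GRE tunnel inside it have each taken their headers, and what TCP MSS you would clamp on the inner tunnel to avoid fragmentation or DF black holes. The header sizes and ESP transform profiles are constructed assumptions typical of an IPsec stack; substitute what your tunnels actually negotiate.

```python
# Fixed per-header sizes in bytes; constructed table for this example.
FIXED = {"ipv4": 20, "ipv6": 40, "tcp": 20, "gre": 4, "mpls_label": 4, "vlan": 4}

# ESP transform profiles as (IV length, pad block size, ICV length).
# Assumed values typical of what an IPsec stack negotiates, not pfSense-specific.
ESP_PROFILES = {
    "aes-cbc-128/hmac-sha1-96": (16, 16, 12),
    "aes-cbc-256/hmac-sha256-128": (16, 16, 16),
    "aes-gcm-128": (8, 4, 16),
}


def esp_overhead(profile: str, outer_ip: str = "ipv4") -> int:
    """Worst-case bytes ESP tunnel mode adds: outer IP header, SPI + sequence (8),
    IV, up to (block - 1) bytes of padding, pad-length + next-header (2), ICV."""
    iv, block, icv = ESP_PROFILES[profile]
    return FIXED[outer_ip] + 8 + iv + (block - 1) + 2 + icv


def inner_mtu(link_mtu: int, layers) -> int:
    """Largest packet that fits after every encapsulation in `layers`
    (outermost first) has taken its share; 'esp:<profile>' uses esp_overhead()."""
    remaining = link_mtu
    for layer in layers:
        if layer.startswith("esp:"):
            remaining -= esp_overhead(layer[4:])
        else:
            remaining -= FIXED[layer]
    return remaining


def tcp_mss(mtu: int, ip: str = "ipv4") -> int:
    """MSS to clamp so a TCP segment plus its IP and TCP headers never exceeds `mtu`."""
    return mtu - FIXED[ip] - FIXED["tcp"]


def fits(packet_len: int, link_mtu: int, layers) -> bool:
    """Would a `packet_len`-byte inner packet traverse the whole stack unfragmented?"""
    return packet_len <= inner_mtu(link_mtu, layers)


if __name__ == "__main__":
    # Constructed scenario: the carrier hands the bank a 1500-byte Ethernet MTU.
    # The carrier's MPLS labels live in its core; the bank's ESP tunnel over that
    # link, and the GRE-over-IPv4 tunnel it carries for routing, are the bank's cost.
    stack = ["esp:aes-gcm-128", "ipv4", "gre"]
    mtu = inner_mtu(1500, stack)
    print("inner MTU", mtu, "-> clamp TCP MSS to", tcp_mss(mtu))
    print("unmodified 1500-byte LAN packet fits:", fits(1500, 1500, stack))
```

If the carrier's core cannot carry jumbo frames and it pushes its label overhead onto the customer-facing MTU instead, model that by prepending the appropriate number of "mpls_label" entries to the stack; the arithmetic is the same, the budget just shrinks further.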
          • netblues @stephenw10

            @stephenw10 said in How much of a security concern is virtualization:

            Yeah when you consider 'cloud' based virtualisation a different set of concerns arise. Not least of which is that some malicious actor could be on the same host as the firewall.

            Thankfully it is very, very difficult to know who your neighbors are.

            • JKnott @starcodesystems

              @starcodesystems said in How much of a security concern is virtualization:

              and IPv6 will point them straight to your NAT'less device MAC Address.

              Only if you configure it that way. You can base your consistent address on either the MAC address or a random number. With SLAAC, random numbers are always used for outgoing connections.

              PfSense running on Qotom mini PC
              i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
              UniFi AC-Lite access point

              I haven't lost my mind. It's around here...somewhere...

              • NightlyShark @JKnott

                @JKnott Won't stop them from knowing the prefix, though.

                • JKnott @NightlyShark

                  @NightlyShark

                  Yep, and each /64 contains 18.4 billion billion addresses, so it will take a while to find something to attack.


                  • NightlyShark @JKnott

                    @JKnott Yeah, but your ISP knows you have the whole prefix...

                    • JKnott @NightlyShark

                      @NightlyShark

                      And how much of a risk is that? I get 256 /64s from my ISP. They'd have to monitor your traffic to see what addresses are in use. How is that any different from them monitoring your IPv4 traffic? The risk is unlikely to come from your ISP. It's from someone else. With IPv4, it's easy to scan through the entire address range, looking for something to attack. The IPv6 address space is so sparsely populated, that would be a big waste of time. Remember, a single /64 contains as many addresses as the entire IPv4 address space squared!


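The exchange above turns on two points: whether an IPv6 address derived with SLAAC exposes the MAC (it does only with EUI-64 interface identifiers, not with random ones), and whether a /64 is scannable (2^64 candidates, unless the identifier is EUI-64, which collapses the search to the 24-bit NIC portion once the vendor OUI is guessed). The following is an added example, not code from this thread or from pfSense, that builds both kinds of identifier, shows what a scanner can read back out of each, and sizes the resulting search space. The prefix and MAC are constructed sample values.

```python
import ipaddress
import secrets

U_L_BIT = 0x02  # universal/local bit in the first octet of an EUI-64 IID


def eui64_iid_from_mac(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A):
    split the 48-bit MAC, insert ff:fe in the middle, flip the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = octets[:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(bytes([eui[0] ^ U_L_BIT]) + eui[1:], "big")


def temporary_iid() -> int:
    """RFC 4941-style temporary IID: 64 random bits with the U/L bit cleared
    so it can never be mistaken for a globally unique EUI-64."""
    raw = bytearray(secrets.token_bytes(8))
    raw[0] &= ~U_L_BIT & 0xFF
    return int.from_bytes(raw, "big")


def slaac_address(prefix: str, iid: int) -> ipaddress.IPv6Address:
    """Combine an advertised /64 prefix with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac_from_address(addr: str):
    """Return the MAC a remote observer can read out of an EUI-64-derived
    address, or None when the IID lacks the ff:fe marker (random/temporary).
    A random IID carries the marker by chance with probability 2**-16."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    mac = bytes([b[0] ^ U_L_BIT]) + b[1:3] + b[5:8]
    return ":".join(f"{x:02x}" for x in mac)


def iid_search_space(eui64: bool, oui_known: bool = False) -> int:
    """Candidates an attacker must try within one /64: 2**64 for random IIDs;
    with EUI-64 the ff:fe bytes are fixed, leaving at most 2**48, and only the
    24-bit NIC part (2**24) once the vendor OUI is guessed."""
    if not eui64:
        return 2 ** 64
    return 2 ** 24 if oui_known else 2 ** 48


if __name__ == "__main__":
    # Constructed sample: documentation prefix and a made-up MAC.
    mac = "00:1b:21:aa:bb:cc"
    eui = slaac_address("2001:db8:1:2::/64", eui64_iid_from_mac(mac))
    tmp = slaac_address("2001:db8:1:2::/64", temporary_iid())
    print(eui, "->", mac_from_address(str(eui)))
    print(tmp, "->", mac_from_address(str(tmp)))
    print(iid_search_space(False), iid_search_space(True, oui_known=True))
```

Run against a host's own global addresses (for example the output of `ifconfig` on the firewall), `mac_from_address` is a quick check that the stable address is not leaking the hardware address; the search-space figures are why the "sparse /64" argument only holds when identifiers are random.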
                      • NightlyShark @JKnott

                        Dear @JKnott, read the conversation again... Specifically:

                        @NightlyShark said in How much of a security concern is virtualization:

                        @starcodesystems Hahaha, if only it was possible to hack a bank from home and have your MAC be a concern these days... I miss those days, early 2000s, 2002, when I got my first PC.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.