Does VMWARE defeat the purpose of PF Sense?
-
Geesus…..So you hack your way in from the bottom up? Once you have compromised the VM, then you get to the hardwarelayer of the VM. Where do you go from there?? I know you can compromise a Windows machine running Workstation/server VM, but that is a flaw in windows combined with VmWare tools. Patched allready by the way...
I am not saying it is all secure, but no one has pointed me in a direction where I can locate information regarding running PFSense in a VM and security flaws in VmWare. So maybe its your world that is flat....not mine. ;)
-
I just dont believe that a device/software application that is supposed to be securing a network or any device should be hosted in a VM. All that has to happen is the host OS be compromised then you can go after the files/programs on that OS including the VM.
Its not neccesarily pf that is the flaw but the vm software or host, you hack the host and you have access to all VMs and other software running on it plus the files.
Like Cry Havok said, there are ways to hack the hardware. which is why if you are running your wan and lan off a dual port card or have them in the same slot group (Each PCI slot is either a master or a slave and when in that mode act as a hub) you are putting yourself at risk. granted it is rare for the hardware attack but it is there. (Found this info with some googleing from various sources), the attack is similar to VLAN hopping.
I was going to do this and mount everything in a Tivo case but security is more important to me than space/convenience -
VLAN hopping….How would you say it compares to the scenario of running pfsense in a VM with untagged traffic on the physical switch??
-
I wasnt referring to a VM but to the hardware exploits of nics. Because on a dual nic or with cards that share the same bus (master/slave) one can go from the one nic to the other via a hardware hack/exploit, it is hard to do but is possible.
-
Yes but the NIC's belonging to the VM is virtual….and sitting on a virtual switch.
So again....you have to have access to the hardware on the console to get to the underlying host if not running Windows. The way ESX/i works, you cant communicate to the physical hardware via a VM. You have to gain access to a Vcenter server or the physical console.
That is why its usually run on a network with no outside access at all. You cant see the admin interface in the hardware for the VM. It is not connected to the same switch as outside traffic. Furthermore, in my case, all servers are handled by layer7 inspection when communicating internally. So even the internal traffic is analyzed :)
Currently I have no issues running PF in a VM on a hardened ESXi. I have had a lot of people trying to get in, but all have failed. PF does a very good job, and a very good thing about running PF in a VM, is that it allocates ressources on a need to basis. Therefore you wont be so vulnerable to DoS attacks and running out of ressources like you would on a physical machine.
I wasnt referring to a VM but to the hardware exploits of nics. Because on a dual nic or with cards that share the same bus (master/slave) one can go from the one nic to the other via a hardware hack/exploit, it is hard to do but is possible.
-
I say it all depends on how critical the data you're in charge of protecting is. If some exotic method of cracking into your data is enough to scare you away from sticking pfsense in a vm, then you are probably working with something worth spending some money on protecting that will give you "better" results.
If you're simple worried about someone gaining access to your systems and wreaking havoc, well you should have a solid backup / dr plan anyway :P.
Microsoft, Citrix, and VMWare aren't going to allow their virtualization products to run around wildly with known exploits unpatched and vulnerable. Speaking of patch management… well you can probably guess what I'd say.
-
Exactly…..:D
-
Well thanks guys. You all gave me a lot to read. :)
The server has nothing "business" critical on it. I'm basically just planning to build a file server at home so the whole family can access shared pics, music, and anything else I put on it. I've been thinking of a box with multiple Raid 1s on it (e.g. a raid for family photos, another for music/family videos, etc), but at the same time, this box will be a game server since I still have the occasional Lan party at home. And I will have multiple NICs on it.
So basically, this box will always be on, and since it will be, I figured why not also transform it into a dedicated firewall and ditch the wall I have in the DSL modem. pfSense is probably over kill, but since it will house important personal things on it, I figured why not give it a go.
I've been playing around with pfSense these past few days, and wow, does it have options!
-
Instead of running multiple RAID1's I would advice you to concider running RAID5 or RAID6 in hardware, much less overhead, in practice, just as good failure protection.
-
Nope…..Raid5 sucks on large drives....Raid10 is the optimal solution on the hardware. Raid1 if running on 2TB physical drives due to the 2TB LUN limit in VmWare.
-
Nope…..Raid5 sucks on large drives....Raid10 is the optimal solution on the hardware. Raid1 if running on 2TB physical drives due to the 2TB LUN limit in VmWare.
Indeed, however for those of us who are not used to SATA-drives in such a config (usually not supported) we usually have 146->300GB drives, and then a RAID5 is the most logical solution ;-)
-
Depending on hardware, 2TB is supported on most of the newer servers. :) But I know what you mean.
If storage is an issue, and most of the time it is, then Raid5 is useful. However VERY vulnerable to complete loss of data…..
Nope…..Raid5 sucks on large drives....Raid10 is the optimal solution on the hardware. Raid1 if running on 2TB physical drives due to the 2TB LUN limit in VmWare.
Indeed, however for those of us who are not used to SATA-drives in such a config (usually not supported) we usually have 146->300GB drives, and then a RAID5 is the most logical solution ;-)
-
Some very smart people have said ANY virtualization on x86 platforms is going to have security issues. Now they may be purely theoretical, but there's a fine line between theory and reality when you're betting important data on it.
I put in lots of firewalls. Mine are all openbsd. I have always been interested in this project though. Yes I have run pfsense in vm's to check it out.
But I'm simply not willing to put important perimeter security devices in vm's for production. I consider that a flawed approach to security. You will be much safer to run production firewalls on the metal.
-
Do you actually have a clue of what you are talking about here??
The short version, is your wrong….
The long one is here.
Some very smart people have said ANY virtualization on x86 platforms is going to have security issues. Now they may be purely theoretical, but there's a fine line between theory and reality when you're betting important data on it.
I put in lots of firewalls. Mine are all openbsd. I have always been interested in this project though. Yes I have run pfsense in vm's to check it out.
But I'm simply not willing to put important perimeter security devices in vm's for production. I consider that a flawed approach to security. You will be much safer to run production firewalls on the metal.
-
LOL
Well…I'm not going to read my resume but yes....I've been around the block.
Hey....you guys can do what you want. I'm just telling you I'm not crazy about running my perimeter security on a vm.
-
Hi Guys
regaring raid1. I lost more than 16 years movies at home loosing one of my HDD's. I now stick to raid5. Slower, but I can loose a drive and still rebuild the raid. Actually, lately (I run XBMC-LIVE) I decided it is cheep enough to build a duplicate machine and I use rsync (WHAT A UTILITY!) to sync the 2 systems. No more raid, only HDDS…Regarding VM's. I do not claim to be an expert, but I run 2 VM's in my business. It is a huge saving on resources and very stable (ESXi4.1) . I run various OS's over the configuration. I do see attemted break-ins, but never actually got one (that I know of ;))
My business is NPO of nature and every cent/sent needs to be turned over before spent. VM's did this for us.
I would also like to say (please don't slagg me on this) I run my live firewall on PFBeta2! It works and it works well. My previous solution (14 years old) was way more buggy than PFB2 and the trade-off worth it. I did get some break-ins on my previous FW, but so far, so good :)
Kind regards
Aubrey Kloppers -
The past few days I've been running my pfSense 2.0 in VirtualBox on a Windows 2008 R2 server housing 6 TB of important data. Now this is all personal stuff in my home, and I would never do this in production for any company at this point. But I wanted to point out that by not associating any protocols with my dedicated WAN network adapter that isolates my host OS (Windows 2008 R2) from the internet very effectively. I virtualized in order to save on electricity. For anyone wanting to do the same and has a windows based server or htpc and is also hurting on the electric bill…you may have had the same thought as me. That's why I wanted to put this out there. I've been working with computers a long time and this strikes me as a quick and simple enough solution for home use.
