Does VMWARE defeat the purpose of PF Sense?
-
I wasnt referring to a VM but to the hardware exploits of nics. Because on a dual nic or with cards that share the same bus (master/slave) one can go from the one nic to the other via a hardware hack/exploit, it is hard to do but is possible.
-
Yes but the NIC's belonging to the VM is virtual….and sitting on a virtual switch.
So again....you have to have access to the hardware on the console to get to the underlying host if not running Windows. The way ESX/i works, you cant communicate to the physical hardware via a VM. You have to gain access to a Vcenter server or the physical console.
That is why its usually run on a network with no outside access at all. You cant see the admin interface in the hardware for the VM. It is not connected to the same switch as outside traffic. Furthermore, in my case, all servers are handled by layer7 inspection when communicating internally. So even the internal traffic is analyzed :)
Currently I have no issues running PF in a VM on a hardened ESXi. I have had a lot of people trying to get in, but all have failed. PF does a very good job, and a very good thing about running PF in a VM, is that it allocates ressources on a need to basis. Therefore you wont be so vulnerable to DoS attacks and running out of ressources like you would on a physical machine.
I wasnt referring to a VM but to the hardware exploits of nics. Because on a dual nic or with cards that share the same bus (master/slave) one can go from the one nic to the other via a hardware hack/exploit, it is hard to do but is possible.
-
I say it all depends on how critical the data you're in charge of protecting is. If some exotic method of cracking into your data is enough to scare you away from sticking pfsense in a vm, then you are probably working with something worth spending some money on protecting that will give you "better" results.
If you're simple worried about someone gaining access to your systems and wreaking havoc, well you should have a solid backup / dr plan anyway :P.
Microsoft, Citrix, and VMWare aren't going to allow their virtualization products to run around wildly with known exploits unpatched and vulnerable. Speaking of patch management… well you can probably guess what I'd say.
-
Exactly…..:D
-
Well thanks guys. You all gave me a lot to read. :)
The server has nothing "business" critical on it. I'm basically just planning to build a file server at home so the whole family can access shared pics, music, and anything else I put on it. I've been thinking of a box with multiple Raid 1s on it (e.g. a raid for family photos, another for music/family videos, etc), but at the same time, this box will be a game server since I still have the occasional Lan party at home. And I will have multiple NICs on it.
So basically, this box will always be on, and since it will be, I figured why not also transform it into a dedicated firewall and ditch the wall I have in the DSL modem. pfSense is probably over kill, but since it will house important personal things on it, I figured why not give it a go.
I've been playing around with pfSense these past few days, and wow, does it have options!
-
Instead of running multiple RAID1's I would advice you to concider running RAID5 or RAID6 in hardware, much less overhead, in practice, just as good failure protection.
-
Nope…..Raid5 sucks on large drives....Raid10 is the optimal solution on the hardware. Raid1 if running on 2TB physical drives due to the 2TB LUN limit in VmWare.
-
Nope…..Raid5 sucks on large drives....Raid10 is the optimal solution on the hardware. Raid1 if running on 2TB physical drives due to the 2TB LUN limit in VmWare.
Indeed, however for those of us who are not used to SATA-drives in such a config (usually not supported) we usually have 146->300GB drives, and then a RAID5 is the most logical solution ;-)
-
Depending on hardware, 2TB is supported on most of the newer servers. :) But I know what you mean.
If storage is an issue, and most of the time it is, then Raid5 is useful. However VERY vulnerable to complete loss of data…..
Nope…..Raid5 sucks on large drives....Raid10 is the optimal solution on the hardware. Raid1 if running on 2TB physical drives due to the 2TB LUN limit in VmWare.
Indeed, however for those of us who are not used to SATA-drives in such a config (usually not supported) we usually have 146->300GB drives, and then a RAID5 is the most logical solution ;-)
-
Some very smart people have said ANY virtualization on x86 platforms is going to have security issues. Now they may be purely theoretical, but there's a fine line between theory and reality when you're betting important data on it.
I put in lots of firewalls. Mine are all openbsd. I have always been interested in this project though. Yes I have run pfsense in vm's to check it out.
But I'm simply not willing to put important perimeter security devices in vm's for production. I consider that a flawed approach to security. You will be much safer to run production firewalls on the metal.
-
Do you actually have a clue of what you are talking about here??
The short version, is your wrong….
The long one is here.
Some very smart people have said ANY virtualization on x86 platforms is going to have security issues. Now they may be purely theoretical, but there's a fine line between theory and reality when you're betting important data on it.
I put in lots of firewalls. Mine are all openbsd. I have always been interested in this project though. Yes I have run pfsense in vm's to check it out.
But I'm simply not willing to put important perimeter security devices in vm's for production. I consider that a flawed approach to security. You will be much safer to run production firewalls on the metal.
-
LOL
Well…I'm not going to read my resume but yes....I've been around the block.
Hey....you guys can do what you want. I'm just telling you I'm not crazy about running my perimeter security on a vm.
-
Hi Guys
regaring raid1. I lost more than 16 years movies at home loosing one of my HDD's. I now stick to raid5. Slower, but I can loose a drive and still rebuild the raid. Actually, lately (I run XBMC-LIVE) I decided it is cheep enough to build a duplicate machine and I use rsync (WHAT A UTILITY!) to sync the 2 systems. No more raid, only HDDS…Regarding VM's. I do not claim to be an expert, but I run 2 VM's in my business. It is a huge saving on resources and very stable (ESXi4.1) . I run various OS's over the configuration. I do see attemted break-ins, but never actually got one (that I know of ;))
My business is NPO of nature and every cent/sent needs to be turned over before spent. VM's did this for us.
I would also like to say (please don't slagg me on this) I run my live firewall on PFBeta2! It works and it works well. My previous solution (14 years old) was way more buggy than PFB2 and the trade-off worth it. I did get some break-ins on my previous FW, but so far, so good :)
Kind regards
Aubrey Kloppers -
The past few days I've been running my pfSense 2.0 in VirtualBox on a Windows 2008 R2 server housing 6 TB of important data. Now this is all personal stuff in my home, and I would never do this in production for any company at this point. But I wanted to point out that by not associating any protocols with my dedicated WAN network adapter that isolates my host OS (Windows 2008 R2) from the internet very effectively. I virtualized in order to save on electricity. For anyone wanting to do the same and has a windows based server or htpc and is also hurting on the electric bill…you may have had the same thought as me. That's why I wanted to put this out there. I've been working with computers a long time and this strikes me as a quick and simple enough solution for home use.
