2.2 on Hyper-V on Windows 8.1
-
Because I think it's foolish to run a firewall virtualized under a consumer-level OS. I'm coming from a corporate enterprise perspective, not home users, but even then I wouldn't think of doing that. You want as small an attack surface as you can manage. Best practice is to never connect the OS directly to the Internet. What you're doing is putting an OS with a long history of trading convenience for security directly on the wire. Any traffic to/from your end is going to be processed by the Windows TCP/IP stack first and then passed along to the virtualized NIC. It's like owning a nightclub and putting a bouncer in the bathroom; by the time the bouncer is aware of a problem, the problem is already in the club.
-
@KOM:
…Any traffic to/from your end is going to be processed by the Windows TCP/IP...
Not true. I dont find the correct link at the moment, but under Hyper-V, even the guest os (Windows 8 in this case) has no direct access to the NICs (like in Server 2012 R2 with Hyper-V)
WAN
|
Hyper-V
|
V-Switch
|
Guest OS + VMs -
Let;s just say that you are a braver man than I, and you have much more faith in Microsoft than I do.
-
@KOM:
Because I think it's foolish to run a firewall virtualized under a consumer-level OS. I'm coming from a corporate enterprise perspective, not home users, but even then I wouldn't think of doing that. You want as small an attack surface as you can manage. Best practice is to never connect the OS directly to the Internet. What you're doing is putting an OS with a long history of trading convenience for security directly on the wire. Any traffic to/from your end is going to be processed by the Windows TCP/IP stack first and then passed along to the virtualized NIC. It's like owning a nightclub and putting a bouncer in the bathroom; by the time the bouncer is aware of a problem, the problem is already in the club.
im a 1000% with you on this. now running a VM under ESXi is different as theres nothing more than the hypervisor there . with Microsoft you have a Huge Gapping hole to be attacked.
I also are in Corporate enterprise sector. we have a policy that states "NO Windows Operating systems shall be used on ANY server that has internet services running on it PERIOD"
-
Of course there's nothing wrong with using pfSense in a vm to firewall the other vms.
I agree though Windows is not a great host OS for a firewall. However it looks like you're running Windows as a server rather than a desktop in which case why not use a real hypervisor, like ESXi, and run both Windows and pfSense as VMs.Steve
-
@SunCatalyst:
@KOM:
Because I think it's foolish to run a firewall virtualized under a consumer-level OS. I'm coming from a corporate enterprise perspective, not home users, but even then I wouldn't think of doing that. You want as small an attack surface as you can manage. Best practice is to never connect the OS directly to the Internet. What you're doing is putting an OS with a long history of trading convenience for security directly on the wire. Any traffic to/from your end is going to be processed by the Windows TCP/IP stack first and then passed along to the virtualized NIC. It's like owning a nightclub and putting a bouncer in the bathroom; by the time the bouncer is aware of a problem, the problem is already in the club.
im a 1000% with you on this. now running a VM under ESXi is different as theres nothing more than the hypervisor there . with Microsoft you have a Huge Gapping hole to be attacked.
I also are in Corporate enterprise sector. we have a policy that states "NO Windows Operating systems shall be used on ANY server that has internet services running on it PERIOD"
that's actually an incorrect statement. you could just as easily run hyper-v server (which would be the same as esxi). additionally, you could even run server core which would still minimize the surface attack footprint.
-
Exactly.
I went to hardware from Hyper-V and ESXi but just because I got myself pretty little Atom box with 4 nics in it :)When this box dies, pfSense goes directly to Hyper-V server (2012 R2).
It is the same as ESXi, real hypervisor and when you lock it down its just as secure as ESXi… -
@SunCatalyst:
@KOM:
Because I think it's foolish to run a firewall virtualized under a consumer-level OS. I'm coming from a corporate enterprise perspective, not home users, but even then I wouldn't think of doing that. You want as small an attack surface as you can manage. Best practice is to never connect the OS directly to the Internet. What you're doing is putting an OS with a long history of trading convenience for security directly on the wire. Any traffic to/from your end is going to be processed by the Windows TCP/IP stack first and then passed along to the virtualized NIC. It's like owning a nightclub and putting a bouncer in the bathroom; by the time the bouncer is aware of a problem, the problem is already in the club.
im a 1000% with you on this. now running a VM under ESXi is different as theres nothing more than the hypervisor there . with Microsoft you have a Huge Gapping hole to be attacked.
I also are in Corporate enterprise sector. we have a policy that states "NO Windows Operating systems shall be used on ANY server that has internet services running on it PERIOD"
No, the real hypervisor in Win Server 2012R2 or Win 8.1 (which is technical the same) is more or less similar to ESXi. May be that in the microsoft network is somewhere a bug, may be in the ESXi too? Many thousands of Microsoft webserver are directly connected to the internet, a much more point of interest than my home server.
-
Don't make the mistake of thinking that just because your server has nothing interesting on it it will be any lesser target. The vast majority of hack attempts are automated bots that don't care what's on your network.
Steve
-
I did some reading as my knowledge of Hyper-V was based on older 2008/2012. I was surprised to find that MS closed the gap with VMware by making the Hyper-V layer the base layer (when installed) and then running Windows Server as a Parent VM on top of that.
The one thing that did jump out at me was that Hyper-V on Server 2012 R2 is NOT the same as client Hyper-V on Win 8.1 - not even close. Server Hyper-V is the actual Type 1 hypervisor layer with Parent VM OS on top of that, similar to VMware ESXi. Client Hyper-V is Type 2 with a Windows base OS and then MS's Virtual PC layered on top of that, similar to VMware Workstation.
Unless OP is short on hardware, I would recommend that he install Windows Server 2012 R2 if he wants to run pfSense under Hyper-V.
-
@KOM:
..Client Hyper-V is Type 2 with a Windows base OS and then MS's Virtual PC layered on top of that, similar to VMware Workstation.
Unless OP is short on hardware, I would recommend that he install Windows Server 2012 R2 if he wants to run pfSense under Hyper-V.
I'm 99,9 % certain that Client Hyper-V is also type 1 (Win8+/Srv2012+)
As a side note, there is also a free windows hypervisor called "Hyper-V Server 2012 R2)
-
I'm no expert on this and I agree things seem to have moved forward since I was last paying attention. Hyper-V server appears to be at least type 1-ish although it's built with Windows components. However the versions built into Windows OS appear less so.
@http://en.wikipedia.org/wiki/Hyper-V:A hypervisor instance has to have at least one parent partition, running a supported version of Windows Server (2008, 2008 R2, or 2012). The virtualization stack runs in the parent partition and has direct access to the hardware devices.
If the OS running in the parent partition has access to the hardware directly it still represents an attack surface no?
If I were doing this I'd choose another hypervisor or at least use the Hyper-V server variant.
Steve
-
@KOM:
..Client Hyper-V is Type 2 with a Windows base OS and then MS's Virtual PC layered on top of that, similar to VMware Workstation.
Unless OP is short on hardware, I would recommend that he install Windows Server 2012 R2 if he wants to run pfSense under Hyper-V.
I'm 99,9 % certain that Client Hyper-V is also type 1 (Win8+/Srv2012+)
As a side note, there is also a free windows hypervisor called "Hyper-V Server 2012 R2)
Yes, HyperV on Server 2012r2 and Win 8.1 are a type 1 hypervisor and are not the same as Vmware Workstation, which is similar to Virtualbox or the former MS-VirtualPC, all classic type 2 hypervisors. HyperV is similar to ESXi.
For sure if an application, which runs on my homeserver has a security hole, a bot can enter my network. But I see no difference, whether I run it on a different PC or on my homeserver, the bot is also able to enter and doing all the bad things he want to do.The advantage of the free Hyper-V Server 2012 R2 is, that it uses less resources and has more build in utilities for managing the VMs, but i am satisfied with the Win 8.1 Tools and resources I have more than enough.
-
Yes, HyperV on Server 2012r2 and Win 8.1 are a type 1 hypervisor…
This statement is a contradiction.
AFAIK the definition of a type 1 hypervisor is that it is the OS and runs on bare metal without any host OS. Therefore a type 1 hypervisor doesn't run ON Server 2012r2, Win 8.1 or any other host OS.
-
That same wiki link lists hyper-v as a type 1.
All systems have a host os (esxi kernel is linux) just nobody wants to call is an OS. :) -
@P3R:
Yes, HyperV on Server 2012r2 and Win 8.1 are a type 1 hypervisor…
This statement is a contradiction.
AFAIK the definition of a type 1 hypervisor is that it is the OS and runs on bare metal without any host OS. Therefore a type 1 hypervisor doesn't run ON Server 2012r2, Win 8.1 or any other host OS.
Wrong, ESXi is a Linux derivative, thats why you need ESXi drivers to run your diskcontroller, raid, etc…
-
Hyper-V IS type 1 hypervisor and it is exactly the same thing as ESXi as far as TYPE is concerned…
My Hyper-V is locked down completley and it is just secure as any other ESX box.
I used ESXi for many years bt now I`m on Hyper-v 3 years already.Stop bullshitting about ESXi being more secure than Hyper-V it is a matter of configuration and admin decisions...
I`ve seen ESX boxes with port 22 being available on the net, U/P root/toor, root/root combos etc...And yes, do not install pfsense on Win 8.1 hypervisor, use 2012 R2 for that.
And no, I`m not a MS fan I just try to combine best of the 3 worlds (MS, *nix and BSD).My 2 cents.
-
@P3R:
Yes, HyperV on Server 2012r2 and Win 8.1 are a type 1 hypervisor…
This statement is a contradiction.
AFAIK the definition of a type 1 hypervisor is that it is the OS and runs on bare metal without any host OS. Therefore a type 1 hypervisor doesn't run ON Server 2012r2, Win 8.1 or any other host OS.
All I`m gonna say to this statement is a big fat LOL.
ESXi uses vmkernel for it`s OS. ESXi vmkernel IS NOT LINUX BASED.
-
That same wiki link lists hyper-v as a type 1.
I have no problem with that and it wasn't what I argued. I'm neither a MS fanboy nor a basher.
What is problematic to me is when someone think it is important to make distinctions between type 1 and type 2 hypervisors, claiming that one product is of a certain type and at the same time saying things being in total opposition with the very definition (known to me) of how hypervisors are grouped into types. I just pointed at the contradiction and flawed logic in that statement.
-
I'm 99,9 % certain that Client Hyper-V is also type 1 (Win8+/Srv2012+)
Yes, you are right. I read some more incorrect information.
