Just a firewall, in hardware.
-
…
> @P3R: You come back to this all the time. I don't think virtualization is insecure when it works exactly the way it was designed and documented. I only worry about when it doesn't…
That's what I'm wondering, how could it not work properly? I've been using it for years and never noticed any issues; what type of problems concern you? I would think that anything that bugged out would result in a blue screen/reboot or simply a crash of the network before anything else. Most of these virtualization technologies are deployed in scales far beyond the breadth of what the hobbyist/prosumer could ever remotely afford, all across the world. If there were problems we likely wouldn't be the first ones to find them.
Part of what makes vulnerabilities so hard to find is that when software is used as originally intended by the authors the vulnerability is not evident. Black hats, if the code is closed-source, can interrogate software with invalid inputs or unexpected situations not anticipated by the developers and get behavior which is outside the scope a normal user would encounter. If it's open source, they can do their own code review and look for vulnerabilities, but IMO open source is less likely to be vulnerable simply because more people are watching anything with critical exposure.
One simple example is when a simple web form is put up: a user can inject SQL into a text field and have that SQL execute against the database if proper care was not taken to prevent it. A normal user won't even think of trying something like that, but somebody with bad intent certainly would be interested.
What's on the list of CVEs doesn't bother me, it's what's not on the list.
-
> It's not so much Comcast "saving" me, it's just that there's no internet traffic allowed as I don't pay for multiple IP addresses.
It was you that started this part of the discussion by asking what others saw as potential issues with virtualizing firewalls, and yet you keep referring to very specific things about your situation that you think make you safe from all possible administrative mistakes.
I don't believe that you're totally invulnerable from the consequences of your mistakes, but I'm not smart enough to think about every different misconfiguration in all scenarios, so I can't give you a detailed example of when it could be dangerous.
Let's just say that for most of the rest of the world, human error is one of the risks, and with a virtualized firewall that risk is higher than with dedicated hardware.
> …what type of problems concern you?
I've told you several times now and I'm sorry but I don't think you will get it any better if I tell you the same things again. I think we have to accept that we don't understand each other.
-
> So getting back to my intent with my network:
Great!
I'm sorry for adding to the off-topic part but in the beginning I really thought it could be an interesting addition to the discussion. I was wrong. :-[
> The c2758 does NOT have VT-d support… I gave you my point of view and recommendations for better solutions in my first post to the thread. …it's my belief that two separate firewalls are more secure than a single firewall.
Yes that is a valid point but normally you would then want two firewalls of different origin to minimize the risk that they share the same vulnerabilities. Even if we like pfSense, you'd lose much of the two-firewalls-in-a-row-advantage if both are the same. Maybe a true appliance type of firewall could be better as your first level of defense then? You'd have plenty to choose from at whatever price level you feel is acceptable.
-
> Part of what makes vulnerabilities so hard to find is that when software is used as originally intended by the authors the vulnerability is not evident. Black hats, if the code is closed-source, can interrogate software with invalid inputs or unexpected situations not anticipated by the developers and get behavior which is outside the scope a normal user would encounter. If it's open source, they can do their own code review and look for vulnerabilities, but IMO open source is less likely to be vulnerable simply because more people are watching anything with critical exposure.
> One simple example is when a simple web form is put up: a user can inject SQL into a text field and have that SQL execute against the database if proper care was not taken to prevent it. A normal user won't even think of trying something like that, but somebody with bad intent certainly would be interested.
> What's on the list of CVEs doesn't bother me, it's what's not on the list.
I realize and appreciate that you're being informative and attempting to help me understand, but I already know what SQL injection attacks are and how to program stored procedures specifically to avoid them. I also know how VT-x and VT-d both work. However, I don't know everything, far from it. That being said, I seem to be outnumbered, so I'll just finish up with a final post or two and let the thread get back to its original topic of your hardware. I do agree that there are chances to introduce bugs and vulnerabilities by using a virtualized platform, though I also feel that the bugs and vulnerabilities are so few and far between and non-businesses are such a non-target that the risk increase is absolutely minuscule. With my (admittedly limited) knowledge, I feel that the hypervisors are insulated enough from the network layer of the WAN that any bugs that should be concerning are much more likely to happen with exposed services than with the hypervisor. What I mean is that my vent or web server are MASSIVELY more likely to be targeted for vulnerabilities than the rather obscure surface area of a Hyper-V virtual adapter that's insulated against the host OS being exposed to the WAN.
Do you guys not have exposed services? I keep mine to an absolute minimum, but most networks have something exposed. I VLAN them off to a separate network before anyone tries to explain that to me.
-
> It was you that started this part of the discussion by asking what others saw as potential issues with virtualizing firewalls, and yet you keep referring to very specific things about your situation that you think make you safe from all possible administrative mistakes.
> I don't believe that you're totally invulnerable from the consequences of your mistakes, but I'm not smart enough to think about every different misconfiguration in all scenarios, so I can't give you a detailed example of when it could be dangerous.
This is true, I pointed out specifics for my circumstances. There is always a chance of operator error with anything, and I will concede that adding a layer such as virtualization adds to those chances, however minimally. I will contend that this type of situation is a set-it-and-forget-it situation for most people, and that configuration issues can occur anywhere and everywhere.
> I've told you several times now and I'm sorry but I don't think you will get it any better if I tell you the same things again. I think we have to accept that we don't understand each other.
I've asked for some specific examples of what you feel might go wrong, something like "the hardware abstraction layer might break" or something, but you've just said "bugs," "user error," or "possible vulnerabilities." My point is that there are potential vulnerabilities in everything, but if you're THAT afraid of bugs/vulnerabilities you're always going to have reasons to not use something. The very essence of Hyper-V is the restriction of virtual machines and networks; it's inherent in the very function of how vswitches work. At this point you can point to OpenSSL and Heartbleed and say that things designed for protection can fail too, to which I would say that, in the event that this does become an issue, you will be so far down the totem pole in terms of people to attack you wouldn't be able to be seen imo. 99% of the stuff that hits my firewall is attempts to connect to an insecure/barely secured SSH server or an exposed SQL database using the SA user, of which I'm fairly certain all of it is automated by a script just scouring the internet. I worked at an MSP that had its own data center for 6 years while I was in high school and college. They had exactly one instance of someone getting hacked, and when we looked into it, it was because their webserver administrator password was "password." That was far less destructive than the genius they hired who tried to format his iPod on a client's server and ended up wiping the entire server, but that's a different story.
> Yes that is a valid point but normally you would then want two firewalls of different origin to minimize the risk that they share the same vulnerabilities. Even if we like pfSense, you'd lose much of the two-firewalls-in-a-row-advantage if both are the same. Maybe a true appliance type of firewall could be better as your first level of defense then? You'd have plenty to choose from at whatever price level you feel is acceptable.
If you're going to get to this point, you might as well make sure that the NICs are different brands, just in case there's some sort of firmware issue that could be exploited. You should also make sure you use different ECC RAM modules for them in case they're susceptible to bit-flipping attacks. Also different processor brands in case a feature on one of them could be exploited.
-
@P3R,
I'm still looking at options for hardware, and using some of your recommendations as starting points.
My outer firewall will probably be Linux. It's something I know, and I can compile a kernel with almost all the features removed and throw together an insanely small flash card image with nothing on it which is unnecessary. I can script the install to a flash card, and software updates would be swapping out the flash card.
This way there won't even be any support for features I don't want, and no way to instigate a connection from that box inward.
I posted all that because it seems you don't understand it, or maybe it's just the nature of vulnerabilities. You don't anticipate where a future bug or vulnerability might be. If you knew where to look, someone could just pay more attention to that bit of code and everything would be cool.
Anything which is designed by a human can and probably does have faults. Our minds are not all-encompassing, and if a scenario comes up we hadn't thought of, then it's extremely possible that our hardware or software is lacking.
I really don't think the "small target" theory holds much water. If nothing else, attackers are interested in a new place to attack from, even if my computers don't hold any data they're interested in. And you can't anticipate the reasoning for what a black hat does either. The NSA is looking for intelligence it can use for fulfillment of its mission, and probably people who work there have a few of their own personal interests as well, who knows? Some guys want your money, some guys want your identity, some guys want to break anything they can touch, and some guys are after information of a different sort.
The universe we don't know is much bigger than the one we know. I intend to do what I can about the things I know, and account for as much that I don't know as I'm able.
-
Since you already have the knowledge, the Linux approach is perfect. If you search this forum you will find many suggestions of non-expensive hardware that should be adequate even for high speeds if necessary, considering the fairly simple task your outer firewall will have.
-
OP, it sounds like you know what you want, so I apologize for derailing this topic with conjecture. I'm curious as to what you plan to run on this appliance; in your first post you mention you want logging in case there's "something fishy" going on. Does that include packet filtering on the gigabit internet connection? It sounds like you'll need something ITX size at least if you plan on being prepared for 10GB; do you have any size preferences or sound preferences?
I'm not good at picking out appliance-like devices, but it may help some other people offer suggestions.
-
I have a very specific idea of what I want to do, but I'm terrible at picking hardware. Which is why I started this thread.
The 10gbps NIC isn't actually planned, but it would be nice to have something that could handle it. Thinking about it now, I should remove that as a requirement because I think it automatically bumps me up in price beyond any reasonable over-sizing of a gigabit connection.
I would prefer ECC-capable hardware though, which I don't think I added to my original spec.
Logging: My intent is a read-only boot for the outside firewall. Perhaps even DHCP-boot, and maintain the image on a server inside. Logging would necessarily be abbreviated so it can fit inside of a gigabit line. I guess that could technically be a reason for a third NIC.
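As an added example, not code from this thread or from pfSense: an nftables ruleset for the minimal read-only outer Linux firewall sketched two posts up (forwarding only, no connection originated inward) combined with the abbreviated logging to an inside box mentioned here. Interface names eth0/eth1 and the collector address 192.0.2.10 are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread, not pfSense code): nftables ruleset for the
# outer Linux firewall. Inside may go out and replies come back; nothing new from
# the WAN reaches the box or the inside; the box itself may start only one
# connection inward, rate-limited syslog to a collector. Assumed names: eth0 = WAN,
# eth1 = inner side, 192.0.2.10 = constructed collector address (documentation range).
WAN_IF="${WAN_IF:-eth0}"
INNER_IF="${INNER_IF:-eth1}"
LOG_HOST="${LOG_HOST:-192.0.2.10}"

# Emit the ruleset text; a function so it can be inspected or checked without nft.
outer_fw_ruleset() {
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # nothing new from the WAN reaches the box itself; not logged, it is only noise
        iifname "$WAN_IF" drop
        # everything else is logged as a rate-limited trickle, then dropped
        limit rate 5/minute log prefix "outer-fw in-drop: " drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # inside may open connections outward; the WAN may open none inward
        iifname "$INNER_IF" oifname "$WAN_IF" accept
        limit rate 10/minute log prefix "outer-fw fwd-drop: " drop
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        # the only connection the box may originate: syslog to the inside collector
        oifname "$INNER_IF" ip daddr $LOG_HOST udp dport 514 accept
        # no DNS, no package fetches, no callbacks; updates are a flash-card swap
        limit rate 5/minute log prefix "outer-fw out-drop: " drop
    }
}
EOF
}
# Sanity check for the two properties the posts ask for: every chain defaults
# to drop, and every log rule is rate-limited so logging stays abbreviated.
ruleset_is_sane() {
    rs=$(outer_fw_ruleset)
    [ "$(printf '%s\n' "$rs" | grep -c 'policy drop;')" -eq 3 ] || return 1
    logs=$(printf '%s\n' "$rs" | grep -c 'log prefix')
    limited=$(printf '%s\n' "$rs" | grep -c 'limit rate .* log prefix')
    [ "$logs" -eq "$limited" ] && [ "$logs" -gt 0 ]
}
# Parse-check only (-c applies nothing) when nft is available and we are root.
if command -v nft >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    outer_fw_ruleset | nft -c -f - && echo "ruleset parses; load it with: nft -f"
fi
```

A DHCP-booted variant would additionally need to accept DHCP on the inner interface in the input and output chains; the ruleset above assumes the image boots from local read-only media.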
-
> I have a very specific idea of what I want to do, but I'm terrible at picking hardware. Which is why I started this thread.
> The 10gbps NIC isn't actually planned, but it would be nice to have something that could handle it. Thinking about it now, I should remove that as a requirement because I think it automatically bumps me up in price beyond any reasonable over-sizing of a gigabit connection.
> I would prefer ECC-capable hardware though, which I don't think I added to my original spec.
> Logging: My intent is a read-only boot for the outside firewall. Perhaps even DHCP-boot, and maintain the image on a server inside. Logging would necessarily be abbreviated so it can fit inside of a gigabit line. I guess that could technically be a reason for a third NIC.
Read-only booting can be done using a CD-R, or a USB stick with a hardware write-protect switch. Configuration needs to be somewhere though, maybe on a separate writable storage device? Using network booting or server-served images isn't going to help you security-wise if the server would be compromised. If you want to protect yourself from local hardware access hacks, network-booting only helps if your image server cannot be compromised the same way the router can be.
Regarding hardware: would a X10SLV-Q and a Xeon E3 v3 (use a Dynatron K199 cooler) not fit the bill? There is no iKVM on that board, but other than that it gets pretty much everything done and can be mounted in a 1U high case (be it an actual rack case or a wallmounted or desktop case). It's about 500 euros to setup here, not sure what the prices would be at your location.
-
Is there a price range/region for what you're looking for? Maybe power considerations? I know you have an Atom board for your virtualization box, which leads me to think you'd want something similar in power point to that box. I will say that if you want something relatively solid but lightweight processing-wise, you could use a TS-140, which sells for cheap on Amazon. They come with the lowest-end i3 there is (4130) and 4GB of ECC 1600MHz memory, which fits your original specs. It also has 3x PCI Express expansion slots, 2 of which could easily support a modern NIC card. I will say that the BIOS is a bit "meh" on it though. With an old gigabit CT card I had laying around it booted fine and fast. With the Intel 82571GB dual-port card I grabbed off of eBay it would hang at the BIOS screen for a minute and a half before reluctantly booting. It did work fine once booted; I just think it has some sort of code in the BIOS that looks for vendor information. It also could have been due to the UEFI booting, but I didn't test non-UEFI. Mine idles at 30 watts from the wall with an SSD and an AMD 270x video card in it. I re-purposed it as an HTPC with a backup copy of my pfSense. They also have lots of USB3 ports, so you could get a write-protect-switch USB3 drive and use that.
If you were looking for something more appliance like, the netgate store looks like it has some really neat light-weight/powered appliances that could suit your purpose. They have devices that run off of the SD cards like what you originally mentioned. They'd use less power, take up less space, and also in general be more appliance-y.
-
For price point, I guess I would be looking for "cheaper." Meaning, cheaper than some sort of QuickAssist-enabled hardware. Netgate has an RCC-VE-2440 appliance for $350 USD; I guess if the alternative were more than $250 I would have to think hard before going with the 2440. It's non-ECC, which is a drag, but it's already set up, which kinda makes up for it.
Size, I was thinking about 1u or an appliance. Power, I would hope for something less than my c2758 draws.
I guess a reiteration of specs based on what I think now:
- Cheaper than QuickAssist hardware
- 1u or possibly desktop, 1u preferred
- Probably going to be Linux
- Prefer Intel
- 2x Intel gigabit NICs
- Ability to boot from DHCP or USB/mSATA
- Start with 4G ECC, would like ability for more
- PCIe v3 x8 would be nice, but not required.
- Capable of easily handling gigabit routing and firewall duties.
- Heavy lifting passed through to pfSense VM image (snort, VPN, etc.)
-
> all the heavy lifting is going to be done by the pfSense VM
My advice would be to look at secondhand Haswell-grade processors (i3, et al).
That said, the aforementioned Amazon buy looks to be very cheap/worthwhile for this task.
I would go for an i3 over an Atom because it has AVX2, and that allows some serious speed with DPDK…
-
Hi folks,
there are often two camps when someone is talking about running pfSense VMs: the ones love this and consider it, but the others hate it and don't want to run it in productive networks.
@kroberts
Did you perhaps think about installing OpenBSD and letting pfSense run in a jail? Could be a solution, as I see it.
> Intel CPU
Intel Xeon E3 or Xeon E5 or the new D-1500? That would be great to know at first, for us to come closer to the point and suggest you something.
For what exactly should this pfSense appliance run? Tasks? Users? Throughput?
> Intel nics – 2 of them. I wouldn't mind more being present but don't intend to use them right now.
Tyan S5530
ASRock D-1500 platform
Supermicro D-1500 platform
> 4g RAM, preferably can max at 8
Using ECC RAM can be good because the VPN keys are generated in RAM.
Alix APU 1C4 - little dog
Soekris net6801 (Q4/2015) - small bear
Lanner FW-8895 - great beast
> Use embedded image, log to another box.
In some cases related to security it will be good, but then you can install, as recommended, pfSense on one "normal" box and the Squid, snort, logging and AV tasks on another one.
> At least one 8-lane pcie-v3 slot to handle a 10gbps nic just in case my scenario changes.
HotLava Systems Multiport NICs
High port density and much power by using original Intel chipsets can save money and PCIe slots, as I see it.
> Cheaper than QuickAssist hardware
Ok, at this point I want that we both think about what you really want and/or what you really need! The word "cheap" contingent on 10 GBit/s is here clearly false thinking of yours! 10 GBit/s is not cheap and will not be cheap. Related to the backside of the pfSense, I mean the connection to a DMZ or LAN switch, it will perhaps go, but 10 GBit/s at the front side, the WAN side I mean, we are talking about two different things and both are not cheap!
pfSense is still open source, but this does not mean it can handle every stuff on 35 € hardware.
> 1u or possibly desktop, 1u preferred
> Probably going to be Linux
As a Squid proxy with AV, SquidGuard, snorting and logging, ok, therefore Linux will also be great, perhaps ClearOS or CentOS based. But this is not related to the pfSense hardware you are asking about here.
How urgent is VPN encryption in your scenario?
For how many people do you have to set up this box?
What kind and how much traffic is running through this box?
Is a smaller box for pfSense and a greater one behind this box as a Squid, Snort, AV and logging proxy better for you?
-