General security / architecture question for virtualization
-
Hello there beautiful pf-community,
not to start the infamous discussion regarding the virtualization of firewalls, I read this:
https://docs.netgate.com/pfsense/en/latest/recipes/virtualize-proxmox-ve.html
And I was a bit surprised that this way gets suggested instead of dedicated hardware passthrough. From my limited understanding, I would assume that a passthrough is more secure? However, I cannot underpin this assumption.
Maybe someone wants to elaborate on this and share his/her knowledge.
Many thanks in advance
-
@brucie PCI passthrough is more complex to set up and outside the scope of what the guide is trying to accomplish. The virtio NIC drivers are pretty fast, so you're not losing a lot by virtualizing the NICs.
-
@brucie
I think it depends on your hardware resources and what else you are using your Proxmox system for. I have hardware with many physical NICs mostly used as a pfSense machine but running under Proxmox so some other less critical functions can use the same hardware. For that use case NIC passthrough makes sense. It minimises the attack surface of the firewall and optimises the performance (for a virtual pfSense implementation).
At the other extreme, if I had a Proxmox server farm with redundancy running many virtual machines, and pfSense was just one of many virtual machines, then I would not consider using NIC passthrough.
Passthrough is also a non-standard feature of hypervisors, so as a basic setup, it makes sense to not include it.
-
@patch said in General security / architecture question for virtualization:
@brucie
It minimises the attack surface of the firewall and optimises the performance (for a virtual pfSense implementation).
Thank you - can you maybe please elaborate on this specifically: what is the attack surface?
Thank you - as mentioned above, I am looking at the pure security perspective and try to realize what the actual risk is if virtualized, compared to bare metal.
Considering Netgate has its own guide, virtualizing does not seem oddly crazy, however these are wild guesses.
Many thanks in advance and have a nice weekend
-
@brucie
All software has bugs and security vulnerabilities.
With pfSense running on bare metal the possible locations for bugs are:
- Hardware
- pfSense (FreeBSD retained code, Netgate code)
- pfSense user customisation / added packages
Note Netgate removes non-essential components from FreeBSD to reduce vulnerabilities / minimise the attack surface.
With virtualisation you add:
- Proxmox (Debian 11.3 retained code, QEMU 6.2, Proxmox code)
The most exposed of which to external attack is probably the WAN port which is why some pass through at least the WAN NIC.
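As an added illustration (not from any poster in this thread) of the split layout described above, here is a constructed Proxmox VM config for a pfSense guest whose WAN NIC is passed through with vfio while the LAN side stays on a virtio NIC. The VM id, PCI address, MAC address, bridge name and disk are placeholders you would replace with your own.

```ini
# /etc/pve/qemu-server/100.conf  (constructed example, not a real VM)
# WAN: the physical NIC at 0000:01:00.0 is handed to the guest via vfio,
#      so neither the host bridge nor QEMU's virtio path sits in front of
#      the Internet-facing port.
# LAN: a plain virtio NIC on bridge vmbr1, shared with the other VMs.
name: pfsense
ostype: other
machine: q35
cores: 2
memory: 2048
scsihw: virtio-scsi-pci
scsi0: local-lvm:vm-100-disk-0,size=16G
hostpci0: 0000:01:00.0,pcie=1
net0: virtio=BC:24:11:00:00:01,bridge=vmbr1
```

Before `hostpci0` will start, the host kernel needs the IOMMU enabled on its command line (`intel_iommu=on` or `amd_iommu=on`) and the `vfio`, `vfio_iommu_type1` and `vfio_pci` modules loaded, and the NIC should sit in its own IOMMU group so no other host device is dragged into the guest with it.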