How much of a security concern is virtualization
-
of pfsense?
Is it a best practice to use pass-through mode on the WAN interface?
Does it make a difference?
What about LAN interfaces?
All depends on the hypervisor?
-
@MakOwner said in How much of a security concern is virtualization:
All depends on the hypervisor?
Probably.
And mostly : what do you believe ?
It's an easy task to find several serious YouTube videos that will explain that you should never do that, and you'll find as many videos saying that it's just ok.
You work for a bank, and you put the main WAN of the company on a firewall that runs in a VM?
Your professional career will be over before midnight.
At home? Why not, we all had a pfSense in a VM as we had the equipment up and running anyway, doing nothing most of the time (our own desktop PCs).
I stopped doing so, as messing around with systems is my home-job, and the wife doesn't want me to take the entire internet connection down because I've hit 'reboot' somewhere - again.
(small) business: depends. If the hypervisor runs on a file/database/whatever server that has cycles to spare, you could launch a VM. Just be aware: if something somewhere goes wrong, everything goes wrong, taking the connection with it.
Normally, pfSense feels right at home on a small low-budget PC with a good NIC.
-
I tend to favor a bare-metal machine for a firewall in most every circumstance. Most certainly that would be the case (in my view) for any commercial installation. Dedicated firewall appliances are relatively cheap these days.
Maybe in a home network a VM would be okay in my mind, but again, due to how cheap dedicated appliances have become I think their benefit outweighs the cost.
Here's why. With a VM, your Internet connection is dependent upon the Hypervisor and its host. If you need to reboot/restart either, then your Internet is down until both are back up. If you hit a snag during that reboot/restart, then Internet is possibly gone for good until the VM host is restored. While there are workarounds using smartphone hotspots, it would be a pain. However, one big plus with a VM is that if you are running snapshots, it's just a single click to rollback a bad update on your firewall and return to your previous configuration.
That's not to say a single firewall appliance is failure proof either. It can go down or fail to reboot as well. But the odds are usually lower with a dedicated appliance. Plus, you can be more selective with updates there. And it would be really easy to grab some cheap spare PC in an emergency, install pfSense on it, import your config, and you are up and running with Internet. Might be a lot more effort to get a new VM host up and running (say from a major hardware failure).
-
@bmeeks said in How much of a security concern is virtualization:
I tend to favor a bare-metal machine for a firewall in most every circumstance. Most certainly that would be the case (in my view) for any commercial installation. Dedicated firewall appliances are relatively cheap these days.
I agree with this. Been doing it this way for a long time. As your network expands/upgrades you will want to get a new firewall device. While you configure and test the new one, the old one is in place. One day you cut over to the new one, you run and monitor for a bit (1 day, 1 wk, 1 month whatever) then the old one goes on the shelf as a cold spare "Just in case".
At least that's what I do. Problem is you wind up with 3 or 4 devices in the closet as spares :)
-
@mer said in How much of a security concern is virtualization:
Problem is you wind up with 3 or 4 devices in the closet as spares :)
Yeah, been there done that ... have to overcome my hoarder instincts and force myself to get rid of the oldest ones.
-
@bmeeks Heck no, they will be used in the future even if it's just so you can answer questions here :)
(for the record, I have a SG2440 that has been RMAd, 2100, 5100 in the closet at the moment while running on a 4100)
-
@bmeeks said in How much of a security concern is virtualization:
have to overcome my hoarder instincts
Don't ask!
But, yeah, I would not use a VM on the edge. I could never be really sure the hypervisor wouldn't fail to boot and end up with the WAN NIC exposed.
Maybe with a PPPoE WAN....
-
I figure if it's good enough for Netgate, it's good enough for me!
-
@Gertjan said in How much of a security concern is virtualization:
You work for a bank, and you put the main WAN of the company on a firewall that runs in a VM?
Your professional career will be over before midnight.
I don't understand this scenario. As someone who works in fintech, we have one colo running virtual firewalls on ESXi.
Why would a bank have one circuit with one firewall? Would this be just as bad if this was a physical firewall appliance?
-
@stephenw10 said in How much of a security concern is virtualization:
But, yeah, I would not use a VM on the edge. I could never be really sure the hypervisor wouldn't fail to boot and end up with the WAN NIC exposed
I'm really not understanding the why here...
As someone who works for an org that is virtualizing all the things (F5 LTM/GTM, firewalls): sure, I understand the hypervisor being a target, but I'm not understanding the WHY you cannot place virtual instances of appliances on the edge.
-
@michmoor said in How much of a security concern is virtualization:
Sure, I understand the hypervisor being a target, but I'm not understanding the WHY you cannot place virtual instances of appliances on the edge.
The potential problems are in a few areas. Found this website that lists what it considers as the top 8 concerns: https://www.liquidweb.com/kb/virtualization-security-issues-and-risks/.
Also found a decent writeup here of potential virtualization risks: https://bilginc.com/en/blog/can-virtualization-be-a-security-risk-5866/.
I would just have problems sleeping well at night if my butt and reputation were on the line with a virtualized firewall in an enterprise environment. Lots of additional things to worry about unless the firewall was the ONLY virtual machine on the host, and if that's the case, why not just use bare metal?
Finally, the holy grail of cybersecurity is to reduce the potential attack surface of systems (particularly firewalls). Eliminating as many extra installed software apps as possible on the machine is a great way of doing this. But virtualizing can do exactly the opposite, as you are adding additional layers of software via the hypervisor and its management systems (think VMware's vCenter server) and thus potentially increasing the attack surface.
-
Because however you configure NIC in the hypervisor it is initially owned by the hypervisor before the VM ever comes up. In the event of some power failure or hardware failure where the hypervisor is rebooted but doesn't complete boot can you be sure the external NIC is not exposed? That's the risk as I see it.
-
Agree with @stephenw10. Can you be 100% sure in the hypervisor world that your WAN would "fail open" if something went sideways with either the firewall VM or the hypervisor itself?
You can be reasonably sure that in the bare-metal world, if the OS does not boot (meaning the firewall does not start), the WAN will indeed "fail open".
-
Not sure I follow. If the VM doesn't start, that's one thing. ESXi (or any hypervisor) owning the NIC still doesn't mean a security concern unless I'm missing something. NIC1 is facing the internet. NIC1 is owned by the firewall. Firewall doesn't boot or is turned off. How is NIC1 a security concern?
-
It's if the hypervisor fails to boot or for some other reason changes how the NIC is configured.
-
@stephenw10
Hypervisor failing to boot is one thing. The NIC would have no way of grabbing an IP. Who/what is connecting to this that's able to talk to the NIC at Layer 3 at that point? Layer 2, then I guess your ISP is compromised, but gosh, the failure of events that would require, and to target a specific account. But then how would anyone deliver a payload to the server?
If someone misconfigured the NIC and it no longer belongs to the firewall VM and instead belongs to an external server, that's the only situation I see being a legit concern, but it would be no different than a server living on a DMZ and having an IP misconfigured. Exposure is exposure regardless.
The Dell server or SuperMicro or insert physical hardware isn't exposed to the internet at all... unless someone cables up the IPMI to the internet.....
I don't think these are far-fetched situations, but highly unlikely.
-
IF accessing the OS of anything via a NIC (misconfigured or not, virtual or not) was really a concern or possible then this is all moot. This wouldn't be a virtualization problem but rather a general problem with all devices on a network.
-
I agree, unlikely. That is the nature of the risk though, at least as far as I understand it.
Less of a security risk but, for me, a bigger reason not to run as a VM is that I want to be able to reboot the hypervisor without rebooting the firewall. Or that during a full power failure the DHCP server etc. is not dependent on the hypervisor booting first. Both of those are likely mitigated by having a distributed virtual environment of some sort. Personally I don't have that.
-
@stephenw10 and I are not trying to say pfSense in a virtual machine is inherently bad, or that using it that way is incorrect. We are saying that particular method of operation does not appeal to us, and then giving some reasons why we feel that way.
I did cybersecurity for nuclear power plant control networks, and my designs and operating procedures had to pass scrutiny by a bunch of federal regulators (the Nuclear Regulatory Commission's cyber specialists to be specific). During a preliminary audit before the federal cyber rule for nuclear power took full effect, they made me remove a KVM switch that was used so that two servers in the same cabinet rack could share a monitor and keyboard. The KVM had no remote access, and was located in a locked room and in a locked rack cabinet in that locked room. And the locked room was buried in the most physically secure part of the nuclear plant that required badge scan and hand scanner verification to enter that section of the plant. You had to get past an armed security officer who was posted there 24x7 in order to enter that area of the facility. Even with all that, they judged the KVM not secure enough as it "connected" two servers on two different networks even though it was only keyboard, mouse, and VGA monitor.
So, I'm naturally paranoid and a bit old-school. That's why I feel more comfortable with my firewall on bare-metal hardware. The setup in that particular room was a pair of HA Checkpoint dedicated firewall appliances.
-
@stephenw10 I should have made more popcorn for this post :)
Now I get to ramble a bit ...
I have run various firewall products (predominantly pfsense because of some interesting things I can do with multiple ISP accounts that have been much harder for me with other products).
Almost all of them have run virtualized because it was just easier.
I have never run anything of interest or value behind them other than desktops, some storage and a webserver with simple flat pages for my personal use when away from home.
Even if someone broke in, they weren't going to find anything of value short of 10+ year old hardware to use as a platform for something else.
Much better pickings elsewhere.
I have some domains that I have been carrying around with me for years -- one of them from way back when I got a domain name for a BBS I ran for e-mail/usenet/fidonet via k-band satellite.
I want to put them to use that will be a bit more high profile -- I want to set up a mail server and cloud storage for extended family and some select friends.
With those types of services exposed, I expect a bit more attention than the script-kiddie bots probing ssh ports and known vulnerabilities in webservers - thus my sudden concern with security.
I recently moved one of my setups from virtual to physical -- @stephenw10 answered a lot of questions around the recovery process and issues -- thank you @stephenw10 !
(Which was kind of embarrassing to be honest ... being the mechanic with the broken down car, so to speak :) Disaster recovery for enterprise has been my day job for ... well, a long time.)
In my case I run physical (now) for the account directly behind my seat while I work - the virtualized gateways are in another building, and I have a 10gb link between the buildings and the virtualized gateways are running on hardware with enterprise licensed iDRAC.
Once you get to iDRAC 8 or later ... it's very convenient and I have become very spoiled -- I can shut down and start up the entire critical infrastructure from my desk.
I have a /29 from the ISP that serves that building.
5 functional static IPs on a fiber connection, unlike the previous ISP <cough>Frontier<cough> who couldn't provide a modem with bridge mode and the /29 was only 4 functional IPs...
(Sorry, rant over -- I said I was going to ramble!)
So... having rambled through all that ....
My plan is to set up a cloud server and a mail server on separate domains -- using pfsense as the firewall for each.
I'm trying to figure out the least risky way to do this, and at present my best hardware option is virtualization.
I'm currently using VMware 7, been using VMware for way longer than I'd care to admit, but I am by no means an SME on VMware.
I have just shut down an older ESXi server to load proxmox to begin a learning process... I'm sure everyone knows why.
With VMware and the hardware I have, I can pass through the NICs to the VMs.
Or, I can leave them virtualized and set up dedicated vSwitches - that's my current configuration.
Given that billboard of text and my reasons for doing this - anyone have input?
(Other than quit posting billboards.)
Edit: BTW... If everyone says run from virtualization ...
Although I don't see getting enough for all 5 IPs I can probably justify at least one more Supermicro X10SLH-N6-ST031, if I take the SO shopping...
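The worry raised earlier in the thread (the hypervisor, not the firewall VM, owning the WAN NIC if the VM never comes up) and the OP's passthrough-versus-vSwitch question can both be checked on the host rather than argued about. The script below is an added example, not code from any poster, pfSense, Proxmox or VMware: it audits a Linux hypervisor host with Proxmox-style Linux bridges (the platform the OP is moving to) for three host-side states in which the WAN segment would not fail closed: a global-scope address on the WAN NIC or its bridge, the WAN NIC enslaved to the management bridge, and IP forwarding enabled on the host. It parses the JSON from `ip -j addr show` and the value of `sysctl -n net.ipv4.ip_forward`; the interface names (eno1, eno2, vmbr0, vmbr1), the 203.0.113.0/29 WAN block and both sample outputs are constructed for the example.

```python
"""Audit a Linux hypervisor host for a WAN link that does not "fail closed".

Added example for this thread; not code from pfSense, Proxmox, VMware or any
poster. It reads the JSON that iproute2 prints for `ip -j addr show` plus the
value of `sysctl -n net.ipv4.ip_forward`, and flags states in which the
hypervisor itself, not the firewall VM, is reachable on or can route across
the WAN segment. Interface names, the 203.0.113.0/29 block and both JSON
samples are constructed.
"""
import json
import subprocess

# Constructed: a host where the admin gave the WAN bridge an address "to test
# connectivity" and left forwarding on. Only the fields the audit reads are kept.
WEAK_HOST_IP_JSON = json.dumps([
    {"ifname": "lo", "addr_info": [
        {"family": "inet", "local": "127.0.0.1", "prefixlen": 8, "scope": "host"}]},
    {"ifname": "eno1", "master": "vmbr0", "addr_info": []},   # management/LAN NIC
    {"ifname": "eno2", "master": "vmbr1", "addr_info": []},   # WAN NIC
    {"ifname": "vmbr0", "addr_info": [
        {"family": "inet", "local": "192.168.1.10", "prefixlen": 24, "scope": "global"}]},
    {"ifname": "vmbr1", "addr_info": [                        # WAN bridge
        {"family": "inet", "local": "203.0.113.10", "prefixlen": 29, "scope": "global"},
        {"family": "inet6", "local": "fe80::1", "prefixlen": 64, "scope": "link"}]},
])
WEAK_HOST_IP_FORWARD = "1\n"

# Constructed: the same host after the fix. vmbr1 keeps only the kernel's
# link-local IPv6 address (scope "link"), which is not reachable beyond the link.
HARDENED_HOST_IP_JSON = json.dumps([
    {"ifname": "lo", "addr_info": [
        {"family": "inet", "local": "127.0.0.1", "prefixlen": 8, "scope": "host"}]},
    {"ifname": "eno1", "master": "vmbr0", "addr_info": []},
    {"ifname": "eno2", "master": "vmbr1", "addr_info": []},
    {"ifname": "vmbr0", "addr_info": [
        {"family": "inet", "local": "192.168.1.10", "prefixlen": 24, "scope": "global"}]},
    {"ifname": "vmbr1", "addr_info": [
        {"family": "inet6", "local": "fe80::1", "prefixlen": 64, "scope": "link"}]},
])
HARDENED_HOST_IP_FORWARD = "0\n"


def audit_wan(ip_addr_json, wan_ifaces, mgmt_bridge, ip_forward):
    """Return a list of findings (strings); an empty list means the host passes."""
    findings = []
    links = {link["ifname"]: link for link in json.loads(ip_addr_json)}
    for name in sorted(wan_ifaces):
        link = links.get(name)
        if link is None:
            # Catches a typo in the name. A PCI-passed-through NIC is also absent
            # from the host's view, so list only host-owned NICs and bridges here.
            findings.append(f"{name}: interface not present on host")
            continue
        # 1. The host must not hold a routable address on anything WAN-facing.
        for addr in link.get("addr_info", []):
            if addr.get("scope") == "global":
                findings.append(
                    f"{name}: host holds global {addr['family']} address "
                    f"{addr['local']}/{addr['prefixlen']} on the WAN side")
        # 2. The WAN NIC must not be a port of the management/LAN bridge.
        if link.get("master") == mgmt_bridge:
            findings.append(
                f"{name}: enslaved to {mgmt_bridge}, WAN and management share a broadcast domain")
    # 3. With forwarding on, the host kernel can route between bridges itself.
    if ip_forward.strip() != "0":
        findings.append(
            "net.ipv4.ip_forward=1: host can route between bridges, bypassing the firewall VM")
    return findings


def audit_live_host(wan_ifaces, mgmt_bridge):
    """Run the same audit on the host this script runs on (needs iproute2 and sysctl)."""
    ip_json = subprocess.run(["ip", "-j", "addr", "show"],
                             capture_output=True, text=True, check=True).stdout
    fwd = subprocess.run(["sysctl", "-n", "net.ipv4.ip_forward"],
                         capture_output=True, text=True, check=True).stdout
    return audit_wan(ip_json, wan_ifaces, mgmt_bridge, fwd)


if __name__ == "__main__":
    wan, mgmt = {"eno2", "vmbr1"}, "vmbr0"
    for label, js, fwd in (("weak", WEAK_HOST_IP_JSON, WEAK_HOST_IP_FORWARD),
                           ("hardened", HARDENED_HOST_IP_JSON, HARDENED_HOST_IP_FORWARD)):
        print(f"{label}: {audit_wan(js, wan, mgmt, fwd) or ['no findings']}")
```

`audit_live_host({"eno2", "vmbr1"}, "vmbr0")` runs the checks on a real host. With PCI passthrough the WAN NIC never appears in the host's interface list at all, which is exactly what passthrough buys you, so only host-owned NICs and bridges belong in that set. On ESXi the same three questions apply to the WAN vSwitch (does it carry a VMkernel port, does it share an uplink with management, can the host itself forward), but the commands to answer them differ.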