How much of a security concern is virtualization
-
@bmeeks said in How much of a security concern is virtualization:
have to overcome my hoarder instincts
Don't ask!
But, yeah, I would not use a VM on the edge. I could never be really sure the hypervisor wouldn't fail to boot and end up with the WAN NIC exposed.
Maybe with a PPPoE WAN....
-
I figure if it's good enough for Netgate, it's good enough for me!
-
@Gertjan said in How much of a security concern is virtualization:
You work for a bank, and you put the main WAN of the company on a firewall that runs in a VM ?
Your professional career will be over before midnight.
I don't understand this scenario. As someone who works in fintech, we have one colo running virtual firewalls on ESXi.
Why would a bank have one circuit with one firewall? Would this be just as bad if this was a physical firewall appliance?
-
@stephenw10 said in How much of a security concern is virtualization:
But, yeah, I would not use a VM on the edge. I could never be really sure the hypervisor wouldn't fail to boot and end up with the WAN NIC exposed
I'm really not understanding the why here...
As someone who works for an org that is virtualizing all the things (F5 LTM/GTM, firewalls): sure, I understand the hypervisor being a target, but I'm not understanding WHY you cannot place virtual instances of appliances on the edge.
-
@michmoor said in How much of a security concern is virtualization:
Sure, I understand the hypervisor being a target, but I'm not understanding WHY you cannot place virtual instances of appliances on the edge.
The potential problems are in a few areas. Found this website that lists what it considers as the top 8 concerns: https://www.liquidweb.com/kb/virtualization-security-issues-and-risks/.
Also found a decent writeup here of potential virtualization risks: https://bilginc.com/en/blog/can-virtualization-be-a-security-risk-5866/.
I would just have problems sleeping well at night if my butt and reputation were on the line with a virtualized firewall in an enterprise environment. Lots of additional things to worry about unless the firewall was the ONLY virtual machine on the host, and if that's the case, why not just use bare metal?
Finally, the holy grail of cybersecurity is to reduce the potential attack surface of systems (particularly firewalls). Eliminating as many extra installed software apps as possible on the machine is a great way of doing this. But virtualizing can do exactly the opposite, as you are adding additional layers of software via the hypervisor and its management systems (think VMware's vCenter server) and thus potentially increasing the attack surface.
-
Because however you configure the NIC in the hypervisor, it is initially owned by the hypervisor before the VM ever comes up. In the event of some power failure or hardware failure where the hypervisor is rebooted but doesn't complete boot, can you be sure the external NIC is not exposed? That's the risk as I see it.
-
Agree with @stephenw10. Can you be 100% sure in the hypervisor world that your WAN would "fail open" if something went sideways with either the firewall VM or the hypervisor itself?
You can be reasonably sure that in the bare-metal world, if the OS does not boot (meaning the firewall does not start), the WAN will indeed "fail open".
-
Not sure I follow. If the VM doesn't start, that's one thing. ESXi (or any hypervisor) owning the NIC still doesn't mean a security concern unless I'm missing something. NIC1 is facing the internet. NIC1 is owned by the firewall. The firewall doesn't boot or is turned off. How is NIC1 a security concern?
-
It's if the hypervisor fails to boot or for some other reason changes how the NIC is configured.
-
@stephenw10
Hypervisor failing to boot is one thing. The NIC would have no way of grabbing an IP. Who/what is connecting to this that's able to talk to the NIC at Layer 3 at that point? Layer 2, then I guess your ISP is compromised, but gosh, the failure of events that would require, and to target a specific account. But then how would anyone deliver a payload to the server?
If someone misconfigured the NIC and it no longer belongs to the firewall VM and instead belongs to an external server, that's the only situation I see being a legit concern, but it would be no different than a server living on a DMZ and having an IP misconfigured. Exposure is exposure regardless.
The Dell server or SuperMicro or insert physical hardware isn't exposed to the internet at all... Unless someone cables up the IPMI to the internet.....
I don't think these are far-fetched situations, but highly unlikely.
-
IF accessing the OS of anything via a NIC (misconfigured or not, virtual or not) was really a concern or possible, then this is all moot. This wouldn't be a virtualization problem but rather a general problem with all devices on a network.
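The question @stephenw10 and @michmoor are going back and forth on is whether the hypervisor host itself has any presence on the WAN link before the firewall VM is up. The check below is an added example, not code from this thread or from any of the products mentioned: it reads the JSON that `ip -j addr show` prints on a Linux hypervisor such as Proxmox (the two samples are constructed, and the names eno2 and vmbr1 are assumptions) and reports any host-owned address on the WAN NIC or on a bridge carrying it, which is exactly the misconfiguration case @michmoor describes.

```python
import json

# Constructed sample in the shape of `ip -j addr show` output (not captured
# from a real host). eno1 is the management NIC on bridge vmbr0; eno2 is the
# WAN NIC handed to the firewall VM through bridge vmbr1, with no host address.
GOOD_HOST_JSON = json.dumps([
    {"ifname": "eno1", "flags": ["UP", "LOWER_UP"], "master": "vmbr0", "addr_info": []},
    {"ifname": "vmbr0", "flags": ["UP", "LOWER_UP"], "addr_info": [
        {"family": "inet", "local": "192.0.2.10", "prefixlen": 24, "scope": "global"}]},
    {"ifname": "eno2", "flags": ["UP", "LOWER_UP"], "master": "vmbr1", "addr_info": []},
    {"ifname": "vmbr1", "flags": ["UP", "LOWER_UP"], "addr_info": []},
])

# Same host after a misconfiguration (also constructed): an address landed on
# the WAN bridge and the kernel auto-assigned a link-local IPv6 address to eno2.
BAD_HOST_JSON = json.dumps([
    {"ifname": "eno2", "flags": ["UP", "LOWER_UP"], "master": "vmbr1", "addr_info": [
        {"family": "inet6", "local": "fe80::1", "prefixlen": 64, "scope": "link"}]},
    {"ifname": "vmbr1", "flags": ["UP", "LOWER_UP"], "addr_info": [
        {"family": "inet", "local": "203.0.113.5", "prefixlen": 29, "scope": "global"}]},
])


def _addrs(iface, scopes=("global",)):
    """Addresses on one interface record, filtered by address scope."""
    return [f"{a['local']}/{a['prefixlen']}" for a in iface.get("addr_info", [])
            if a.get("scope") in scopes]


def audit_wan_nic(ip_json, wan_ifname):
    """Findings about what the hypervisor host itself owns on the WAN NIC.

    An empty list means the host has no layer-3 presence on that link, so a
    hypervisor that boots without the firewall VM exposes nothing there.
    """
    ifaces = {i["ifname"]: i for i in json.loads(ip_json)}
    wan = ifaces.get(wan_ifname)
    if wan is None:
        # Not in the host namespace at all: consistent with PCI passthrough
        # (vfio-pci), where only the firewall VM ever drives the NIC.
        return []
    findings = [f"host owns global address {a} on {wan_ifname}" for a in _addrs(wan)]
    findings += [f"host reachable at layer 2 via link-local {a} on {wan_ifname}"
                 for a in _addrs(wan, scopes=("link",))]
    bridge = ifaces.get(wan.get("master", ""), {})   # bridge the NIC is enslaved to
    findings += [f"host bridge {wan['master']} carrying {wan_ifname} has address {a}"
                 for a in _addrs(bridge)]
    return findings


if __name__ == "__main__":
    for label, data in (("clean", GOOD_HOST_JSON), ("misconfigured", BAD_HOST_JSON)):
        print(label, audit_wan_nic(data, "eno2") or ["no host exposure on eno2"])
```

Run it on a live host with `ip -j addr show | python3 audit.py` style plumbing, or schedule it so a drift in the bridge configuration shows up before the next unplanned reboot.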
-
I agree, unlikely. That is the nature of the risk, though, at least as far as I understand it.
Less of a security risk, but, for me, a bigger reason not to run as a VM is that I want to be able to reboot the hypervisor without rebooting the firewall. Or that during a full power failure the DHCP server etc. is not dependent on the hypervisor booting first. Both of those are likely mitigated by having a distributed virtual environment of some sort. Personally I don't have that.
-
@stephenw10 and I are not trying to say pfSense in a virtual machine is inherently bad, or that using it that way is incorrect. We are saying that particular method of operation does not appeal to us, and then giving some reasons why we feel that way.
I did cybersecurity for nuclear power plant control networks, and my designs and operating procedures had to pass scrutiny by a bunch of federal regulators (the Nuclear Regulatory Commission's cyber specialists to be specific). During a preliminary audit before the federal cyber rule for nuclear power took full effect, they made me remove a KVM switch that was used so that two servers in the same cabinet rack could share a monitor and keyboard. The KVM had no remote access, and was located in a locked room and in a locked rack cabinet in that locked room. And the locked room was buried in the most physically secure part of the nuclear plant that required badge scan and hand scanner verification to enter that section of the plant. You had to get past an armed security officer who was posted there 24x7 in order to enter that area of the facility. Even with all that, they judged the KVM not secure enough as it "connected" two servers on two different networks even though it was only keyboard, mouse, and VGA monitor.
So, I'm naturally paranoid and a bit old-school. That's why I feel more comfortable with my firewall on bare-metal hardware. The setup in that particular room was a pair of HA Checkpoint dedicated firewall appliances.
-
@stephenw10 I should have made more popcorn for this post :)
Now I get to ramble a bit ...
I have run various firewall products (predominantly pfSense because of some interesting things I can do with multiple ISP accounts that have been much harder for me with other products).
Almost all of them have run virtualized because it was just easier.
I have never run anything of interest or value behind them other than desktops, some storage and a webserver with simple flat pages for my personal use when away from home. Even if someone broke in, they weren't going to find anything of value short of 10+ year old hardware to use as a platform for something else.
Much better pickings elsewhere.
I have some domains that I have been carrying around with me for years -- one of them from way back when I got a domain name for a BBS I ran for e-mail/usenet/fidonet via K-band satellite.
I want to put them to use that will be a bit more high profile -- I want to set up a mail server and cloud storage for extended family and some select friends.
With those types of services exposed, I expect a bit more attention than the script-kiddie bots probing ssh ports and known vulnerabilities in webservers - thus my sudden concern with security.
I recently moved one of my setups from virtual to physical -- @stephenw10 answered a lot of questions around the recovery process and issues -- thank you @stephenw10!
(Which was kind of embarrassing to be honest ... being the mechanic with the broken down car, so to speak :) Disaster recovery for enterprise has been my day job for ... well, a long time.)
In my case I run physical (now) for the account directly behind my seat while I work - the virtualized gateways are in another building, and I have a 10gb link between the buildings and the virtualized gateways are running on hardware with enterprise licensed iDRAC.
Once you get to iDRAC 8 or later ... it's very convenient and I have become very spoiled -- I can shut down and start up the entire critical infrastructure from my desk.
I have a /29 from the ISP that serves that building.
5 functional static IPs on a fiber connection, unlike the previous ISP <cough>Frontier<cough> who couldn't provide a modem with bridge mode and the /29 was only 4 functional IPs...
(Sorry, rant over -- I said I was going to ramble!)
So... having rambled through all that ....
My plan is to set up a cloud server and a mail server on separate domains -- using pfSense as the firewall for each.
I'm trying to figure out the least risky way to do this, and at present my best hardware option is virtualization.
I'm currently using VMware 7, been using VMware for way longer than I'd care to admit, but I am by no means an SME on VMware.
I have just shut down an older ESXi server to load Proxmox to begin a learning process... I'm sure everyone knows why.
With VMware and the hardware I have, I can pass through the NICs to the VMs.
Or, I can leave them virtualized and set up dedicated vSwitches - that's my current configuration.
Given that billboard of text and my reasons for doing this - anyone have input?
(Other than quit posting billboards.)
Edit: BTW... If everyone says run from virtualization ...
Although I don't see getting enough for all 5 IPs, I can probably justify at least one more Supermicro X10SLH-N6-ST031, if I take the SO shopping...
-
@MakOwner said in How much of a security concern is virtualization:
I should have made more popcorn for this post :)
Ha! Yup people have strong opinions.
Personally I would use a hardware firewall in front of a hypervisor cluster like that. Probably an HA pair of hardware firewalls if you need the uptime.
-
You ever run Xenix on a VM? ... I have, I love it. Wish I could get the network card to work on it, the virtual version of it. That's where I am stuck. Yes, off topic, sorry.
-
I don't have a problem using ESXi for pfSense.
Matter of fact, our UPS system at the headend went down, INOP, at the same time the power company was switching over to LNG generators. We had about 3 months of hell with loss of power to the facility, sometimes 3, 4 times per day and in quick succession.
I ran pfSense on bare metal hardware and that failed, so I used an HP 360 server with ESXi 8 for pfSense only. Installed pass-through network cards, configured snapshots, etc., and I gotta tell you, that server and the hypervisor took it all in terms of random power loss and rebooting. No problem at all, and if pfSense didn't boot, it was an added benefit of being able to log into the ESXi server and start up pfSense or restore a snapshot. However, the only VM was pfSense, so the full set of resources could be allocated.
I'm also running a Harmonic NMX system for a DVB-T2 system which uses Windows 2000, and they said it can't be done. Here again, because of what it is, no other VMs are running on that server, and here again with all the power loss and rebooting, like I said sometimes 2, 3 times a day, I have to take my hat off to VMware and their hypervisor. No problems, no issues. Comes right back up and look, I actually have fingernails again!
-
@JonathanLee
Never run it in a VM.
But I can also tell you about doing backups of an AS/400 on 16TPI reel to reel tapes.
System/1, System/36 and System/384 backups to floppies.
Data conversion of EBCDIC to ASCII with packed fields.
Somewhat fun times.
I feel old all of a sudden.
-
@starcodesystems said in How much of a security concern is virtualization:
I don't have a problem using ESXi for pfSense.
Matter of fact, our UPS system at the headend went down, INOP, at the same time the power company was switching over to LNG generators. We had about 3 months of hell with loss of power to the facility, sometimes 3, 4 times per day and in quick succession.
I'm also running a Harmonic NMX system for a DVB-T2 system which uses Windows 2000, and they said it can't be done. Here again, because of what it is, no other VMs are running on that server, and here again with all the power loss and rebooting, like I said sometimes 2, 3 times a day, I have to take my hat off to VMware and their hypervisor. No problems, no issues. Comes right back up and look, I actually have fingernails again!
And this is why I have a love/hate relationship with VMware.
I'm in an area with especially sketchy power -- I get more over-voltage spikes than we get power loss events. I and the delivery provider know why, they just haven't been sued enough to fix it <sigh>.
I'm a bigger threat to stability changing stuff in VMware than my hardware and filesystems are.
Backups, backups, backups, and practice your recovery!
-
@MakOwner said in How much of a security concern is virtualization:
I'm a bigger threat to stability changing stuff in VMware than my hardware and filesystems are.
Ha. Same!