How much of a security concern is virtualization
-
@stephenw10
Hypervisor failing to boot is one thing. The NIC would have no way of grabbing an IP. Who/what is connecting to this that's able to talk to the NIC at Layer 3 at that point? Layer 2, then I guess your ISP is compromised, but gosh, the failure of events that would require, and to target a specific account. But then how would anyone deliver a payload to the server?
If someone misconfigured the NIC and it no longer belongs to the firewall VM and instead belongs to an external server, that's the only situation I see being a legit concern, but it would be no different than a server living on a DMZ and having an IP misconfigured. Exposure is exposure regardless. The Dell server or SuperMicro or insert physical hardware isn't exposed to the internet at all... Unless someone cables up the IPMI to the internet.....
I don't think these are far fetched situations but highly unlikely.
-
IF accessing the OS of anything via a NIC (misconfigured or not, virtual or not) was really a concern or possible then this is all moot. This wouldn't be a virtualization problem but rather a general problem with all devices on a network.
-
I agree, unlikely. That is the nature of the risk though, at least as far as I understand it.
Less of a security risk but, for me, a bigger reason not to run as a VM is that I want to be able to reboot the hypervisor without rebooting the firewall. Or that during a full power failure the DHCP server etc. is not dependent on the hypervisor booting first. Both of those are likely mitigated by having a distributed virtual environment of some sort. Personally I don't have that.
-
@stephenw10 and I are not trying to say pfSense in a virtual machine is inherently bad, or that using it that way is incorrect. We are saying that particular method of operation does not appeal to us, and then giving some reasons why we feel that way.
I did cybersecurity for nuclear power plant control networks, and my designs and operating procedures had to pass scrutiny by a bunch of federal regulators (the Nuclear Regulatory Commission's cyber specialists to be specific). During a preliminary audit before the federal cyber rule for nuclear power took full effect, they made me remove a KVM switch that was used so that two servers in the same cabinet rack could share a monitor and keyboard. The KVM had no remote access, and was located in a locked room and in a locked rack cabinet in that locked room. And the locked room was buried in the most physically secure part of the nuclear plant that required badge scan and hand scanner verification to enter that section of the plant. You had to get past an armed security officer who was posted there 24x7 in order to enter that area of the facility. Even with all that, they judged the KVM not secure enough as it "connected" two servers on two different networks even though it was only keyboard, mouse, and VGA monitor.
So, I'm naturally paranoid and a bit old-school. That's why I feel more comfortable with my firewall on bare-metal hardware. The setup in that particular room was a pair of HA Checkpoint dedicated firewall appliances.
-
@stephenw10 I should have made more popcorn for this post :)
Now I get to ramble a bit... I have run various firewall products (predominantly pfSense, because of some interesting things I can do with multiple ISP accounts that have been much harder for me with other products).
Almost all of them have run virtualized because it was just easier.
I have never run anything of interest or value behind them other than desktops, some storage and a webserver with simple flat pages for my personal use when away from home. Even if someone broke in, they weren't going to find anything of value short of 10+ year old hardware to use as a platform for something else.
Much better pickings elsewhere.
I have some domains that I have been carrying around with me for years -- one of them from way back when I got a domain name for a BBS I ran for e-mail/usenet/fidonet via K-band satellite.
I want to put them to use that will be a bit more high profile -- I want to set up a mail server and cloud storage for extended family and some select friends.
With those types of services exposed, I expect a bit more attention than the script-kiddie bots probing ssh ports and known vulnerabilities in webservers - thus my sudden concern with security.
I recently moved one of my setups from virtual to physical -- @stephenw10 answered a lot of questions around the recovery process and issues -- thank you @stephenw10 !
(Which was kind of embarrassing to be honest... being the mechanic with the broken down car, so to speak :) Disaster recovery for enterprise has been my day job for... well, a long time.)
In my case I run physical (now) for the account directly behind my seat while I work -- the virtualized gateways are in another building, and I have a 10gb link between the buildings, and the virtualized gateways are running on hardware with enterprise licensed iDRAC.
Once you get to iDRAC 8 or later... it's very convenient and I have become very spoiled -- I can shut down and start up the entire critical infrastructure from my desk.
I have a /29 from the ISP that serves that building.
5 functional static IPs on a fiber connection, unlike the previous ISP <cough>Frontier<cough> who couldn't provide a modem with bridge mode, and the /29 was only 4 functional IPs...
(Sorry, rant over -- I said I was going to ramble!)
So... having rambled through all that....
My plan is to set up a cloud server and a mail server on separate domains -- using pfsense as the firewall for each.
I'm trying to figure out the least risky way to do this, and at present my best hardware option is virtualization.
I'm currently using VMware 7, and have been using VMware for way longer than I'd care to admit, but I am by no means an SME on VMware.
I have just shut down an older ESXi server to load Proxmox to begin a learning process... I'm sure everyone knows why.
With VMware and the hardware I have, I can pass through the NICs to the VMs.
Or, I can leave them virtualized and set up dedicated vSwitches -- that's my current configuration.
Given that billboard of text and my reasons for doing this - anyone have input?
(Other than quit posting billboards.)
Edit: BTW... If everyone says run from virtualization...
Although I don't see getting enough for all 5 IPs I can probably justify at least one more Supermicro X10SLH-N6-ST031, if I take the SO shopping... -
@MakOwner said in How much of a security concern is virtualization:
I should have made more popcorn for this post :)
Ha! Yup people have strong opinions.
Personally I would use a hardware firewall in front of a hypervisor cluster like that. Probably an HA pair of hardware firewalls if you need the uptime.
-
You ever run Xenix on a VM? I have. I love it, wish I could get the network card to work on the virtual version of it. That's where I am stuck. Yes, off topic, sorry.
-
I don't have a problem using ESXi for pfSense.
Matter of fact, our UPS system at the headend went down, INOP, at the same time the power company was switching over to LNG generators. We had about 3 months of hell with loss of power to the facility, sometimes 3, 4 times per day and in quick succession.
I ran pfSense on bare metal hardware and that failed, so I used an HP 360 server with ESXi 8 for pfSense only. Installed pass-through network cards, configured snapshots, etc., and I gotta tell you, that server and the hypervisor took it all in terms of random power loss and rebooting. No problem at all, and if pfSense didn't boot, there was the added benefit of being able to log into the ESXi server and start up pfSense or restore a snapshot. However, the only VM was pfSense so the full set of resources could be allocated.
I'm also running a Harmonic NMX system for a DVB-T2 system which uses Windows 2000, and they said it can't be done. Here again, because of what it is, no other VMs are running on that server, and here again with all the power loss and rebooting, like I said sometimes 2, 3 times a day, I have to take my hat off to VMware and their hypervisor. No problems, no issues. Comes right back up and look, I actually have fingernails again!
-
@JonathanLee
Never run it in a VM.
But I can also tell you about doing backups of an AS/400 on 16TPI reel-to-reel tapes.
System/1, System/36 and System/384 backups to floppies.
Data conversion of EBCDIC to ASCII with packed fields.
Somewhat fun times.
I feel old all of a sudden.
-
@starcodesystems said in How much of a security concern is virtualization:
I don't have a problem using ESXi for pfSense.
Matter of fact, our UPS system at the headend went down, INOP, at the same time the power company was switching over to LNG generators. We had about 3 months of hell with loss of power to the facility, sometimes 3, 4 times per day and in quick succession.
I'm also running a Harmonic NMX system for a DVB-T2 system which uses Windows 2000, and they said it can't be done. Here again, because of what it is, no other VMs are running on that server, and here again with all the power loss and rebooting, like I said sometimes 2, 3 times a day, I have to take my hat off to VMware and their hypervisor. No problems, no issues. Comes right back up and look, I actually have fingernails again!
And this is why I have a love/hate relationship with VMware.
I'm in an area with especially sketchy power -- I get more over-voltage spikes than we get power loss events. I and the delivery provider know why; they just haven't been sued enough to fix it <sigh>.
I'm a bigger threat to stability changing stuff in VMware than my hardware and filesystems are.
Backups, backups, backups, and practice your recovery!
-
@MakOwner said in How much of a security concern is virtualization:
I'm a bigger threat to stability changing stuff in VMware than my hardware and filesystems are.
Ha. Same!
-
@stephenw10
My first recovery test of the new setup went .... badly.
I'll start another thread for that. -
I'd go with bare metal. The more software running on a box, the greater the security risk. VMs are fine for experimenting, but I wouldn't use one for production. I run pfSense on the miniPC described in my sig. There are plenty of inexpensive similar boxes available.
-
@MakOwner that is amazing. I only recently started to play with FreeBSD jails and Docker containers. They are fun to play with; Kali has a Docker container for pen testing. My greatest fear is a container gets inside of my web caching proxy. So now it has max size limits to mitigate that risk. 3rd party unknown container issues are the biggest problem in cyber security right now: you can't scan for them, they self delete when you find one, they can data marshal a network card, plus the only way to find them is to use OS fingerprinting, and that, let's face it, needs a massive update to work right. It's a big problem.
-
@bmeeks
I suppose it all comes down to what the risk profile is and the threat model derived from it.
Generally speaking, virtualizing a firewall isn't any more of a security concern than virtualizing servers for DMZ purposes.
How confident are you in the hypervisor? VMware, for example: it's safe to say there are very few concerns that it can't properly isolate guests.
Secondly, how confident are you in configuring the virtual appliance correctly? This is of course outside the threat scope of hypervisors, but still.
As of today, 3/15/2024, there are no known risks to virtualizing a firewall short of improper design by an admin, but that would have nothing to do with the technology itself. It would be like blaming pfSense for being accessed over the WAN because your management ports are accessible. Does that mean pfSense is an insecure firewall?
This is indeed a fantastic conversation, which we could have more of in the future.
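A concrete form of the "management ports accessible over the WAN" misconfiguration mentioned above, as an added example that is not from this thread or from the pfSense project: it parses a pfSense-style config.xml and lists enabled WAN pass rules whose destination covers the firewall's own GUI or SSH port. The element names it relies on are assumptions about config.xml's layout, and the sample config is constructed.

```python
"""Added example (not from this thread or the pfSense project): list enabled
WAN pass rules that can reach the firewall's own GUI or SSH port. Element
names (filter/rule, destination/network "(self)", webgui/port, ssh/port) are
assumptions about pfSense's config.xml layout, not a verified schema."""
import xml.etree.ElementTree as ET

# Constructed config.xml fragment: one exposed GUI rule, one disabled
# any/any rule, and one legitimate SSH-from-LAN rule.
SAMPLE_CONFIG = """<pfsense>
  <system>
    <webgui><protocol>https</protocol><port>8443</port></webgui>
    <ssh><enable>enabled</enable><port>22</port></ssh>
  </system>
  <filter>
    <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
      <source><any/></source><destination><network>(self)</network><port>8443</port></destination>
      <descr>oops: webgui from anywhere</descr></rule>
    <rule><disabled/><type>pass</type><interface>wan</interface>
      <source><any/></source><destination><any/></destination>
      <descr>disabled any/any</descr></rule>
    <rule><type>pass</type><interface>lan</interface><protocol>tcp</protocol>
      <source><network>lan</network></source><destination><network>(self)</network><port>22</port></destination>
      <descr>ssh from LAN</descr></rule>
  </filter>
</pfsense>"""


def management_ports(root):
    """Ports the firewall itself listens on for admin: GUI, plus SSH if enabled."""
    ports = {(root.findtext("system/webgui/port") or "443").strip()}
    ssh = root.find("system/ssh")
    if ssh is not None and ssh.find("enable") is not None:
        ports.add((ssh.findtext("port") or "22").strip())
    return ports


def exposed_wan_rules(config_xml):
    """Enabled WAN pass rules whose destination ("(self)" = This Firewall, or any) covers an admin port."""
    root = ET.fromstring(config_xml)
    admin = management_ports(root)
    findings = []
    for rule in root.findall("filter/rule"):
        if (rule.find("disabled") is not None or rule.findtext("type") != "pass"
                or rule.findtext("interface") != "wan"):
            continue
        dst = rule.find("destination")
        to_self = dst.find("any") is not None or dst.findtext("network") == "(self)"
        port = (dst.findtext("port") or "").strip()  # empty port means all ports
        if to_self and (port == "" or port in admin):
            findings.append(rule.findtext("descr") or "<no description>")
    return findings
```

Port ranges and aliases in the destination port field are not expanded here; a rule using them is reported only if the literal field value matches an admin port.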
-
While we all try to define what
How much of a security concern is virtualization
I try to see this as a bucket full of well defined possible known items, and we're looking for the ones missing.
The eternal question is: do we have them all?
Most items in the bucket are classified as the 'tools' we use.
But the biggest item is probably the one that observes the bucket: that's us, the one that is using the tools. I wouldn't be surprised if the most important security issue is: us.
We need a big bucket ^^ -
@JonathanLee said in How much of a security concern is virtualization:
3rd party unknown container issues are the biggest problem in cyber security right now
Says who? The biggest threat to security, any sort, be it physical or cyber - any and all types of security will always be the USER!! Period... You could have the best security on the planet, and a USER will find a way to screw it up..
Random text from unknown: We need your SSN, and 2FA auth key just sent to your phone to let you win a big prize!
user: Here you go!! Also for good measure my blood type is A+, how and when do I get my prize! -
@johnpoz our cyber security professor told us the biggest issues right now are 3rd party containers because of the detection and mitigation issues; they can even self delete. It's flat out invasive 3rd party containers. So in today's world they are becoming a huge issue and I personally agree. They are no joke; they can and have been abused. Think about something getting inside the Windows RE partition for example, and/or in a web cache. Think about how hard they are to scan for and remove, and if you can't do that how can you see what's inside them or detect them on a network? Fingerprinting systems are decades behind where they should be, and other nation state actors know that. How can you mitigate that? You have had to use them and experiment around with containers by now, right? I have. I tested detection methods fingerprinting them: used a Docker one with Kali on it and tried to run pf to fingerprint it while it was inside of a VM inside of a container on a host laptop to see if the firewall could see the fingerprint differences. I mean I really am into this stuff. The OS ACL options on the firewall really need an update. I have even tried to get FreeBSD to update them but it's a task to do that; it needs a team of people helping to supply the fingerprints for them.
Back to the main post: I personally like Hypervisor as it is supported more since Microsoft backs it, and it works with Microsoft Server also, but you're running a firewall on a VM, so bare metal or a dedicated appliance that runs multiple VMs like ESXi; VMware does a lot of the support for those.
Think about white box set ups where you can push the VMs to all the white box systems at once too. VMs are amazing.
-
@bmeeks I have 2 Tandy 102s, an Apple IIe, a Macintosh SE and much more. My wife doesn't like the hoarder tech tendencies I have.
-
@michmoor said in How much of a security concern is virtualization:
As of today, 3/15/2024, there are no known risks to virtualizing a firewall short of improper design by an admin but that would have nothing to do with the technology itself.
And there's where the biggest danger being me comes from.
Is there a STIG for hardening virtualized firewalls, pfSense in particular?
I tend to absorb a lot of information about subjects I'm interested in, but when it becomes chasing from document to document trying to figure out the specific interplay between products...
My eyes quickly glaze over. And what I do pick up through brute force rarely sticks long anymore.
(You young guys will face this someday too, trust me.)
Finding end to end procedures for things like this just doesn't seem to be as straightforward as it once was.
I have no idea if that's just because things are that much more complicated, or there are just so many different permutations that once someone figures out their particular path... it's just no longer shared.
Or maybe I'm not looking in the right places.