Does VMWARE defeat the purpose of PF Sense?



  • Hi all.  New here and got really curious about PF sense.

    But something I'm really curious about, since you can run PF Sense in a virtual window within windows, doesn't that defeat the purpose of the firefall since it is running within a windows environment?

    If I have this mixed up some how, please let me know. I've only been reading about PF for the past couple of hours or so. :)


  • Banned

    You should spend some time reading the theory behind the way ESX/ESXi and VmWare virtual software are handled and how they relate to the underlying HAL layer or software running underneath.

    To give you a hint. A VM is completely isolated and does not have anything at all to do with the physical machine it is on. It only relates to the hardware presented to it by VmWare….



  • If you look at desktop virtualization first you might get highly confused.

    This is usually called workstation virtualization and is most for testing and developing purposes.

    When you have a fully fleged virtualization platform like ESXi / ESX / Xen you can see it more like a pool where you deploy your whole serverfarm (if you have it cluster based) and it´s totally irrelevant which server the virtual machine is running on.

    So if you had a 10 node virtualization cluster and your config is correct you would really never need a "standby / backup" server for anything.

    And the whole point of virtualization is to utilize the hardware underlying the configuration, I work a lot with high end customers on virtualization, and the same thing goes over and over again, 95% of all server seldom use more than 5% of the total CPU in the system, so why not jam 50 servers onto one server ?
    Saves space / cooling / power / cabling / maintenance :-)



  • CPU utilization is understandable.

    I'm very techy which is why I was curious about this, but not as intimate as most of you guys are.  Everyone knows Windowz has a lot of security holes and I had thought having PFSense in its own virtual environment would defeat any of the security it is able to apply since it is sitting on top of the windows environment.

    But as I continue to read on, I realize that this is not the case. :)



  • @Flybye:

    I had thought having PFSense in its own virtual environment would defeat any of the security it is able to apply since it is sitting on top of the windows environment.

    Not if you configure your real, and virtual, network adapters correctly.

    What you want to achieve, is that the real adapter, connected to the internet, is only used for the WAN side of pfSense.  Then the host Windoze system uses the WAN side of pfSense, for it's connectivity.

    But, remember, that there is that small opportunity, between Windoze starting, and then VMWare.

    Cheers.



  • @Flybye:

    CPU utilization is understandable.

    I'm very techy which is why I was curious about this, but not as intimate as most of you guys are.  Everyone knows Windowz has a lot of security holes and I had thought having PFSense in its own virtual environment would defeat any of the security it is able to apply since it is sitting on top of the windows environment.

    But as I continue to read on, I realize that this is not the case. :)

    Well, it sort of is, as you'll see from many other threads on the subject (some of which I've contributed to).  The VM platform, and Windows underneath, add complexity and will reduce the overall security.  If you are running a native VM platform (ie, no operating system underneath) and that platform was designed with security in mind then, and only then, have you not significantly decreased the security (but there's still going to be some increase of risk).

    In short, you shouldn't use assume that any VM platform can act as part of any security enforcing function.



  • I believe that pf should not be run in a vm for the same reasons as there will not be FreePFNAS. But thats just my opinion.

    http://forum.pfsense.org/index.php/topic,10201.0.html


  • Banned

    You should seriously consider doing A LOT more research before trying to be a wise guy….

    I would like to see you compromise a VM running PFSense. Pls. post the logs here... when you are done!

    @XIII:

    I believe that pf should not be run in a vm for the same reasons as there will not be FreePFNAS. But thats just my opinion.

    http://forum.pfsense.org/index.php/topic,10201.0.html



  • @Supermule:

    You should seriously consider doing A LOT more research before trying to be a wise guy….

    I would like to see you compromise a VM running PFSense. Pls. post the logs here... when you are done!

    And we'd love to see your evidence that running any OS inside a VM does not increase the risk.  XIII isn't being a wise guy in this case, it's you that is.

    If you do a little research you'll find that there are lots of papers on the security implications of virtual platforms and a history of serious vulnerabilities going back over 5 years.  Some of those will allow you to compromise the underlying host, at which point it's "game over" for the guest since the underlying host has full control of it.  There are even vulnerabilities in drivers allowing remote code execution on the underlying OS.  Heck, there are published vulnerabilities in some hardware allowing you to compromise a host regardless of the security of the OS running on it.

    If you're running an operating system, then a virtualisation platform, then a guest then you have 4 layers that can introduce vulnerabilities.  Running directly on hardware drops those layers to 2 - by half.  That can only be a good thing if you stop and think about it.

    Now, some platforms are better than others.  Any that remove the requirement for an underlying OS and run directly on hardware remove one layer of risk and have the potential to be less insecure than those that require an underlying OS.  None of them are as good as running your host directly on the hardware however, and that's unlikely to change in the immediate future.


  • Banned

    Well….you are saying.....nothing......you are just commenting on layers....and 2 layers are better than 4....

    I shall prove nothing. You are the one saying that it is less secure....So it must be you that should prove things... ;) One could imply that running 4 layers are better than 2, because you have to hack 3 layers to get to the hardware, instead of 1 layer when run on the physical machine. :)

    So prove that PFSense can be compromised running in a VM.



  • I think you missed the point - with 4 layers a vulnerability in any lower layer can give you full access to the higher layers.  With 4 layers there are 3 layers that can give full control of the pfSense VM.  Also, as I said, not all VMs are equal - it'll be much easier in some than others.

    Try a little Google-Fu.  Review the results.  Review the posts here by myself and some of the developers.  Then consider whether or not we may have a reason for what we're saying.  If you decide to carry on assuming the world is flat virtual systems are all secure then that's your choice.


  • Banned

    Geesus…..So you hack your way in from the bottom up? Once you have compromised the VM, then you get to the hardwarelayer of the VM. Where do you go from there?? I know you can compromise a Windows machine running Workstation/server VM, but that is a flaw in windows combined with VmWare tools. Patched allready by the way...

    I am not saying it is all secure, but no one has pointed me in a direction where I can locate information regarding running PFSense in a VM and security flaws in VmWare. So maybe its your world that is flat....not mine. ;)



  • I just dont believe that a device/software application that is supposed to be securing a network or any device should be hosted in a VM. All that has to happen is the host OS be compromised then you can go after the files/programs on that OS including the VM.

    Its not neccesarily pf that is the flaw but the vm software or host, you hack the host and you have access to all VMs and other software running on it plus the files.

    Like Cry Havok said, there are ways to hack the hardware. which is why if you are running your wan and lan off a dual port card or have them in the same slot group (Each PCI slot is either a master or a slave and when in that mode act as a hub) you are putting yourself at risk. granted it is rare for the hardware attack but it is there. (Found this info with some googleing from various sources), the attack is similar to VLAN hopping.
    I was going to do this and mount everything in a Tivo case but security is more important to me than space/convenience


  • Banned

    VLAN hopping….How would you say it compares to the scenario of running pfsense in a VM with untagged traffic on the physical switch??



  • I wasnt referring to a VM but to the hardware exploits of nics. Because on a dual nic or with cards that share the same bus (master/slave) one can go from the one nic to the other via a hardware hack/exploit, it is hard to do but is possible.


  • Banned

    Yes but the NIC's belonging to the VM is virtual….and sitting on a virtual switch.

    So again....you have to have access to the hardware on the console to get to the underlying host if not running Windows. The way ESX/i works, you cant communicate to the physical hardware via a VM. You have to gain access to a Vcenter server or the physical console.

    That is why its usually run on a network with no outside access at all. You cant see the admin interface in the hardware for the VM. It is not connected to the same switch as outside traffic. Furthermore, in my case, all servers are handled by layer7 inspection when communicating internally. So even the internal traffic is analyzed :)

    Currently I have no issues running PF in a VM on a hardened ESXi. I have had a lot of people trying to get in, but all have failed. PF does a very good job, and a very good thing about running PF in a VM, is that it allocates ressources on a need to basis. Therefore you wont be so vulnerable to DoS attacks and running out of ressources like you would on a physical machine.

    @XIII:

    I wasnt referring to a VM but to the hardware exploits of nics. Because on a dual nic or with cards that share the same bus (master/slave) one can go from the one nic to the other via a hardware hack/exploit, it is hard to do but is possible.



  • I say it all depends on how critical the data you're in charge of protecting is. If some exotic method of cracking into your data is enough to scare you away from sticking pfsense in a vm, then you are probably working with something worth spending some money on protecting that will give you "better" results.

    If you're simple worried about someone gaining access to your systems and wreaking havoc, well you should have a solid backup / dr plan anyway :P.

    Microsoft, Citrix, and VMWare aren't going to allow their virtualization products to run around wildly with known exploits unpatched and vulnerable. Speaking of patch management… well you can probably guess what I'd say.


  • Banned

    Exactly…..:D



  • Well thanks guys.  You all gave me a lot to read. :)

    The server has nothing "business" critical on it.  I'm basically just planning to build a file server at home so the whole family can access shared pics, music, and anything else I put on it.  I've been thinking of a box with multiple Raid 1s on it (e.g. a raid for family photos, another for music/family videos, etc), but at the same time, this box will be a game server since I still have the occasional Lan party at home.  And I will have multiple NICs on it.

    So basically, this box will always be on, and since it will be, I figured why not also transform it into a dedicated firewall and ditch the wall I have in the DSL modem.  pfSense is probably over kill, but since it will house important personal things on it, I figured why not give it a go.

    I've been playing around with pfSense these past few days, and wow, does it have options!



  • Instead of running multiple RAID1's I would advice you to concider running RAID5 or RAID6 in hardware, much less overhead, in practice, just as good failure protection.


  • Banned

    Nope…..Raid5 sucks on large drives....Raid10 is the optimal solution on the hardware. Raid1 if running on 2TB physical drives due to the 2TB LUN limit in VmWare.



  • @Supermule:

    Nope…..Raid5 sucks on large drives....Raid10 is the optimal solution on the hardware. Raid1 if running on 2TB physical drives due to the 2TB LUN limit in VmWare.

    Indeed, however for those of us who are not used to SATA-drives in such a config (usually not supported) we usually have 146->300GB drives, and then a RAID5 is the most logical solution ;-)


  • Banned

    Depending on hardware, 2TB is supported on most of the newer servers. :) But I know what you mean.

    If storage is an issue, and most of the time it is, then Raid5 is useful. However VERY vulnerable to complete loss of data…..

    @eirikz:

    @Supermule:

    Nope…..Raid5 sucks on large drives....Raid10 is the optimal solution on the hardware. Raid1 if running on 2TB physical drives due to the 2TB LUN limit in VmWare.

    Indeed, however for those of us who are not used to SATA-drives in such a config (usually not supported) we usually have 146->300GB drives, and then a RAID5 is the most logical solution ;-)



  • Some very smart people have said ANY virtualization on x86 platforms is going to have security issues.  Now they may be purely theoretical, but there's a fine line between theory and reality when you're betting important data on it.

    I put in lots of firewalls.  Mine are all openbsd.  I have always been interested in this project though.  Yes I have run pfsense in vm's to check it out.

    But I'm simply not willing to put important perimeter security devices in vm's for production.  I consider that a flawed approach to security.  You will be much safer to run production firewalls on the metal.


  • Banned

    Do you actually have a clue of what you are talking about here??

    The short version, is your wrong….

    The long one is here.

    @tbmay:

    Some very smart people have said ANY virtualization on x86 platforms is going to have security issues.  Now they may be purely theoretical, but there's a fine line between theory and reality when you're betting important data on it.

    I put in lots of firewalls.  Mine are all openbsd.  I have always been interested in this project though.  Yes I have run pfsense in vm's to check it out.

    But I'm simply not willing to put important perimeter security devices in vm's for production.  I consider that a flawed approach to security.  You will be much safer to run production firewalls on the metal.



  • LOL

    Well…I'm not going to read my resume but yes....I've been around the block.

    Hey....you guys can do what you want.  I'm just telling you I'm not crazy about running my perimeter security on a vm.



  • Hi Guys
    regaring raid1.  I lost more than 16 years movies at home loosing one of my HDD's.  I now stick to raid5.  Slower, but I can loose a drive and still rebuild the raid.  Actually, lately (I run XBMC-LIVE) I decided it is cheep enough to build a duplicate machine and I use rsync (WHAT A UTILITY!) to sync the 2 systems.  No more raid, only HDDS…

    Regarding VM's.  I do not claim to be an expert, but I run 2 VM's in my business.  It is a huge saving on resources and very stable (ESXi4.1) .  I run various OS's over the configuration.  I do see attemted break-ins, but never actually got one (that I know of  ;))

    My business is NPO of nature and every cent/sent needs to be turned over before spent.  VM's did this for us.

    I would also like to say (please don't slagg me on this) I run my live firewall on PFBeta2!  It works and it works well.  My previous solution (14 years old) was way more buggy than PFB2 and the trade-off worth it.  I did get some break-ins on my previous FW, but so far, so good :)

    Kind regards
    Aubrey Kloppers



  • The past few days I've been running my pfSense 2.0 in VirtualBox on a Windows 2008 R2 server housing 6 TB of important data.  Now this is all personal stuff in my home, and I would never do this in production for any company at this point.  But I wanted to point out that by not associating any protocols with my dedicated WAN network adapter that isolates my host OS (Windows 2008 R2) from the internet very effectively.  I virtualized in order to save on electricity.  For anyone wanting to do the same and has a windows based server or htpc and is also hurting on the electric bill…you may have had the same thought as me.  That's why I wanted to put this out there.  I've been working with computers a long time and this strikes me as a quick and simple enough solution for home use.


Locked