Does VMWARE defeat the purpose of PF Sense?
-
Hi all. New here and got really curious about PF sense.
But something I'm really curious about, since you can run PF Sense in a virtual window within windows, doesn't that defeat the purpose of the firefall since it is running within a windows environment?
If I have this mixed up some how, please let me know. I've only been reading about PF for the past couple of hours or so. :)
-
You should spend some time reading the theory behind the way ESX/ESXi and VmWare virtual software are handled and how they relate to the underlying HAL layer or software running underneath.
To give you a hint. A VM is completely isolated and does not have anything at all to do with the physical machine it is on. It only relates to the hardware presented to it by VmWare….
-
If you look at desktop virtualization first you might get highly confused.
This is usually called workstation virtualization and is most for testing and developing purposes.
When you have a fully fleged virtualization platform like ESXi / ESX / Xen you can see it more like a pool where you deploy your whole serverfarm (if you have it cluster based) and it´s totally irrelevant which server the virtual machine is running on.
So if you had a 10 node virtualization cluster and your config is correct you would really never need a "standby / backup" server for anything.
And the whole point of virtualization is to utilize the hardware underlying the configuration, I work a lot with high end customers on virtualization, and the same thing goes over and over again, 95% of all server seldom use more than 5% of the total CPU in the system, so why not jam 50 servers onto one server ?
Saves space / cooling / power / cabling / maintenance :-) -
CPU utilization is understandable.
I'm very techy which is why I was curious about this, but not as intimate as most of you guys are. Everyone knows Windowz has a lot of security holes and I had thought having PFSense in its own virtual environment would defeat any of the security it is able to apply since it is sitting on top of the windows environment.
But as I continue to read on, I realize that this is not the case. :)
-
I had thought having PFSense in its own virtual environment would defeat any of the security it is able to apply since it is sitting on top of the windows environment.
Not if you configure your real, and virtual, network adapters correctly.
What you want to achieve, is that the real adapter, connected to the internet, is only used for the WAN side of pfSense. Then the host Windoze system uses the WAN side of pfSense, for it's connectivity.
But, remember, that there is that small opportunity, between Windoze starting, and then VMWare.
Cheers.
-
CPU utilization is understandable.
I'm very techy which is why I was curious about this, but not as intimate as most of you guys are. Everyone knows Windowz has a lot of security holes and I had thought having PFSense in its own virtual environment would defeat any of the security it is able to apply since it is sitting on top of the windows environment.
But as I continue to read on, I realize that this is not the case. :)
Well, it sort of is, as you'll see from many other threads on the subject (some of which I've contributed to). The VM platform, and Windows underneath, add complexity and will reduce the overall security. If you are running a native VM platform (ie, no operating system underneath) and that platform was designed with security in mind then, and only then, have you not significantly decreased the security (but there's still going to be some increase of risk).
In short, you shouldn't use assume that any VM platform can act as part of any security enforcing function.
-
I believe that pf should not be run in a vm for the same reasons as there will not be FreePFNAS. But thats just my opinion.
-
You should seriously consider doing A LOT more research before trying to be a wise guy….
I would like to see you compromise a VM running PFSense. Pls. post the logs here... when you are done!
I believe that pf should not be run in a vm for the same reasons as there will not be FreePFNAS. But thats just my opinion.
-
You should seriously consider doing A LOT more research before trying to be a wise guy….
I would like to see you compromise a VM running PFSense. Pls. post the logs here... when you are done!
And we'd love to see your evidence that running any OS inside a VM does not increase the risk. XIII isn't being a wise guy in this case, it's you that is.
If you do a little research you'll find that there are lots of papers on the security implications of virtual platforms and a history of serious vulnerabilities going back over 5 years. Some of those will allow you to compromise the underlying host, at which point it's "game over" for the guest since the underlying host has full control of it. There are even vulnerabilities in drivers allowing remote code execution on the underlying OS. Heck, there are published vulnerabilities in some hardware allowing you to compromise a host regardless of the security of the OS running on it.
If you're running an operating system, then a virtualisation platform, then a guest then you have 4 layers that can introduce vulnerabilities. Running directly on hardware drops those layers to 2 - by half. That can only be a good thing if you stop and think about it.
Now, some platforms are better than others. Any that remove the requirement for an underlying OS and run directly on hardware remove one layer of risk and have the potential to be less insecure than those that require an underlying OS. None of them are as good as running your host directly on the hardware however, and that's unlikely to change in the immediate future.
-
Well….you are saying.....nothing......you are just commenting on layers....and 2 layers are better than 4....
I shall prove nothing. You are the one saying that it is less secure....So it must be you that should prove things... ;) One could imply that running 4 layers are better than 2, because you have to hack 3 layers to get to the hardware, instead of 1 layer when run on the physical machine. :)
So prove that PFSense can be compromised running in a VM.
-
I think you missed the point - with 4 layers a vulnerability in any lower layer can give you full access to the higher layers. With 4 layers there are 3 layers that can give full control of the pfSense VM. Also, as I said, not all VMs are equal - it'll be much easier in some than others.
Try a little Google-Fu. Review the results. Review the posts here by myself and some of the developers. Then consider whether or not we may have a reason for what we're saying. If you decide to carry on assuming
the world is flatvirtual systems are all secure then that's your choice. -
Geesus…..So you hack your way in from the bottom up? Once you have compromised the VM, then you get to the hardwarelayer of the VM. Where do you go from there?? I know you can compromise a Windows machine running Workstation/server VM, but that is a flaw in windows combined with VmWare tools. Patched allready by the way...
I am not saying it is all secure, but no one has pointed me in a direction where I can locate information regarding running PFSense in a VM and security flaws in VmWare. So maybe its your world that is flat....not mine. ;)
-
I just dont believe that a device/software application that is supposed to be securing a network or any device should be hosted in a VM. All that has to happen is the host OS be compromised then you can go after the files/programs on that OS including the VM.
Its not neccesarily pf that is the flaw but the vm software or host, you hack the host and you have access to all VMs and other software running on it plus the files.
Like Cry Havok said, there are ways to hack the hardware. which is why if you are running your wan and lan off a dual port card or have them in the same slot group (Each PCI slot is either a master or a slave and when in that mode act as a hub) you are putting yourself at risk. granted it is rare for the hardware attack but it is there. (Found this info with some googleing from various sources), the attack is similar to VLAN hopping.
I was going to do this and mount everything in a Tivo case but security is more important to me than space/convenience -
VLAN hopping….How would you say it compares to the scenario of running pfsense in a VM with untagged traffic on the physical switch??
-
I wasnt referring to a VM but to the hardware exploits of nics. Because on a dual nic or with cards that share the same bus (master/slave) one can go from the one nic to the other via a hardware hack/exploit, it is hard to do but is possible.
-
Yes but the NIC's belonging to the VM is virtual….and sitting on a virtual switch.
So again....you have to have access to the hardware on the console to get to the underlying host if not running Windows. The way ESX/i works, you cant communicate to the physical hardware via a VM. You have to gain access to a Vcenter server or the physical console.
That is why its usually run on a network with no outside access at all. You cant see the admin interface in the hardware for the VM. It is not connected to the same switch as outside traffic. Furthermore, in my case, all servers are handled by layer7 inspection when communicating internally. So even the internal traffic is analyzed :)
Currently I have no issues running PF in a VM on a hardened ESXi. I have had a lot of people trying to get in, but all have failed. PF does a very good job, and a very good thing about running PF in a VM, is that it allocates ressources on a need to basis. Therefore you wont be so vulnerable to DoS attacks and running out of ressources like you would on a physical machine.
I wasnt referring to a VM but to the hardware exploits of nics. Because on a dual nic or with cards that share the same bus (master/slave) one can go from the one nic to the other via a hardware hack/exploit, it is hard to do but is possible.
-
I say it all depends on how critical the data you're in charge of protecting is. If some exotic method of cracking into your data is enough to scare you away from sticking pfsense in a vm, then you are probably working with something worth spending some money on protecting that will give you "better" results.
If you're simple worried about someone gaining access to your systems and wreaking havoc, well you should have a solid backup / dr plan anyway :P.
Microsoft, Citrix, and VMWare aren't going to allow their virtualization products to run around wildly with known exploits unpatched and vulnerable. Speaking of patch management… well you can probably guess what I'd say.
-
Exactly…..:D
-
Well thanks guys. You all gave me a lot to read. :)
The server has nothing "business" critical on it. I'm basically just planning to build a file server at home so the whole family can access shared pics, music, and anything else I put on it. I've been thinking of a box with multiple Raid 1s on it (e.g. a raid for family photos, another for music/family videos, etc), but at the same time, this box will be a game server since I still have the occasional Lan party at home. And I will have multiple NICs on it.
So basically, this box will always be on, and since it will be, I figured why not also transform it into a dedicated firewall and ditch the wall I have in the DSL modem. pfSense is probably over kill, but since it will house important personal things on it, I figured why not give it a go.
I've been playing around with pfSense these past few days, and wow, does it have options!
-
Instead of running multiple RAID1's I would advice you to concider running RAID5 or RAID6 in hardware, much less overhead, in practice, just as good failure protection.
