Netgate Discussion Forum
VMware - better security with VT-d PCI pass through

Problems Installing or Upgrading pfSense Software

Tubs

Hello,

I know. A firewall should run on bare metal for security reasons. If it runs as a virtual machine (VMware, XEN, …) the host could be attacked.

But as a home user I also have to take care of the WAF (women acceptance factor). And here the possible number of boxes is limited. Additionally, it saves energy to run a couple of machines as virtual machines in only one box.

Now I am interested in whether it gives more security when the box supports VT-d PCI pass through and I forward the NIC directly to the VM with pfSense. In this case the possibility to attack the host is reduced. Or am I wrong?

wallabybob

        I don't know the specifics of VMware but it seems to me that "PCI passthrough" (where a guest operating system has exclusive control of a device) should overcome the objection to running firewalls in virtual machines: the host OS becomes vulnerable to attack if it is doing packet handling before the firewall.

The passthrough can help in configuration: the pfSense forums have a number of reports of people who have had trouble configuring their "virtual networking" in a VM environment.

Tubs

@wallabybob:

> I don't know the specifics of VMware but it seems to me that "PCI passthrough" (where a guest operating system has exclusive control of a device) should overcome the objection to running firewalls in virtual machines:

This is what I guess. But guessing means not knowing. So, I'm looking for someone who knows if PCI pass through of the NIC to the guest with pfSense will bring more security.

matguy

In theory land, sure, VT-d might theoretically give you a lower attack surface, but in reality, it shouldn't be any more secure than a standard vNIC / vSwitch setup as long as your WAN connection doesn't also have the VMware Service Console available on it, which it shouldn't. In the theoretical order of attack surfaces, having a separate vSwitch with just the one pfSense firewall WAN side connected internally and a physical NIC should be the next best secure level; followed by a WAN port group and using VLANs to separate out your WAN traffic.

            All of those, however, in reality land, should be perfectly secure, especially for a home.

Someone correct me if I'm wrong, but I'm pretty sure that security hasn't historically been the main push for using pfSense on bare metal, but more the performance in high-bandwidth situations. People might get the knee-jerk reaction for security, or make that kind of decision based on a policy in a company, but there are relatively few, if any, attacks that would be exploitable because pfSense was running on a VM. Now, there could be some kind of Denial of Service attack that could possibly be exploitable, but I haven't seen any of those either.

A lot of very large companies run servers on VMware ESX hosts, some of these companies have very over-the-top security practices, and they're fine with VMware.

Unless you're worried about actually saturating a Gb NIC with traffic, I would not put out the extra expense nor effort to run the WAN NIC via VT-d. At this point, I don't think anyone could point to a real reason to claim that networking in VMware is insecure ("real reason" equals demonstrable exploits, not FUD).

Just to re-state, though: please don't advertise your VMware Service Console to the outside world. That's not secure.

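The post above ranks the ways a firewall VM's WAN leg can be wired (VT-d passthrough, a dedicated vSwitch with its own physical NIC, VLAN separation on a shared vSwitch) and insists that the hypervisor's management interface never sit on the WAN segment. The following is an added example, not code from the thread or from VMware: it models a host's virtual networking with small, hypothetical dataclasses (`Nic`, `PortGroup`) and classifies a topology into those tiers, flagging a management port group that shares a vSwitch and VLAN with WAN. The tier names, role strings and the "VLAN 0 means untagged" convention are assumptions made for illustration.

```python
"""Classify how a firewall VM's WAN leg reaches the host's virtual networking.

Added example (hypothetical model, not a VMware API). Tiers, strongest to
weakest, follow the ordering argued in the thread:
  passthrough      - physical NIC handed to the VM via VT-d; host never sees WAN frames
  dedicated_vswitch- WAN port group alone on a vSwitch with its own physical uplink
  vlan_separated   - WAN port group shares a vSwitch but is on its own VLAN
  shared_segment   - WAN port group shares vSwitch AND VLAN with something else
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

TIERS = ["passthrough", "dedicated_vswitch", "vlan_separated", "shared_segment"]


@dataclass(frozen=True)
class Nic:
    name: str
    vswitch: Optional[str] = None         # vSwitch this uplink feeds, if any
    passthrough_to: Optional[str] = None  # VM owning the NIC via VT-d, if any


@dataclass(frozen=True)
class PortGroup:
    name: str
    vswitch: str
    vlan: int   # assumption: 0 means untagged, tagged groups carry their VLAN id
    role: str   # "wan", "lan", or "mgmt" (Service Console / management vmkernel)


def _worse(a: str, b: str) -> str:
    """Return whichever of two tiers is the weaker isolation."""
    return a if TIERS.index(a) >= TIERS.index(b) else b


def wan_isolation(nics: List[Nic], portgroups: List[PortGroup]) -> Tuple[str, List[str]]:
    """Return (tier, findings) for the WAN-facing side of the firewall VM.

    Findings are human-readable exposures; an empty list means the WAN
    segment is not shared with anything the host itself listens on.
    """
    findings: List[str] = []

    # Tier 1: the WAN NIC belongs to the guest outright; no vSwitch to audit.
    passed = [n for n in nics if n.passthrough_to]
    if passed:
        return "passthrough", findings

    wan_groups = [pg for pg in portgroups if pg.role == "wan"]
    if not wan_groups:
        return "shared_segment", ["no WAN port group defined; cannot assess isolation"]

    tier = "dedicated_vswitch"
    for wan in wan_groups:
        if not any(n.vswitch == wan.vswitch for n in nics):
            findings.append(f"{wan.name}: vSwitch {wan.vswitch} has no physical uplink")
        for pg in portgroups:
            if pg is wan or pg.vswitch != wan.vswitch:
                continue
            if pg.vlan == wan.vlan:
                # Same vSwitch, same VLAN: one broadcast domain with the WAN.
                tier = _worse(tier, "shared_segment")
                if pg.role == "mgmt":
                    findings.append(f"{pg.name}: management reachable on the WAN segment")
                else:
                    findings.append(f"{pg.name}: shares {wan.vswitch} VLAN {wan.vlan} with WAN")
            else:
                # Same vSwitch, different VLAN: separated by tagging only.
                tier = _worse(tier, "vlan_separated")
    return tier, findings


def example_hosts():
    """Constructed sample topologies, one per tier (not real hosts)."""
    mgmt = PortGroup("Management Network", "vSwitch0", 0, "mgmt")
    lan = PortGroup("LAN", "vSwitch0", 0, "lan")
    return {
        "passthrough": ([Nic("vmnic0", "vSwitch0"), Nic("vmnic1", passthrough_to="pfSense")],
                        [mgmt, lan]),
        "dedicated": ([Nic("vmnic0", "vSwitch0"), Nic("vmnic1", "vSwitch1")],
                      [mgmt, lan, PortGroup("WAN", "vSwitch1", 0, "wan")]),
        "vlan": ([Nic("vmnic0", "vSwitch0")],
                 [mgmt, lan, PortGroup("WAN", "vSwitch0", 100, "wan")]),
        "exposed": ([Nic("vmnic0", "vSwitch0")],
                    [mgmt, PortGroup("WAN", "vSwitch0", 0, "wan")]),
    }


if __name__ == "__main__":
    for label, (nics, pgs) in example_hosts().items():
        tier, findings = wan_isolation(nics, pgs)
        print(f"{label:12s} -> {tier:18s} {findings}")
```

The "exposed" topology is the one the post warns about: the management port group and the WAN port group share an untagged vSwitch, so whatever answers on the host's management address is reachable from the WAN side without the firewall ever seeing it. The other three differ only in how much of the host's networking stack sits on the WAN path.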
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.