Virtual firewall



  • Dear friends,

    Is it possible to create multiple firewalls on a single system?

    My idea:

    Install pfSense on a single host box (based on a 64-bit dual-core Xeon, 8GB RAM, 8 Gigabit ports, 2GB CF card) and create 2 jails.

    In each jail, create a new instance of pfSense, which shares some configuration with the master host, but applies its firewall only to an individual ethernet port or VLAN.

    Regards.

    Thanks

    []
    Lima jr.



  • Why would you want to do that?
    Keep it Simple, Sherlock!!!

    http://en.wikipedia.org/wiki/KISS_Principle



  • Hi,

    Simple, I need two or more different instances of the firewall, isolated, each with its own rules, NAT, traffic control, schedules, etc.

    []s
    Sergio Lima



  • Isn't that something you could do with a single pfSense?

    If you'd give some information on what you are trying to do someone might be able to help you.



  • OK.

    I'm starting a project at my company.

    We build firewall appliances for small, medium and large businesses and government institutions. At first I had two solutions available: ComixWall (in beta stage) and pfSense (stable).

    I am putting together a roadmap of the features my customers request, and pfSense has the great majority of them. During interviews with some CIOs, the presence of a virtual firewall was mentioned several times. They describe this solution as present in some competitors (e.g. Nokia, Checkpoint, Juniper).

    My manager has a big interest in this market, and this feature should be there in the future.

    If you need more information about virtual firewalls, look at: http://europe.nokia.com/A4153098

    Regards.



  • You may want to Google for Theo's rant on virtualisation and security (I generally find him OTT, but he has a point).  Running multiple security enforcement systems on a shared platform is, from a security perspective, not a good idea.  Instead of increasing security you're just adding complication and risk.

    IMO virtualisation is fine for reducing cost, improving the level of use of existing hardware and providing a degree of separation between processes that would have been running on the same hardware anyway.  As a security measure however it's at best doubtful.



  • Hi Cry,

    I know, but in the minds of the CIOs, who want to reduce costs, acquiring 2 or more firewalls to individually secure and manage different areas of their organizations is very expensive, and using two appliances in cluster mode (active/active), with four security zones working in isolated mode, is acceptable.

    In my opinion, it is very dangerous, above all because the hardware can fail.

    Tell me, is my idea of using jails+VLANs to build a virtual firewall farm possible and consistent?

    Regards.



  • In general, the concept is possible, though not as far as I know with pfSense.  I've no idea what you mean by "consistent" though.

    Of course, it's also bad design to base your perimeter protection around a single firewall product (defence in depth etc).  I'd suggest that you put effort into a small presentation detailing the risks that this approach brings (and the costs of dealing with an incident as a result, including any legal issues, staff time and loss of productivity/corporate embarrassment) vs the savings of two fewer firewalls.



  • Ok,

    I will explain this point in the project document.

    During tests of the jails in pfSense, I will send improvements to the pfSense team.

    Thanks a lot.

    Regards.

    []
    Sergio Lima



  • Actually, if you sponsor it there might be a configuration that works and does what you ask for!

    FreeBSD has vimage, which gives you different network stack instances on the same hardware. You can combine that with jails, each running a pfSense instance on its own virtual stack, and that gives you what you want. And since Nokia and Juniper started from FreeBSD they can support such a feature, and this is a wild guess, just because of this feature in FreeBSD.

    vimage is only present on RELENG_7, so you have to wait until then or try to experiment yourself.

    Regards.
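The vimage-plus-jails arrangement the post above describes, written out as an added example (not code from this thread, from pfSense, or from FreeBSD's own documentation): each firewall instance is a VNET jail with its own network stack, its own physical ports and its own pf ruleset, reachable from the host only over a private epair link. It assumes a FreeBSD release where VIMAGE is in the kernel and pf works inside vnet jails (12 or later), and an already populated jail root under /jails/<name>. The jail names (vfw1, vfw2), the port names (igb1 to igb4) and every address are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread or pfSense: one FreeBSD host carrying
# several independent firewall instances, each a VNET jail with its own
# network stack (VIMAGE) and its own pf ruleset. Assumes FreeBSD 12+ with
# VIMAGE in the kernel, pf usable inside vnet jails, and a populated jail
# root under /jails/<name>. Jail names, interface names and addresses are
# constructed for this example.
set -eu

# jail.conf(5) stanza for one virtual firewall.
# $1 jail name, $2 epair unit for the management link,
# $3 outside port, $4 inside port (both handed to the jail's own stack)
vfw_jail_conf() {
    name=$1; n=$2; outside=$3; inside=$4
    cat <<EOF
$name {
    host.hostname = "$name";
    path = "/jails/$name";
    vnet;
    vnet.interface = "epair${n}b", "$outside", "$inside";
    exec.prestart = "ifconfig epair${n} create";
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    exec.poststop = "ifconfig epair${n}a destroy";
    persist;
}
EOF
}

# pf.conf(5) for one instance: default deny, NAT out of the outside port,
# stateful pass from the inside segment, SSH management only over the epair.
# $1 outside port, $2 inside port, $3 management interface inside the jail
vfw_pf_conf() {
    outside=$1; inside=$2; mgmt=$3
    cat <<EOF
ext_if = "$outside"
int_if = "$inside"
mgmt_if = "$mgmt"
set skip on lo0
nat on \$ext_if from \$int_if:network to any -> (\$ext_if)
block log all
pass in on \$mgmt_if proto tcp to (\$mgmt_if) port 22 keep state
pass in on \$int_if from \$int_if:network to any keep state
pass out on \$ext_if keep state
EOF
}

# Stand one instance up: write both configs, start the jail, address the
# management link and both ports from inside the jail, enable forwarding in
# the jail's stack and load its pf ruleset. Run as root on the host.
# $5 inside address (CIDR), $6 outside address (CIDR), $7 outside gateway
vfw_create() {
    name=$1; n=$2; outside=$3; inside=$4; lan=$5; wan=$6; gw=$7
    mkdir -p "/jails/$name/etc"
    vfw_jail_conf "$name" "$n" "$outside" "$inside" >> /etc/jail.conf
    vfw_pf_conf "$outside" "$inside" "epair${n}b" > "/jails/$name/etc/pf.conf"
    jail -c "$name"
    # host side of the management link; the b side now lives in the jail
    ifconfig "epair${n}a" inet "10.99.${n}.1/24"
    jexec "$name" ifconfig "epair${n}b" inet "10.99.${n}.2/24"
    jexec "$name" ifconfig "$inside" inet "$lan"
    jexec "$name" ifconfig "$outside" inet "$wan"
    jexec "$name" route add default "$gw"
    jexec "$name" sysctl net.inet.ip.forwarding=1
    jexec "$name" pfctl -e -f /etc/pf.conf
}

# `sh vfw.sh apply` builds two instances; running or sourcing the file with
# no argument only defines the functions.
case "${1:-}" in
    apply)
        vfw_create vfw1 1 igb1 igb2 192.168.1.1/24 203.0.113.10/24 203.0.113.1
        vfw_create vfw2 2 igb3 igb4 192.168.2.1/24 198.51.100.10/24 198.51.100.1
        ;;
esac
```

Each jail sees only the ports listed in its `vnet.interface`, so `pfctl` inside vfw1 cannot see or filter igb3/igb4, and the two rulesets cannot collide. What this does not give you is the separation of two boxes: every instance runs on the same kernel, so a bug in pf or the network stack, or a jail escape, affects all of them at once, which is the point made earlier in the thread. pfSense's own configuration layer and web GUI are not shown here; this is the bare pf and jail plumbing underneath.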

