13

I had read on a few forums about pfSense that said it was dangerous to virtualize pfSense. The reason that was stated was an attacker could use pfsense as a spring board for an attack on the hypervisor and then use that to gain access to the other virtual machines and eventually take everything offline.

It sounds crazy to me but is there shred of reality in that idea? Is running a router in a virtual server a bad idea?

ianc1215
  • 1,965
  • 7
  • 34
  • 55

3 Answers3

18

The arguments people generally have against that are security of the hypervisor itself, which history has pretty much proven isn't much of a concern. That could always change, but there haven't yet been any really significant recurring hypervisor security issues. Some people just refuse to trust it, for no good reason. It's not about attacking other hosts if someone owns the firewall, in that case it doesn't matter where it's running, and of all the things that are likely to get compromised, the firewall is WAY down the list unless you do something stupid like open its management to the entire Internet with the default password set. Those people have some irrational fear that there's going to be some magic "root ESX" packet sent in from the Internet through one of its bridged interfaces that's somehow going to do something to the hypervisor. That's extraordinarily unlikely, there are millions of more likely ways your network is going to get compromised.

Numerous production datacenters run pfSense in ESX, I've setup probably in excess of 100 myself alone. Our firewalls run in ESX. From all those experiences, the only couple slight drawbacks to virtualizing your firewalls are: 1) if your virtualization infrastructure goes down, you're not going to be able to get to it to troubleshoot if you aren't physically at that location (mostly applicable to colo datacenters). This should be very rare, especially if you have CARP deployed with one firewall per physical host. I do see scenarios on occasion where this happens though, and someone has to physically go to the location to see what's wrong with their hypervisor as their virtual firewall and only path in is down too. 2) More prone to configuration mistakes that could pose security issues. When you have a vswitch of unfiltered Internet traffic, and one or multiple of private network traffic, there are a few possibilities for getting unfiltered Internet traffic dropped into your private networks (potential impact of which would vary from one environment to another). They're very unlikely scenarios, but far more likely than making the same kind of screw up in an environment where the completely untrusted traffic is not connected in any fashion to internal hosts.

Neither of those should keep you from doing it - just be careful to avoid scenario 1 outages especially if this is sitting in a datacenter where you don't have ready physical access if you lose the firewall.

Chris Buechler
  • 2,938
  • 14
  • 18
12

There's a danger in anything being hooked up to the internet period.

To quote the immortal Weird Al:

Turn off your computer and make sure it powers down
Drop it in a forty-three-foot hole in the ground
Bury it completely; rocks and boulders should be fine
Then burn all the clothes you may have worn any time you were online!

Anything you expose to the outside world has a surface for attack. If you're running pfSense on dedicated hardware, and it gets compromised, your attacker now has a springboard to attack everything internally. If your pfSense virtual machine gets compromised, the attacker does have an extra attack vector - the hypervisor tools (presuming you've installed them) - with which to work, but at that point, your network's already compromised and you're in a world of hurt anyway.

So is it less secure to use a virtualized pfSense instance? Yes, marginally. Is it anything I'd worry about? No.

EDIT: After further consideration - if there is a specific error in pfSense of which I am not aware wherein it has issues with virtualized NICs that somehow creates a security flaw, then the above is invalid. I am unaware of such a vulnerability, however.

Driftpeasant
  • 3,207
  • 2
  • 20
  • 28
  • I'm not aware of any problems virtualizing FreeBSD and pf, which is 99% of what pfSense is (the important part anyway - the kernel/firewall module). Personally I would not do it in production though. – voretaq7 Dec 07 '11 at 19:34
  • Well yeah - it's not an ideal situation and can cause headaches with virtual switches, NICs, etc. out the wazoo. But as a security concern I think it's overblown. – Driftpeasant Dec 07 '11 at 19:38
  • Well for me the pfSense box is sorta of desposable anyway, this is for my "testing" network. I use this more for learning than production so risk is sort of low. Thanks for the info. – ianc1215 Dec 07 '11 at 19:53
  • +1 for the fun (but irrelevant) reference to Weird Al's [Virus Alert](http://www.youtube.com/watch?v=zvfD5rnkTws&ob=av2e). I normally don't upvote for frivolous reasons, but for some reason this one tickled me especially. – Steven Monday Dec 08 '11 at 02:29
  • It's not ENTIRELY irrelevant - it refers to having your machine connected online. :) – Driftpeasant Dec 08 '11 at 03:14
5

There is some inherent danger running anything within a virtual environment as well, regardless of what kind of server you are speaking of. I recently responded to a similar question. Since your router / firewall will already have access to your internal network there is no real reason to attack the hypervisor level - there are already much better attack vectors available.

The only reason I can really see going after the hypervisor is if your virtual machine is residing in a DMZ. From there you could go after the hypervisor and into a machine on the internal network. That isn't the use case you are describing.

Personally I keep a virtualized copy of my firewall for DR purposes. Using it isn't ideal but it is an option.

Tim Brigham
  • 15,465
  • 7
  • 72
  • 113