
I was reading this discussion: Is there danger to virtualizing a router?

I'm in charge of maintaining several firewalls installed in different SMB organizations (10-100 users). We're installing Endian or pfSense on custom hardware. Unfortunately (especially with Endian), when I try to restore the config on different hardware I run into several problems (different NICs etc.).

So I was thinking about virtualizing the firewall to introduce a level of abstraction from the physical layer, making the machine "hardware independent".

PRO:

  • Hardware independent
  • Easy to scale
  • Easy to backup

CON:

  • Performance (worse than physical)

The performance (in my scenario) wouldn't be an issue.

I'm concerned about possible security risks; what do you think about it? Which hypervisor do you recommend (and why)? Are there other considerations to be made?

Thanks for your kind reply

eldblz

2 Answers


This is a little late for the original poster, but for anyone else reading...

I would stick with pfSense from the ones you mentioned. I've deployed pfSense on Netgate's hardware, virtualized in ESXi, and on custom firewall appliances that meet the minimum hardware specs from the pfSense requirements page. For security you won't have any issues virtualizing that you wouldn't also have with dedicated hardware, as long as your ESXi configuration is set up properly. At least that has been my experience. You will still run into issues with restoring configs if you ever have to restore to a VM that is on a host with a different network hardware and software setup.

I recommend staying away from virtualizing the firewall. It adds a lot of complexity to the setup that can become a problem if you ever need to scale to multiple ESXi hosts in a high availability setup using vSAN. Read up on how to set up the basics for clues and then try to map out how to keep pfSense virtualized in the mix. It's possible, but not worth the effort when you've just increased the complexity beyond the troubleshooting abilities of the average admin.

When the setup is as simple as a single or isolated host, virtualizing works well. When hosts are, or might become, set up for HA, having pfSense virtualized complicates the setup. For redundancy, unlike desktop and laptop computers, firewall appliances don't become obsolete quickly. With that said, you can configure two pfSense hardware appliances for HA. And even in that case I recommend a spare on the shelf for when mother nature sends more joules across your grid than your surge protectors can handle.

jtlindsey
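Both the question and the answer above run into the same concrete failure: a backup restored onto a box whose NICs carry different driver names. The following script is an added example (not from the original thread, and not a pfSense project tool) that pre-checks a pfSense config.xml backup before restore. It assumes the real pfSense layout of the `<interfaces>` section, where each logical interface (`wan`, `lan`, `opt1`, ...) holds an `<if>` element naming the physical NIC; the sample backup, the old-to-new NIC map and the target NIC list are all constructed for the example. It rewrites the `<if>` values from an explicit map and refuses to emit a config while any interface is unmapped, points at a NIC the target does not have, or shares a NIC with another interface, so a firewall never boots with silently unassigned or doubled-up interfaces.

```python
"""Pre-restore NIC remap check for a pfSense config.xml backup (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample backup: only the <interfaces> subtree matters here.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <version>8.3</version>
  <interfaces>
    <wan>
      <enable/>
      <if>em0</if>
      <ipaddr>dhcp</ipaddr>
    </wan>
    <lan>
      <enable/>
      <if>em1</if>
      <ipaddr>192.168.1.1</ipaddr>
      <subnet>24</subnet>
    </lan>
    <opt1>
      <enable/>
      <if>em2</if>
      <descr>DMZ</descr>
    </opt1>
  </interfaces>
</pfsense>
"""


def list_assignments(config_xml):
    """Return {logical_name: physical_nic} for every interface in the backup."""
    root = ET.fromstring(config_xml)
    result = {}
    for iface in root.find("interfaces"):
        phys = iface.findtext("if")
        if phys:
            result[iface.tag] = phys.strip()
    return result


def remap_interfaces(config_xml, nic_map, target_nics):
    """Rewrite every <if> value through nic_map and validate against the target.

    nic_map:     {old_nic: new_nic}, e.g. {"em0": "igb0"} (constructed by the admin).
    target_nics: NIC names actually present on the restore target.
    Returns (new_xml, problems). new_xml is None whenever problems is non-empty,
    so a broken config is never handed to the restore step.
    """
    root = ET.fromstring(config_xml)
    problems = []
    assigned = {}  # new physical NIC -> logical interfaces that now use it
    for iface in root.find("interfaces"):
        if_el = iface.find("if")
        if if_el is None or not if_el.text:
            continue
        old = if_el.text.strip()
        new = nic_map.get(old)
        if new is None:
            problems.append(f"{iface.tag}: no mapping for {old}")
            continue
        if new not in target_nics:
            problems.append(f"{iface.tag}: {new} not present on target")
            continue
        if_el.text = new
        assigned.setdefault(new, []).append(iface.tag)
    # Two logical interfaces on one NIC is a misconfiguration, not a warning.
    for nic, users in assigned.items():
        if len(users) > 1:
            problems.append(
                f"{nic} assigned to more than one interface: {', '.join(users)}"
            )
    if problems:
        return None, problems
    return ET.tostring(root, encoding="unicode"), problems


if __name__ == "__main__":
    # Constructed scenario: old box used em*, new box exposes igb*.
    nic_map = {"em0": "igb0", "em1": "igb1", "em2": "igb2"}
    target = {"igb0", "igb1", "igb2"}
    print("before:", list_assignments(SAMPLE_CONFIG))
    new_xml, problems = remap_interfaces(SAMPLE_CONFIG, nic_map, target)
    if new_xml is None:
        print("refusing to restore:", problems)
    else:
        print("after:", list_assignments(new_xml))
```

Run it against a real backup by replacing `SAMPLE_CONFIG` with the file contents and filling `target` from the NIC names the new host reports; the point of returning `None` on any problem is that the restore step can be gated on the result instead of discovering an unassigned WAN at the console.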

What's wrong with using a purpose-built appliance like a Cisco ASA 5505 or 5510 firewall? The former is inexpensive, has good industry mindshare and certainly doesn't have the issues you're encountering with hardware compatibility... How much do you value your time?

As for your current problems, can you isolate the problem to specific device drivers? Why are you in a situation where you need to restore the configuration? Hardware failure? Is there a reason the customized hardware you're using is changing from standard? If you're happy with pfSense, it may make sense to try to solve these problems.

For a virtualized solution, I'm used to seeing people use VMware ESXi for this purpose. The hypervisor's network stack is mature and performance, throughput and stability aren't an issue. But now the burden is on your virtualized hardware and making it robust enough. I think your cost and complexity would increase.

ewwhite

Comment: We're happy with pfSense and Endian; unfortunately our hardware vendor changes NICs often. We can change it, but we have many firewalls already deployed, so I was trying to find a solution for those. – eldblz May 15 '13 at 10:17