9
7
Googling found me people saying running a firewall/router as a virtual machine is "dangerous" but none of them gives any reason as to why it is so. I also found posts from people who are successfully running firewalls as on a virtual machine.
Does anybody have any experience with this?
What would be the pros or cons of running a firewall/router on a virtual machine in something like proxmox vs ob a physical machine?
Nithin
Posted 2014-03-11T10:25:15.990
Reputation: 193
11
Really the right way to do things is the opposite of how you are approaching, if security is a paramount concern. You'd want to run the router/firewall on the bare metal, and host a VM within that for standard desktop or server usage.
Forgive my crappy MS Paint illustration.
If you bridge the VM's NIC and the LAN NIC (from the bare metal OS), they can appear as the same "LAN" interface for the purposes of firewalling or routing.
Most of the security issues would be if someone were to go up to the console while this is running and disable your router/firewall VM or disable bridging/unbind your NIC from the VM - or if someone were to remote into the system and do that. There's a possibility, as always, that malicious software could do something wacky.
You could do this, and use any VM software if you wanted, but the disadvantage is if you use something like ESX, you'll need to RDP into the desktop VM instead of directly accessing via console.
LawrenceC
Posted 2014-03-11T10:25:15.990
Reputation: 63 487
3
There are commercial products like Check Point former "VSX" Systems which serve "virtual firewalls" on a given hardware base. If we talk about VMWare or better cloud based firewalling. You setup a firewall "in" the cloud to segment the "internal" cloud "network" not the communication between a cloud and another network.
The performance is very limited and the performance in a cloud is shared. An asic-based firewall can do > 500GBps. A VMware based Firewall or switch does < 20GBps. To the statement LAN NIC could catch a flu from wire. You also could state that any intermediate device like switch, router, ips could also get exploited by in-transit-traffic.
We see this in "malformed" packets (aka frames, fragments, segments etc.) So one could state using "intermediate" devices is insecure. Also the German NIST called BSI stated some years ago that the virtual routers (like VDCs (Virtual Device Context - Cisco Nexus)) and VRF (Virtual Route Forwarding) is insecure. From a point of view, sharing resources is always a risk. User can exploit resources and reduce service quality for all other users. Which globally would place the whole VLAN and overlay technologies (like VPN and MPLS) in Question.
If you have really high demands on security I would use dedicated hardware and dedicated network (including dedicated lines!) If you ask if the hypervisor (especially in bare metal) is a special security problem in a common scenario... I would say no.
user306846
Posted 2014-03-11T10:25:15.990
Reputation: 31
I am finding it a little difficult to understand everything you said... here is what I understood correct me if I am wrong.
So you say that virtual firewalls are used to protect the virtual machines and their virtual networks from the host network just like virtual machines use virtual switches/routers etc.
ASIC or dedicated firewalls perform better than virtual ones.
I didnt quite understand the last paragraph. :( – Nithin – 2014-03-11T15:50:51.310
2
Typically, a virtual machine is connected to the network via a bridged connection (i.e. networking goes through the physical computer it's running on). To use the VM as a firewall means that all traffic can come in to the physical computer, then the packets are sent to the VM, filtered and then sent back out to the physical computer. Since the physical computer can take unfiltered packets and is responsible for distributing the packets to the rest of the network, this is exploitable to send unfiltered packets around the network.
Hugo Buff
Posted 2014-03-11T10:25:15.990
Reputation: 266
1Wont this problem be solved by binding a physical NIC directly to the VM instead of using a virtual NIC for the VM at least for the RED interface? – Nithin – 2014-03-11T10:55:30.077
If your desktop is running on the bare metal, and your firewall is not, traffic going through your firewall still has to pass through the desktop OS before being examined by the firewall. So the firewall gives less protection here. – LawrenceC – 2015-03-21T17:34:10.500
upvoting you for the not-so-crappy paint illustration... thank you for your effort....
This approach would stop me from using most of the virtualization distros right? Particularly the likes of proxmox or vmware esx... – Nithin – 2014-03-11T15:41:17.410
IIRC Proxmox is based on Linux - and you can just configure your routing and firewall outside of any VM on that. There's no way to get outside of any VM on ESX AFAIK except a diagnostic mode so you probably don't want to use that. However, running two VM's "side by side" in ESX, where one is a "front end" for another (your "desktop VM" would only have a virtual NIC that's connected to the "firewall" VM), would be OK. The "desktop VM" couldn't directly do anything to the hypervisor in that case. – LawrenceC – 2014-03-11T16:41:53.363
I am planning to go with proxmox... I was planning to use something like ipfire or clearos... but if I have to install it on proxmox... I dont think I'll be able to use any of those either :( Also, is there a way to do something like diagram 2 with proxmox? Wouldnt diagram 2 scheme have the issues u mentioned in paragraph 3? – Nithin – 2014-03-11T17:15:12.063
Basically, if your router/firewall is in a VM, and your desktop is in a VM "behind" it, it's fine. If you are trying to setup a router/firewall VM "within" a desktop NOT in a VM is where security could be an issue. Diagram 2 is possible with Proxmox if you set up 2 VMs - one for your firewall/router VM and another for your desktop VM. – LawrenceC – 2014-03-11T17:49:03.843
That comment confuses me... correct me if I am wrong... If the firewall/router is in a virtualization server like proxmox or vmware ESX, there are no security issues. But if the firewall/router is in something like virtualbox in a full fledged desktop, the security issues u mentioned applies. What I am trying to setup is diagram 2 with other VMs and physical machines in the network connecting to the firewall's virtual LAN NIC for access to wan... does this scenario have the security issues? – Nithin – 2014-03-11T18:25:20.663