Virtual Firewalls?

killerasp

So with all this hoopla on virtualizing storage and stuff, I thought... why not virtualize firewalls?

Does any firewall manufacturer make any appliance capable of virtualizing the security layer?

I found some stuff on Nokia Checkpoints (http://europe.nokia.com/A4153098). Anyone have any experience with this type of virtualizing?
 
The firewall is one thing I prefer not to virtualize for my customers. I really like CheckPoint firewalls for the enterprise, but they are one of the most expensive firewalls you can buy.
 
> The firewall is one thing I prefer not to virtualize for my customers.

I'd lean away from it too... I built the virtual Untangle a long time ago, just to dork with it. But overall, at least for the small to medium business network field, I'm not interested in VMs. Suppose whatever "host" machine needs to be rebooted or something... whatever other VMs are running on it get the ax. I prefer to keep things separate, simply for the fact that if something needs a reboot, it won't impact other services.

Plus I see VM vulnerabilities being something more common down the road. Even though, on paper, you unbind that NIC from the host OS or others sharing that physical box... dunno, just doesn't sit right with me.
 
> So with all this hoopla on virtualizing storage and stuff, I thought... why not virtualize firewalls?
>
> Does any firewall manufacturer make any appliance capable of virtualizing the security layer?
>
> I found some stuff on Nokia Checkpoints (http://europe.nokia.com/A4153098). Anyone have any experience with this type of virtualizing?

The virtualization of firewalls is nothing new; I've personally been doing it for around 5 years. I only virtualize them for test purposes, though I have used them to create enclaves in my virtual environment.

Any *nix firewall distribution can be virtualized, as can the Cisco ASA and Cisco PIX. I haven't really seen any other hardware firewall appliances virtualized, though. You can also check VMware's website, in their virtual appliance section, for a ton of firewalls already built.

> Plus I see VM vulnerabilities being something more common down the road. Even though, on paper, you unbind that NIC from the host OS or others sharing that physical box... dunno, just doesn't sit right with me.

They're going to be just as common (and the same vulnerabilities, in fact) as they would be on a standard dedicated hardware platform. Why does it not sit right with you? Virtualization and thin client computing is the future, bud, get used to it.
 
> The virtualization of firewalls is nothing new; I've personally been doing it for around 5 years. I only virtualize them for test purposes, though I have used them to create enclaves in my virtual environment.
>
> Any *nix firewall distribution can be virtualized, as can the Cisco ASA and Cisco PIX. I haven't really seen any other hardware firewall appliances virtualized, though. You can also check VMware's website, in their virtual appliance section, for a ton of firewalls already built.
>
> They're going to be just as common (and the same vulnerabilities, in fact) as they would be on a standard dedicated hardware platform. Why does it not sit right with you? Virtualization and thin client computing is the future, bud, get used to it.

Yeah, what I was thinking of was actually virtualizing the appliance, being able to increase capacity by adding another appliance to the cluster and distributing the load. The servers/clients would not know there are 10 dedicated FW appliances sharing the load; to them, it's only one device.
 
> They're going to be just as common (and the same vulnerabilities, in fact) as they would be on a standard dedicated hardware platform. Why does it not sit right with you? Virtualization and thin client computing is the future, bud, get used to it.

More so of a risk IMO: a vulnerability on a hardware appliance may occur if you have WAN management enabled or a weak password. But operating system vulnerabilities can occur just sitting there. VMware is an operating system. To have an external (red) NIC sitting within it can be (and most likely already has been) a risk.

Google "VMware exploits". I had 387,000 results right now. Seems to be not quite "as common as the vulnerabilities... hardware platform"... but far surpassing already.

It's become "trendy" with IT people over the past couple of years; I'm not hooked on it. My business colleague is a fully certified VMware partner; he's trained and has done some huge setups, so I've seen it quite up close in some beefy setups. It has its place, for big setups, but IMO I wouldn't let a red NIC touch it.

What's thin client have to do with it? If you've been in the IT industry long enough, you've seen it come... and go... and come... and go.
 
> Yeah, what I was thinking of was actually virtualizing the appliance, being able to increase capacity by adding another appliance to the cluster and distributing the load. The servers/clients would not know there are 10 dedicated FW appliances sharing the load; to them, it's only one device.

Totally possible, as long as the firewall supports clustering or HA. pfSense + CARP... check it out.
 
> More so of a risk IMO: a vulnerability on a hardware appliance may occur if you have WAN management enabled or a weak password. But operating system vulnerabilities can occur just sitting there. VMware is an operating system. To have an external (red) NIC sitting within it can be (and most likely already has been) a risk.
>
> Google "VMware exploits". I had 387,000 results right now. Seems to be not quite "as common as the vulnerabilities... hardware platform"... but far surpassing already.
>
> It's become "trendy" with IT people over the past couple of years; I'm not hooked on it. My business colleague is a fully certified VMware partner; he's trained and has done some huge setups, so I've seen it quite up close in some beefy setups. It has its place, for big setups, but IMO I wouldn't let a red NIC touch it.
>
> What's thin client have to do with it? If you've been in the IT industry long enough, you've seen it come... and go... and come... and go.

Here we go again... There are FAR more vulnerabilities for ANY of the common operating systems than for VMware's software... VMware makes software, not the operating systems. With that said, VMware ESX is built off of a severely stripped-down version of Red Hat Enterprise, so any vulnerabilities that may lie in the extremely limited features that VMware has included in its build using RH Enterprise will obviously affect its product.

If you researched your Google hits a bit more you would find that there are no current vulnerabilities (everything is extremely stale!) in the software; everything has been patched. VMware very much does their due diligence. Like all software, there will be vulnerabilities; if you don't think that, then just stop reading.

Secondly, virtualization is NOTHING new... it's been around for the better part of 30 years. I remember you being one of the forum members that would always boast about how you're an old-timer in the field, so you should know that virtualization is NOT a trend, and it never will be. 'Nuff said.

What I was referring to with thin clients was their ability to manipulate virtual machines. All businesses want a smaller footprint, including the federal government.

Lastly, I want to point out that you have a very good point about red and green interfaces residing on the same virtual switch fabric. If you do proper network segmentation this is not an issue whatsoever (either physical segmentation or virtual, which is what this thread is about), and this has passed several federal tests conducted by the best security consultants in the industry. If you're that paranoid, put in 1 NIC per security enclave that you want to define. Also, I want to point out that simple VLAN hopping techniques have been proved to be non-functional on the vSwitch (double tagging, switch spoofing, CAM flooding, etc.).
 
> Here we go again... There are FAR more vulnerabilities for ANY of the common operating systems than for VMware's software... VMware makes software, not the operating systems. With that said, VMware ESX is built off of a severely stripped-down version of Red Hat Enterprise, so any vulnerabilities that may lie in the extremely limited features that VMware has included in its build using RH Enterprise will obviously affect its product.
>
> If you researched your Google hits a bit more you would find that there are no current vulnerabilities (everything is extremely stale!) in the software; everything has been patched. VMware very much does their due diligence. Like all software, there will be vulnerabilities; if you don't think that, then just stop reading.
>
> Secondly, virtualization is NOTHING new... it's been around for the better part of 30 years. I remember you being one of the forum members that would always boast about how you're an old-timer in the field, so you should know that virtualization is NOT a trend, and it never will be. 'Nuff said.
>
> What I was referring to with thin clients was their ability to manipulate virtual machines. All businesses want a smaller footprint, including the federal government.
>
> Lastly, I want to point out that you have a very good point about red and green interfaces residing on the same virtual switch fabric. If you do proper network segmentation this is not an issue whatsoever (either physical segmentation or virtual, which is what this thread is about), and this has passed several federal tests conducted by the best security consultants in the industry. If you're that paranoid, put in 1 NIC per security enclave that you want to define. Also, I want to point out that simple VLAN hopping techniques have been proved to be non-functional on the vSwitch (double tagging, switch spoofing, CAM flooding, etc.).

Nice post. I couldn't have said it better myself.
 
> Here we go again... There are FAR more vulnerabilities for ANY of the common operating systems than for VMware's software... VMware makes software, not the operating systems.
>
> Secondly, virtualization is NOTHING new... it's been around for the better part of 30 years. I remember you being one of the forum members that would always boast about how you're an old-timer in the field, so you should know that virtualization is NOT a trend, and it never will be. 'Nuff said.

Where does this "again" come from? Read AGAIN what I said. I did not compare the vulns of VMware to the common Windows operating system... no sh|t, captain obvious, it has far less than Windows. :rolleyes:

My point was... a hardware appliance, with nothing exposed on the outside (not even remote management), versus software that, yes, while vulns are relatively few and patches are released, is still something that needs patching. Fact: there is more of a chance of it getting exploited than a hardware NAT box with nothing exposed on the wild side.

Nor did I claim it was brand new. Please point out where I stated that. What I said (clearly, and in English... I thought) was "It's become trendy... over the past couple of years." I said that because of several factors that have risen over recent years, such as more free offerings of packages, and the horsepower of hardware having risen to the point of decent performance becoming a reality (i.e. dual/quad cores, etc.).
 
> Where does this "again" come from? Read AGAIN what I said. I did not compare the vulns of VMware to the common Windows operating system... no sh|t, captain obvious, it has far less than Windows. :rolleyes:
>
> My point was... a hardware appliance, with nothing exposed on the outside (not even remote management), versus software that, yes, while vulns are relatively few and patches are released, is still something that needs patching. Fact: there is more of a chance of it getting exploited than a hardware NAT box with nothing exposed on the wild side.
>
> Nor did I claim it was brand new. Please point out where I stated that. What I said (clearly, and in English... I thought) was "It's become trendy... over the past couple of years." I said that because of several factors that have risen over recent years, such as more free offerings of packages, and the horsepower of hardware having risen to the point of decent performance becoming a reality (i.e. dual/quad cores, etc.).

Okay, first off dino... calm down. I don't want you to have a heart attack. I think you AGAIN need to read what I wrote. You really don't understand virtual networking, do you? Generally, we have ONE NIC, or a trunked and channeled set of NICs, that's tagging frames. You technically have a RED VLAN, and like I put it, the vSwitch has been proven to be very secure for what it is.

Let's just say we have 2 NICs, one red and one green... you have then given the environment that you have tied to a virtual appliance (red VLAN tied to red NIC, green VLAN tied to green NIC, or you can even put each NIC on a separate vSwitch) the SAME EXACT security as it would have if it was a REAL device. You need to read about virtual networking, my friend; do your homework!!!!!!!!!

BUT, in most cases, you will have a NON-colored NIC trunked to a switch which would terminate some sort of ISP connection.

Apologies for the trendy thing; I thought that you were saying virtualization is just a trend, implying that it will come and go. I've heard people say that about Linux before :rolleyes:. When I said "again", I was referring to me having to have this conversation with someone that doesn't know much about virtualization and listen to their pointless bashing.
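As an added illustration of the red/green separation argued over in this post and the earlier one on segmentation (example code written for this page, not from the thread, VMware or any vendor): a small model of vSwitches, port groups and VM vNICs, plus an audit that flags the layouts the posters disagree about. The class names, "zone" label and sample VM names are constructed; the promiscuous flag stands for the vSwitch security policy setting of the same name, and the model otherwise carries no real hypervisor API.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PortGroup:
    name: str
    vswitch: str
    vlan: int           # 802.1Q tag carried on the vSwitch; 0 means untagged
    zone: str           # "red" = untrusted/WAN side, "green" = trusted/LAN side
    promiscuous: bool = False   # vSwitch security policy "Promiscuous Mode" set to Accept


@dataclass(frozen=True)
class VM:
    name: str
    nics: tuple         # port groups its vNICs attach to
    is_firewall: bool = False


def audit(port_groups, vms):
    """Return a list of findings; an empty list means the layout passes."""
    findings = []
    by_name = {p.name: p for p in port_groups}
    by_switch = {}
    for p in port_groups:
        by_switch.setdefault(p.vswitch, []).append(p)
    # 1. Red and green on one vSwitch is only acceptable when every port group
    #    carries its own VLAN tag; an untagged pair is a single flat L2 domain.
    for sw, groups in sorted(by_switch.items()):
        if {"red", "green"} <= {g.zone for g in groups}:
            tags = [g.vlan for g in groups]
            if 0 in tags or len(set(tags)) != len(tags):
                findings.append(f"{sw}: red and green share a vSwitch without distinct VLAN tags")
    # 2. Promiscuous mode on the red side lets any guest on that group see WAN traffic.
    for p in port_groups:
        if p.zone == "red" and p.promiscuous:
            findings.append(f"{p.name}: promiscuous mode enabled on a red port group")
    # 3. The firewall is the only VM allowed on red, and the only bridge between zones.
    for vm in vms:
        zones = {by_name[n].zone for n in vm.nics}
        if "red" in zones and not vm.is_firewall:
            findings.append(f"{vm.name}: non-firewall VM attached to a red port group")
        if vm.is_firewall and zones != {"red", "green"}:
            findings.append(f"{vm.name}: firewall VM needs one vNIC in red and one in green")
    return findings


# Constructed sample: the "two NICs, two vSwitches" layout described in the thread.
GOOD_PGS = [PortGroup("pg-red", "vSwitch-red", 0, "red"),
            PortGroup("pg-green", "vSwitch-green", 0, "green")]
GOOD_VMS = [VM("fw01", ("pg-red", "pg-green"), is_firewall=True), VM("web01", ("pg-green",))]

# Constructed sample: one trunked NIC, red left untagged and promiscuous, and a server given a vNIC on the WAN side.
BAD_PGS = [PortGroup("pg-red", "vSwitch0", 0, "red", promiscuous=True),
           PortGroup("pg-green", "vSwitch0", 20, "green")]
BAD_VMS = [VM("fw01", ("pg-red", "pg-green"), is_firewall=True), VM("web01", ("pg-red", "pg-green"))]
```

Running `audit(GOOD_PGS, GOOD_VMS)` returns no findings, while the second layout produces three: the shared untagged vSwitch, the promiscuous red group, and the server with a foot on the WAN side.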
 
//yawn :rolleyes:

Back to something interesting.....
Untangle's new 5.4 release now supports installing the firewall as an application within Windows.

http://forums.untangle.com/showthread.php?t=4909

"5.4 includes a VM version of Untangle that runs out-of-line on any
Windows XP machine. Future releases will support other Window versions.
It installs on Windows XP machine on the network just like a normal
application (no need to be at the gateway - *any* Windows XP desktop will do)

It runs Untangle in a VM inside the Windows machine and uses what we call
our "re-routing" technology to re-route all inbound and outbound traffic
through the Untangle in the VM. This means it behaves just like a gateway
yet it runs on any machine on the network.
The net effect is that you get all the complete benefits of Untangle
and it installs like a Windows application, with no dedicated
hardware and no network reconfiguration."
 
> //yawn :rolleyes:
>
> Back to something interesting.....
> Untangle's new 5.4 release now supports installing the firewall as an application within Windows.
>
> http://forums.untangle.com/showthread.php?t=4909
>
> "5.4 includes a VM version of Untangle that runs out-of-line on any
> Windows XP machine. Future releases will support other Window versions.
> It installs on Windows XP machine on the network just like a normal
> application (no need to be at the gateway - *any* Windows XP desktop will do)
>
> It runs Untangle in a VM inside the Windows machine and uses what we call
> our "re-routing" technology to re-route all inbound and outbound traffic
> through the Untangle in the VM. This means it behaves just like a gateway
> yet it runs on any machine on the network.
> The net effect is that you get all the complete benefits of Untangle
> and it installs like a Windows application, with no dedicated
> hardware and no network reconfiguration."

Now if they (the security experts at Untangle) are fine with running it in a VM in a virtual "between the NIC and the OS" type of way, how much more secure would ESXi be in hosting an Untangle box?

I think you may have proven his point, stonecat...

Even though native seems most secure, I'd much rather trust a virtual appliance running in VMware or ESX than in Windows XP Home SP1 for moms who email... just like you... but apparently it doesn't matter.

I'm just more concerned about the performance of running Untangle in my ESXi box... it's a pretty lightweight rig.
 
> Now if they (the security experts at Untangle) are fine with running it in a VM in a virtual "between the NIC and the OS" type of way, how much more secure would ESXi be in hosting an Untangle box?
>
> I think you may have proven his point, stonecat...
>
> Even though native seems most secure, I'd much rather trust a virtual appliance running in VMware or ESX than in Windows XP Home SP1 for moms who email... just like you... but apparently it doesn't matter.
>
> I'm just more concerned about the performance of running Untangle in my ESXi box... it's a pretty lightweight rig.

I posted because it's interesting, and it fit the thread subject. I'd never run this in a production environment, esp. with a Windows host.

I find the idea of VMs very interesting, and due to my colleague being a VMware certified partner, I've seen some pretty wicked setups on a large scale: P==>V stuff, the big management console he runs up in our data center to manage all the VM boxes. Cool stuff, yeah.

I'm not sold on it for application in smaller business networks; if I ever utilized it on my clients, I'd only use it for lighter-duty servers. I'd never VM SBS, for example, with some other beefy server in one box. I've already seen performance issues from stuffing beefy server VMs on a single host. But for firewalls... eh eh, I'll pass.
 
> I'm not sold on it for application in smaller business networks; if I ever utilized it on my clients, I'd only use it for lighter-duty servers. I'd never VM SBS, for example, with some other beefy server in one box. I've already seen performance issues from stuffing beefy server VMs on a single host. But for firewalls... eh eh, I'll pass.

I feel the same way... but having this ESXi for free changes a lot of stuff (IMO)... it at least makes me rethink how I want to implement a system.
 