Rich Freeman on 13 Apr 2013 03:32:53 -0700


Re: [PLUG] Embedded 3-Port Firewall?

On Fri, Apr 12, 2013 at 11:13 PM, Casey Bralla <> wrote:
> I've been leery of running a firewall in a virtual machine since I'm afraid
> the bad guys might be able to "jump" from one VM to another.  OK, I know
> that's silly, but it always seemed "cleaner" to me to have the firewall as a
> physically separate machine from my regular servers.
> Obviously, you've had no problems though, so I guess I'll reconsider that
> prejudice.

I wouldn't call that a "prejudice."  With a physical hardware firewall
those who want to bypass the firewall must find an attack against the
software or hardware on that firewall.  With a VM firewall those who
want to bypass the firewall have the additional option of finding an
attack against the VM software, the host OS, or any additional
hardware that might be exposed via these to the VM that would
otherwise not be present.  (I'm setting aside attacks against
hosts/software that are allowed to pass the firewall - these are the
same in both cases.)

Sure, virtualization vulnerabilities have been rare, but they do come
up, and they certainly can do so in the future.

If you're going to consider a virtualized firewall I think you need to balance:
1.  Any costs you think you will save.
2.  The convenience of not actually having to wire up all the
connections between the various VMs on the host.
3.  Since virtual networks are easy to set up and a virtual firewall
can have an essentially unlimited number of network interfaces,
consider any security gains you'll have due to better isolating your
DMZ hosts/etc.
4.  The security risk of potential flaws in the VM environment.

#3 really is just another element of cost, but it is potentially a big
one.  If you set up a hardware firewall chances are you'd at best have
a single DMZ network, if that.  If you virtualize it you could give
every host in the DMZ its own private network and all communications
between DMZ hosts, LAN hosts, and the internet all have to go back
through the router (and you might extend the same to servers on the
LAN).  I doubt most would bother with the cost of setting that up with
a hardware firewall.

If you look at it in terms of security opportunities as well as
threats the VM might start to make a lot more sense.

Philadelphia Linux Users Group