Lee H. Marzke on 15 Apr 2013 08:42:00 -0700



Re: [PLUG] Embedded 3-Port Firewall?


FYI,
Many large (say Fortune 1000) companies run multiple security zones in their VMware clusters, so there had better not be a VMware guest escape exploit.  VMware has campaigned that the old "air gap" standard between zones doesn't make sense in most situations, because efficient hardware use is difficult, and better security is possible in the all-virtual environment.

VMware encourages best practices such as hardening and using their own virtual firewalls.  These firewalls (part of VMware networking and security) support both internal (zone) firewalls and perimeter firewalls.  If a VM is migrated between hosts, the rules follow it in real time.  This avoids human mistakes in security rules during a move.  Their claim is better security by using many firewall zones and even inspecting traffic (for instance, to detect SSNs in a data stream between VMs where they aren't expected).

Also, if you have physical firewall or load balancer components, it's hard to move a whole data center to another center unless the hardware is identical.  By virtualizing networking and storage it's easier to migrate to any other VMware-based DC.

This is all part of VMware's new vCloud suite that sits above vSphere, and they seem to have brought in a lot of their own security folks to answer the objections from the larger enterprises that do security the old way.

Yes, there is a tremendous amount of new features in VMware to keep up with.

Lee

Lee Marzke <lee@marzke.net>
Sent from my Galaxy S III



-------- Original message --------
From: Casey Bralla <MailList@nerdworld.org>
Date: 04/12/2013 23:14 (GMT-05:00)
To: Philadelphia Linux User's Group Discussion List <plug@lists.phillylinux.org>
Subject: Re: [PLUG] Embedded 3-Port Firewall?


I've been leery of running a firewall in a virtual machine since I'm afraid
the bad guys might be able to "jump" from one VM to another.  OK, I know
that's silly, but it always seemed "cleaner" to me to have the firewall as a
physically separate machine from my regular servers.

Obviously, you've had no problems though, so I guess I'll reconsider that
prejudice.
On Friday, April 12, 2013 11:20:55 PM Lee H. Marzke wrote:
> I now run pfSense firewall as a VM in my ESXi server,  so my power
> for that box went down to zero!    I'm also routing IPv6 traffic
> to my website through pfSense. (4aero.com)
>
> The same ESXi server also runs a ZFS SAN for the VM's and a bunch of Linux
> VM's, including a plone server, Mailman mailservers,  Zimbra test server,
> VMware VIEW demo, etc. I hope to do a presentation on this setup sometime.
>
> I did keep the old physical linux router box around just in case of any
> bootstrap problems.
>
> Lee

Casey Bralla

Chief Nerd in Residence
The NerdWorld Organisation
http://www.NerdWorld.org
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug