Virtualization of firewall

dffvb (Dabbler, joined Apr 14, 2021, 42 messages)
Hi there,

I have set up a Sophos firewall in a VM - behind a router - so it should be safe. Since PCI passthrough isn't really an option due to IOMMU group restrictions, I have added NICs to the VM and chosen free NICs under "Nic to attach" - apart from the discussion whether it is a good idea to virtualize a firewall at all, I am wondering how safe it would be to let the firewall dial up directly and let it be facing the internet instead of the current modem / router combo.

Maybe someone knowing can elaborate on this topic in general, meaning for example how safe it would be to expose a VM in a first layer behind a router, with the main TrueNAS being in a second layer (router cascade), with the mentioned way, regarding the risk of breaking out of the VM...

Example: I have a router/firewall with a WireGuard VPN, I am attaching a NIC to a VM with a Nextcloud installation, and plug that NIC into the router. Also, there is a second router/firewall behind the first, which has the main NIC of TrueNAS with all data etc... Let's say for whatever reason (faulty WireGuard implementation e.g.) the VM in the first layer gets infected; at how much risk is the second layer?


Have a nice Sunday

dffvb (Dabbler, joined Apr 14, 2021, 42 messages)
Bit surprised no one can or wants to share information regarding potential security flaws in this setup...

pabloalcantara (Dabbler, joined Feb 21, 2022, 29 messages)
I don't see any problems, as long as the services from TrueNAS are not accessible over the shared interface. I have a Sophos Home GX cluster in a physical machine, and one in TrueNAS as a virtual machine.
I use interfaces on TrueNAS where I haven't configured an IP address on the interfaces used by the Sophos VM.

Patrick M. Hausen (Hall of Famer, joined Nov 25, 2013, 7,776 messages)
I have been running virtual firewalls inside ESXi facing the Internet for years. I consider it reasonably secure. All VLAN jumping and/or hypervisor escape attacks I know require a level of access to the VM that already means "you are screwed" - because the attacker has got root access to the firewall system connected to your network. Virtualisation does not fundamentally change that.

So in a single-tenant environment (all systems including all VMs, switches, etc. belonging to the same person or company) I decided for myself that virtual firewalls are fine. Some might disagree.

In any multi-tenant setup (VMs belonging to different customers sharing the infrastructure) I would strongly discourage it.

Lastly, you need to decide how far you trust your hypervisor. I would not do this in anything but ESXi.

jlw52761 (Explorer, joined Jan 6, 2020, 87 messages)
Agree, but you also need to look at the physical switches that you are running this VLAN across. The only thing I would add is that if you do not have very good switches that are patched, I would not run the WAN (Internet) as a VLAN across it, but rather plug directly into a dedicated interface on the TrueNAS box and attach it to the VM there.

Another option is to have a small dumb switch dedicated to intaking the single WAN port from your ISP and distributing it to multiple endpoints, if you have several ESXi boxes or such. Granted, you will need a dedicated NIC on each of your hypervisors, and in the case of ESXi a separate vSwitch, but it's definitely the safe bet overall.

The reason for this is, when you run the WAN as a VLAN across a switch, that switch is now directly attached to the Internet, and the port(s) attached to the ISP equipment are not behind your firewall, so any flaws in that switch are directly exposed and exploitable. If you use the same switch for this as you do for all your internal VLANs, and that switch has a flaw that allows an attacker to gain access and perform VLAN hopping (not unheard of), then you are really toast because the firewall can be bypassed.

In your case, you most likely will plug the ISP WAN directly into a free NIC on your TrueNAS box, so you won't have to worry about that, and I'm sure that the network stack in TrueNAS (Core or Scale) doesn't easily allow for exploitation of that connection without having some very privileged access to the host OS itself, so I would say it's reasonably secure and not unheard of even in an Enterprise setting to virtualize the firewall(s).
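Two checks recur in the replies above: the host should have no IP address configured on the NICs it hands to the firewall VM (pabloalcantara's post), and the WAN should arrive on a dedicated physical port rather than as a VLAN tag carried across a shared switch (jlw52761's post). The script below is an added example, not code from this thread or from TrueNAS, that audits both conditions on a Linux host (TrueNAS SCALE or any other Linux hypervisor) by parsing the JSON output of `ip -j addr show`. The interface names, addresses and the embedded JSON are constructed sample data; `audit_passthrough_nics` is a hypothetical helper name.

```python
import json
import subprocess
from typing import Dict, Iterable, List

# Constructed sample of `ip -j addr show` output (not captured from a real host).
# eno1: host has a global IPv4 address -> unsafe to hand to the firewall VM.
# eno2: only an auto-assigned link-local IPv6 address -> acceptable.
# eno2.100: VLAN sub-interface -> WAN would ride a tagged trunk over a switch.
SAMPLE_IP_JSON = json.dumps([
    {"ifindex": 2, "ifname": "eno1", "operstate": "UP",
     "addr_info": [
         {"family": "inet", "local": "192.0.2.10", "prefixlen": 24, "scope": "global"},
         {"family": "inet6", "local": "fe80::1", "prefixlen": 64, "scope": "link"}]},
    {"ifindex": 3, "ifname": "eno2", "operstate": "UP",
     "addr_info": [
         {"family": "inet6", "local": "fe80::2", "prefixlen": 64, "scope": "link"}]},
    {"ifindex": 4, "ifname": "eno2.100", "link": "eno2", "operstate": "UP",
     "addr_info": []},
])


def audit_passthrough_nics(ip_json: str, vm_nics: Iterable[str]) -> Dict[str, List[str]]:
    """Return a list of findings per NIC that is attached to the firewall VM.

    An empty list means the NIC passed both checks:
      * no global-scope address is configured on the host side, so host
        services cannot be reached over the segment the VM faces;
      * the NIC is a physical port, not a VLAN sub-interface, so WAN traffic
        is not carried as a tag across a shared switch.
    Link-local IPv6 addresses are auto-assigned and are not reported.
    """
    ifaces = {entry["ifname"]: entry for entry in json.loads(ip_json)}
    report: Dict[str, List[str]] = {}
    for nic in vm_nics:
        findings: List[str] = []
        entry = ifaces.get(nic)
        if entry is None:
            findings.append("interface not present on host")
            report[nic] = findings
            continue
        for addr in entry.get("addr_info", []):
            if addr.get("scope") == "global":
                findings.append(
                    f"host has global {addr['family']} address "
                    f"{addr['local']}/{addr.get('prefixlen')} on this NIC")
        # `ip -j` reports the parent device under "link" for VLAN sub-interfaces.
        if "link" in entry:
            findings.append(
                f"VLAN sub-interface of {entry['link']}: WAN would traverse a tagged trunk")
        report[nic] = findings
    return report


def audit_live_host(vm_nics: Iterable[str]) -> Dict[str, List[str]]:
    """Run the same audit against the real host's `ip -j addr show` output."""
    out = subprocess.run(["ip", "-j", "addr", "show"],
                         capture_output=True, text=True, check=True).stdout
    return audit_passthrough_nics(out, vm_nics)


if __name__ == "__main__":
    # Demo on the constructed sample; replace with audit_live_host([...]) on a real host.
    for nic, findings in audit_passthrough_nics(
            SAMPLE_IP_JSON, ["eno1", "eno2", "eno2.100", "eno9"]).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{nic}: {status}")
```

Run it on the hypervisor with the names of the NICs you selected under "Nic to attach"; any NIC that reports a global host address or a VLAN parent is one where the host's own services, or the switch carrying the tag, sit on the Internet-facing side rather than behind the virtual firewall.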