What are the good free virtualization options now?

Status
Not open for further replies.

scurrier

Patron
Joined
Jan 2, 2014
Messages
297
I've been reading about how ESXi is crippled now because you cannot manage your VMs after 60 days. Hyper-V does not have good FreeBSD support.

People seem to talk about free virtualizing like it's still an option. In my research, I have not found what those options are. Are people pirating it or something? (Which I don't want to do)

ESXi's terrible website is not making understanding this much easier...

Hyper-V's difficult setup is not making me too hot on their proclaimed future FreeBSD support...

I am not suggesting virtualizing FreeNAS, but I am thinking about virtualizing pfSense.

So what are the good options out there? Or are there none? Is everyone that is still virtualizing just using an old version of ESXi? Are those still available for legit download somewhere?

Thanks for answering my newb questions.
 

ser_rhaegar

Patron
Joined
Feb 2, 2014
Messages
358
I use ESXi 5.1U1, due to HP firmware blocking DirectIO/pass-through in newer versions. You can download 5.1 AFAIK without issue from VMware.

Also I used 5.5 and I saw nothing that would prevent me from using it after 60 days with the free version. Just make sure to not create VMs using HW10. Use HW9 or older.

I love Hyper-V, I run over 50 instances of it in many clusters at work. However I'm not a fan of its non-Windows support. I do have a few Linux VMs on 2012 hosts (postfix/gitlab) but had issues on 2008R2 hosts depending on the network config. Hyper-V is where my expertise lies, which is why I use ESXi at home (trying to keep up on alternative options).

Never used any other bare-metal hypervisors (e.g. Xen).
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
I'm using ESXi 5.1. 5.5 has the mess you explained. I know XenServer and the others are pretty good, with some people claiming they are superior to ESXi.

I will warn you that pfSense shouldn't be virtualized. Security devices should never be virtualized, so you're better off making a small pfSense box out of an Intel Atom or equivalent. I use pfSense with an Intel D2500CC motherboard and have no problems.
 

xcom

Contributor
Joined
Mar 14, 2014
Messages
125
cyberjock said:
> I'm using ESXi 5.1. 5.5 has the mess you explained. I know XenServer and the others are pretty good, with some people claiming they are superior to ESXi.
>
> I will warn you that pfSense shouldn't be virtualized. Security devices should never be virtualized, so you're better off making a small pfSense box out of an Intel Atom or equivalent. I use pfSense with an Intel D2500CC motherboard and have no problems.

+1 on this.

On the other hand, Xen is somewhat dying out, at least in the corporate world. Now it is KVM.
I use oVirt.
www.ovirt.org
 

bigphil

Patron
Joined
Jan 30, 2014
Messages
486
cyberjock said:
> Security devices should never be virtualized

You better contact every manufacturer that creates virtual appliances and break the news to them (Cisco, Barracuda, Juniper, Fortinet, etc.) ;)
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Why? Do you think they care if you'll buy it. Their job is to make money. And if you are stupid enough to buy a virtualized security appliance, then so be it. Plenty of markets have been created because of demand by people that shouldn't be in a position to make the decision what to buy.

And believe me, if things go south and the choice to virtualize compromises your network like I saw in a previous life, the vendor will have no problem giving you enough information to make you realize you were stupid to virtualize. I asked our vendor point blank "so virtualizing wasn't a good idea for this, huh?" and he responded with "to be honest... well, I won't say that... I'll just say that we do sell this same product in a non-virtualized environment for a reason".

So hang yourself with poor choices if you so desire. I won't miss any sleep over it when you get pwned.
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
Data centers virtualize networks all the time...

My router and Web filter are virtualized. So, sorry, I have to disagree with you

Sent from my Nexus 5
 

bigphil

Patron
Joined
Jan 30, 2014
Messages
486
cyberjock said:
> Why? Do you think they care if you'll buy it. Their job is to make money. And if you are stupid enough to buy a virtualized security appliance, then so be it. Plenty of markets have been created because of demand by people that shouldn't be in a position to make the decision what to buy.
>
> And believe me, if things go south and the choice to virtualize compromises your network like I saw in a previous life, the vendor will have no problem giving you enough information to make you realize you were stupid to virtualize. I asked our vendor point blank "so virtualizing wasn't a good idea for this, huh?" and he responded with "to be honest... well, I won't say that... I'll just say that we do sell this same product in a non-virtualized environment for a reason".
>
> So hang yourself with poor choices if you so desire. I won't miss any sleep over it when you get pwned.

That's just flat out subjective, man. There might be slightly less attack surface of a non-virtualized setup, but the big name hypervisors are pretty damn security conscious and hardened for deploying virtual appliances so I would call that a moot point. Without real data to back up your claim...and I'm not talking about your vendor story because I would bet money that he wasn't the software engineer creating the stuff, or some shmuck on a blog that doesn't develop the stuff, let's leave it at that. Anything that runs code can be compromised...simple as that. One is not better than the other.
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
bigphil said:
> That's just flat out subjective, man. There might be slightly less attack surface of a non-virtualized setup, but the big name hypervisors are pretty damn security conscious and hardened for deploying virtual appliances so I would call that a moot point. Without real data to back up your claim...and I'm not talking about your vendor story because I would bet money that he wasn't the software engineer creating the stuff, or some shmuck on a blog that doesn't develop the stuff, let's leave it at that. Anything that runs code can be compromised...simple as that. One is not better than the other.

You want real-world examples.. just google "ESXi escape to hypervisor". Feel free to substitute your favorite hypervisor too. If you read the stuff on ESXi, they tell you flat out that there are always risks for security breaches and for that reason "consider your use case for virtualization for security devices". If you start doing more research the general recommended options in this order are:

1. Never virtualize security software, PERIOD.
2. Never virtualize a "border". For example, VPN servers, firewalls, and often antivirus servers if your firewall settings come from a central server that your company manages.
3. Virtualize everything and put your faith in the hypervisor being secure.

If you are part of any entity that has any kind of serious auditing requirements, you almost de-facto should be doing #1. When you are dealing with millions of dollars worth of company secrets, etc it's more cost effective to throw an extra server(s) out there and not virtualize. The cost to benefit ratio leans so heavily into the benefit category you look like a fool to do anything else.

So yeah, feel free to do your own reading. This isn't the "debate security of ESXi" forums so I won't say more on the topic. I provide the most secure recommendations. If you choose to do less, that's totally your call. But, I won't play games like that with *other* people's setup. I make the conservative recommendation and you can either take it or leave it.
 

bigphil

Patron
Joined
Jan 30, 2014
Messages
486
cyberjock said:
> You want real-world examples.. just google "ESXi escape to hypervisor". Feel free to substitute your favorite hypervisor too. If you read the stuff on ESXi, they tell you flat out that there are always risks for security breaches and for that reason "consider your use case for virtualization for security devices". If you start doing more research the general recommended options in this order are:
>
> 1. Never virtualize security software, PERIOD.
> 2. Never virtualize a "border". For example, VPN servers, firewalls, and often antivirus servers if your firewall settings come from a central server that your company manages.
> 3. Virtualize everything and put your faith in the hypervisor being secure.
>
> If you are part of any entity that has any kind of serious auditing requirements, you almost de-facto should be doing #1. When you are dealing with millions of dollars worth of company secrets, etc it's more cost effective to throw an extra server(s) out there and not virtualize. The cost to benefit ratio leans so heavily into the benefit category you look like a fool to do anything else.
>
> So yeah, feel free to do your own reading. This isn't the "debate security of ESXi" forums so I won't say more on the topic. I provide the most secure recommendations. If you choose to do less, that's totally your call. But, I won't play games like that with *other* people's setup. I make the conservative recommendation and you can either take it or leave it.

Googled it...can't find much that is relevant to current versions of ESXi. There are some articles on escaping older and unpatched versions. I could go dig up the same kind of garbage on an out-of-date Cisco firewall that could be compromised.

The main problem here is that people are either a) too lazy to implement proper security across a virtual platform (don't update at all software levels, have never heard of something called vShield, don't know how to properly configure anything, etc.) or b) too cheap to upgrade and stay current on software. A nice whitepaper from the current VMware employee that is the keeper of the vSphere hardening guide. Like I said, anything that is running code can be broken and problems arise 99.999% of the time because morons don't update or update in a timely manner (or are too stupid to set it up correctly in the first place).

Also...I'm not playing any games with other people's setups. I'm saying they need not be scared of security virtualization if they are competent in the technology.

The only thing I'll concede here is that for the typical IT moron, it might be (little faith in most users' ability) easier to configure hardware for edge security services and that in return might make it more secure. I won't keep going on this subject so no need to lock 'er down.

joeschmuck said:
> Hey, no name calling ;)

hahaha! Sorry @joeschmuck ;-)
 

scurrier

Patron
Joined
Jan 2, 2014
Messages
297
Looks like I'm late to my own party here. Thanks for all the suggestions on hypervisors. Looks like ESXi 5.1 is what I should be looking for. What are the major things lost by using 5.1 instead of 5.5? I can't imagine there is anything major, maybe driver support, but perhaps there is something that people commonly bump up against.

As far as security of virtualizing pfSense. I'm no expert, obviously. From my reading it seems that virtualizing pfSense is common even in business scenarios. If I was a business, I probably wouldn't do it, just because you're introducing the possibility of holes in the hypervisor in addition to the possibility of holes in the router. Mis-configuration is also at higher risk. Businesses could spend the money to avoid these risks by adding an additional server. But for me, I am a home user and might be OK with some small incremental risk if it saves me $500.

The following serverfault question on this topic has a post from Chris Buechler, co-founder of pfSense, in it:
http://serverfault.com/questions/338666/is-there-danger-to-virtualizing-a-router

Here's the relevant quote from Chris:
> The arguments people generally have against that are security of the hypervisor itself, which history has pretty much proven isn't much of a concern. That could always change, but there haven't yet been any really significant recurring hypervisor security issues. Some people just refuse to trust it, for no good reason. It's not about attacking other hosts if someone owns the firewall, in that case it doesn't matter where it's running, and of all the things that are likely to get compromised, the firewall is WAY down the list unless you do something stupid like open its management to the entire Internet with the default password set. Those people have some irrational fear that there's going to be some magic "root ESX" packet sent in from the Internet through one of its bridged interfaces that's somehow going to do something to the hypervisor. That's extraordinarily unlikely, there are millions of more likely ways your network is going to get compromised.
>
> Numerous production datacenters run pfSense in ESX, I've setup probably in excess of 100 myself alone. Our firewalls run in ESX. From all those experiences, the only couple slight drawbacks to virtualizing your firewalls are: 1) if your virtualization infrastructure goes down, you're not going to be able to get to it to troubleshoot if you aren't physically at that location (mostly applicable to colo datacenters). This should be very rare, especially if you have CARP deployed with one firewall per physical host. I do see scenarios on occasion where this happens though, and someone has to physically go to the location to see what's wrong with their hypervisor as their virtual firewall and only path in is down too. 2) More prone to configuration mistakes that could pose security issues. When you have a vswitch of unfiltered Internet traffic, and one or multiple of private network traffic, there are a few possibilities for getting unfiltered Internet traffic dropped into your private networks (potential impact of which would vary from one environment to another). They're very unlikely scenarios, but far more likely than making the same kind of screw up in an environment where the completely untrusted traffic is not connected in any fashion to internal hosts.
>
> Neither of those should keep you from doing it - just be careful to avoid scenario 1 outages especially if this is sitting in a datacenter where you don't have ready physical access if you lose the firewall.

I don't know if his expertise fully covers virtualization security. Also, you could argue that he has an interest in people virtualizing and getting support from him. But the points themselves seem pretty fair.
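The second drawback in the quote above, a LAN portgroup or a non-firewall VM ending up on the vSwitch that carries raw Internet traffic, is a configuration mistake you can check for mechanically. The script below is an added example written for this thread, not code from pfSense, VMware or anyone in the discussion. It audits a hand-built inventory of portgroups and VMs against four rules (only the WAN portgroup lives on the untrusted vSwitch, only the firewall has a vNIC there, the firewall straddles WAN and LAN, and nothing on the untrusted vSwitch is promiscuous or trunks all VLANs). The `PortGroup`/`Vm` types, the `audit` function and both sample inventories are assumptions made for the example; a real audit would populate the inventory from the host (esxcli or the vSphere API), which this script does not call.

```python
"""Audit an ESXi-style vSwitch layout for a virtualized edge firewall.

Added example for the thread; not from pfSense or VMware. The inventories
below are constructed by hand to mirror a typical two-vSwitch layout.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PortGroup:
    name: str
    vswitch: str
    vlan: int = 0              # 0 = untagged, 4095 = ESXi "all VLANs" trunk
    promiscuous: bool = False  # security-policy override on the portgroup


@dataclass(frozen=True)
class Vm:
    name: str
    nics: tuple                # names of the portgroups its vNICs attach to


def audit(portgroups, vms, wan_pg, firewall_vm):
    """Return a list of findings; an empty list means the layout is clean."""
    by_name = {pg.name: pg for pg in portgroups}
    if wan_pg not in by_name:
        raise ValueError(f"unknown WAN portgroup {wan_pg!r}")
    wan_vswitch = by_name[wan_pg].vswitch
    findings = []

    # Rule 1: the untrusted vSwitch carries nothing but the WAN portgroup.
    for pg in portgroups:
        if pg.vswitch == wan_vswitch and pg.name != wan_pg:
            findings.append(f"portgroup {pg.name} shares vSwitch {wan_vswitch} with {wan_pg}")

    # Rule 2: no VM other than the firewall touches the WAN portgroup.
    for vm in vms:
        if wan_pg in vm.nics and vm.name != firewall_vm:
            findings.append(f"VM {vm.name} has a vNIC on {wan_pg}")

    # Rule 3: the firewall really does straddle WAN and at least one LAN portgroup.
    fw = next((vm for vm in vms if vm.name == firewall_vm), None)
    if fw is None or wan_pg not in fw.nics:
        findings.append(f"firewall {firewall_vm} has no vNIC on {wan_pg}")
    elif len(fw.nics) < 2:
        findings.append(f"firewall {firewall_vm} has no LAN-side vNIC")

    # Rule 4: nothing on the untrusted vSwitch is promiscuous or trunks every VLAN.
    for pg in portgroups:
        if pg.vswitch == wan_vswitch and (pg.promiscuous or pg.vlan == 4095):
            findings.append(f"portgroup {pg.name} on {wan_vswitch} is promiscuous or trunks all VLANs")
    return findings


# Constructed sample inventories (hypothetical, not taken from any real host).
CLEAN_PGS = (
    PortGroup("WAN", "vSwitch0"),
    PortGroup("LAN", "vSwitch1", vlan=10),
    PortGroup("Management Network", "vSwitch1", vlan=20),
)
CLEAN_VMS = (
    Vm("pfsense", ("WAN", "LAN")),
    Vm("freenas", ("LAN",)),
)

# The mistake described in the thread: a LAN portgroup and a storage VM
# landed on the vSwitch that carries unfiltered Internet traffic.
SLOPPY_PGS = (
    PortGroup("WAN", "vSwitch0"),
    PortGroup("LAN", "vSwitch0", vlan=10),
    PortGroup("Management Network", "vSwitch1", vlan=20),
)
SLOPPY_VMS = (
    Vm("pfsense", ("WAN", "LAN")),
    Vm("freenas", ("WAN", "LAN")),
)


def main():
    for label, pgs, vms in (("clean", CLEAN_PGS, CLEAN_VMS), ("sloppy", SLOPPY_PGS, SLOPPY_VMS)):
        findings = audit(pgs, vms, "WAN", "pfsense")
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)


if __name__ == "__main__":
    main()
```

The rules are deliberately structural rather than packet-level: they catch the "unfiltered traffic dropped into a private network" case at the inventory, before any traffic flows, which is the only place a home user without a second box can enforce the separation a physical firewall gets for free.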
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
He makes valid points. Doesn't make him right and the "other side of the story" wrong. You gotta do what you think is best. Some people swear by ESXi (and virtualization in general). Many security professionals would quit their job if a boss said they wanted to do that. The government has a very strict no-virtualizing-security-products policy, PERIOD.

The real question is, if you do this for a business and they are compromised because of this, are you okay with them firing you for it? I mean, this happens.. regularly, for many companies.

As for 5.1 versus 5.5, 5.5 has some newer drivers, a bunch of old hardware support removed, and supports 64GB of RAM on the free version (5.1 is only 32GB).
 

diehard

Contributor
Joined
Mar 21, 2013
Messages
162
5.5 finally ups the size limit of VMDKs.. that alone was enough for me to jump on ASAP.
 

gpsguy

Active Member
Joined
Jan 22, 2012
Messages
4,472
Are you using the free version?

To get the added features, you must be using hardware version 10. Do you ever edit the settings? Are you manually editing the .VMX files? Or do you use Workstation 10 to edit them?

Like others here, for the free version, I normally stick with ESXi 5.1. I realize that for my use, even if I chose HW v10, I could downgrade it by editing the .VMX file, so I could use the GUI.

diehard said:
> 5.5 finally ups the size limit of VMDKs.. that alone was enough for me to jump on ASAP.
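The .VMX edit mentioned in the post above is a plain-text substitution, but it is only safe when nothing in the VM depends on the newer hardware level. The script below is an added example, not code from VMware or from anyone in the thread. It treats the .vmx as the `key = "value"` lines it actually is, rewrites `virtualHW.version`, and refuses to go below 10 when a `sataN.present = "TRUE"` controller is configured, since the AHCI SATA controller is the one vHW 10 dependency named later in this thread. The sample .vmx content is constructed for the example, and the rule that any other device would survive the downgrade is an assumption; edit only a powered-off VM and keep a copy of the original file.

```python
"""Downgrade the virtual hardware version recorded in an ESXi .vmx file.

Added example for the thread; not VMware's code. A .vmx is a text file of
'key = "value"' lines, so the change is a substitution guarded by a check
for the one device (AHCI SATA) known from the thread to need vHW 10.
"""
import re

# Matches one .vmx entry, e.g.  ide1:0.present = "TRUE"
VMX_LINE = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text):
    """Return the .vmx entries as a dict of key -> value (last one wins)."""
    entries = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            entries[m.group(1)] = m.group(2)
    return entries


def downgrade_vmx(text, target=9):
    """Return the .vmx text with virtualHW.version lowered to `target`.

    Returns the input unchanged if the VM is already at or below `target`
    and raises ValueError if a SATA (AHCI) controller makes it unsafe.
    """
    entries = parse_vmx(text)
    current = int(entries.get("virtualHW.version", "0"))
    if current <= target:
        return text

    # The AHCI SATA controller only exists from vHW 10 onward (see the thread);
    # a VM carrying one would not boot on vHW 9, so refuse instead of guessing.
    sata = sorted(
        k for k, v in entries.items()
        if re.fullmatch(r"sata\d+\.present", k) and v.upper() == "TRUE"
    )
    if target < 10 and sata:
        raise ValueError(
            f"cannot downgrade below vHW 10: SATA controller present ({', '.join(sata)})"
        )

    out = []
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m and m.group(1) == "virtualHW.version":
            out.append(f'virtualHW.version = "{target}"')
        else:
            out.append(line)  # every other line is preserved byte for byte
    return "\n".join(out) + "\n"


# Constructed sample .vmx content (hypothetical, not from a real VM).
SAMPLE_VMX = '''.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "10"
displayName = "pfsense"
memSize = "1024"
scsi0.present = "TRUE"
scsi0.virtualDev = "lsilogic"
ethernet0.present = "TRUE"
ethernet0.networkName = "WAN"
ethernet1.present = "TRUE"
ethernet1.networkName = "LAN"
'''

SAMPLE_VMX_SATA = SAMPLE_VMX + 'sata0.present = "TRUE"\n'


def main():
    print(downgrade_vmx(SAMPLE_VMX))
    try:
        downgrade_vmx(SAMPLE_VMX_SATA)
    except ValueError as e:
        print("refused:", e)


if __name__ == "__main__":
    main()
```

After writing the file back, the host still has the old hardware level cached for a registered VM, so unregister and re-register it (or reload it) before expecting the legacy client to show the settings dialog again.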
 

diehard

Contributor
Joined
Mar 21, 2013
Messages
162
Whoops, no, sorry, using ESXi 5.5 Enterprise with a vSphere server.. with VM Version 10 you can still use a GUI, it just has to be the web UI that VMware is pushing these days.
 

gpsguy

Active Member
Joined
Jan 22, 2012
Messages
4,472
vSphere Web Access is only available with the paid version.

The message thread was about free options. Yes, I know one can License 5.5 for free, but if one wants to take advantage of version 10 features, editing the settings can be challenging.


Sent from my phone
 

diehard

Contributor
Joined
Mar 21, 2013
Messages
162
I don't actually believe you need VM version 10 to use the larger VMDKs.. Version 9 should work
62TB VMDK:
  • Supported on VMFS5 or NFS (NFS depends on array supported maximum file size)
  • No specific virtual hardware requirement (except if you want to use the AHCI SATA controller, which requires vHW v10)
  • Requires ESXi 5.5
  • 62TB Virtual Mode RDMs also supported (vRDM)

You can use ESXi 5.5 and keep your VMs the same hardware version (Also you can create new ones to Version 9 with some trickery) and use the vCenter application to manage them still.
 

gpsguy

Active Member
Joined
Jan 22, 2012
Messages
4,472
diehard said:
> ... and use the vCenter application to manage them still.

I presume you meant to say the vSphere client. vCenter requires $$$.

I'm quite familiar with ESX/ESXi, having managed it in a commercial setting since the 3.x days.
 