On Fri, May 31, 2013 at 5:11 PM, Edward Ned Harvey (bblisa4) <[email protected]> wrote:

> Be aware, that for a security device, you're not supposed to run it as a
> VM, just because you might be vulnerable to hypervisor attacks and so
> forth. But as long as you take that into consideration - I do it myself.

(Sorry, Ned, meant to reply on-list, but just replied to you.)

That's not a very compelling argument. I've been at firms that deployed VM-based security devices and passed audits. Plenty of vendors have OVA/OVF versions of their appliances. You have to secure your hypervisor layer, just like you have to secure the physical environment for physical hardware devices.

Aaron - not knowing your budget, it's tough to make recommendations. At my last place, we used these:
http://www.juniper.net/us/en/products-services/security/vgw-series/

But that's just a firewall, AFAIK - it doesn't also handle remote access/VPN.

On Fri, May 31, 2013 at 5:11 PM, Edward Ned Harvey (bblisa4) <[email protected]> wrote:

> > From: [email protected] [mailto:[email protected]] On
> > Behalf Of Aaron Macks
> >
> > I'm going to be setting up a small stand-alone virtual environment soon.
> > My instinct is to make a VM based on iptables and ipmasq to act as a
> > gateway/firewall for the rest of the VMs, but it occurs to me that there
> > may now be better virtual firewalls out there. Note that it doesn't
> > have to be a virtual appliance that just gets uploaded and booted,
> > something installable is fine, but I want something more specialized
> > than plain Linux. Does anyone have any suggestions?
>
> Be aware, that for a security device, you're not supposed to run it as a
> VM, just because you might be vulnerable to hypervisor attacks and so
> forth. But as long as you take that into consideration - I do it myself.
>
> I recommend and use pfSense. (There are others out there, such as
> monowall, which I think pfsense is based on, but I prefer pfsense over
> monowall.)
>
> > Required features: VPN (IPSEC ideally, SSL-based acceptable, PPTP not
> > acceptable), port forwarding, NAT, other normal firewall stuff
>
> For site-to-site, the IPSec is present, and ideal. For mobile
> connectivity, IPsec can be used ... but it's not ideal due to complexity of
> configuring clients, and difficulty finding good clients. For mobile
> connectivity, I would say look at openvpn instead (or in addition to) the
> ipsec mobilevpn solution. It's SSL based. In the pfsense, you can install
> the openvpn plugin (I forget what it's called exactly, but if you just look
> under the installable modules page, you should find it easily.) Then with
> a few clicks on the web interface, you create your CA, you create some
> users, create certs for those users, and download the per-user config files
> and cert files needed by the openvpn client or tunnelblick.
>
> _______________________________________________
> bblisa mailing list
> [email protected]
> http://www.bblisa.org/mailman/listinfo/bblisa

_______________________________________________
bblisa mailing list
[email protected]
http://www.bblisa.org/mailman/listinfo/bblisa
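As an added example (not from the thread or any of its participants), this is the plain-Linux iptables gateway Aaron describes, covering the features he lists: NAT for the guest VMs, a port forward to one guest, a default-deny policy, and inbound IKE/ESP and OpenVPN for a VPN terminated on the gateway itself. Interface names, the guest subnet, the forwarded host and the management port are assumptions.

```bash
#!/bin/sh
# Constructed example: iptables-restore ruleset for a Linux VM acting as the
# gateway/firewall for other VMs. Interface names, addresses and the
# forwarded service are assumptions, not values from the thread.
# The gateway also needs: sysctl -w net.ipv4.ip_forward=1
WAN=eth0                 # assumed uplink interface
LAN=eth1                 # assumed interface facing the guest VMs
LAN_NET=10.10.0.0/24     # assumed guest VM subnet
WEB_VM=10.10.0.20        # assumed guest that should receive forwarded TCP/443

# Emit the ruleset as text so it can be reviewed (or tested) before
# `gen_rules | iptables-restore` applies it as root.
gen_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Port forwarding: TCP/443 arriving on the uplink goes to one guest VM
-A PREROUTING -i $WAN -p tcp --dport 443 -j DNAT --to-destination $WEB_VM:443
# NAT: guests share the gateway's uplink address
-A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Management only from the guest side, never from the uplink
-A INPUT -i $LAN -p tcp --dport 22 -j ACCEPT
# VPN terminated on the gateway: IPsec (IKE, NAT-T, ESP) and OpenVPN (SSL)
-A INPUT -i $WAN -p udp --dport 500 -j ACCEPT
-A INPUT -i $WAN -p udp --dport 4500 -j ACCEPT
-A INPUT -i $WAN -p esp -j ACCEPT
-A INPUT -i $WAN -p udp --dport 1194 -j ACCEPT
# Forwarded traffic: guests out, replies back, and only the DNATed service in
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN -o $LAN -d $WEB_VM -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Number of INPUT rules that accept new traffic from the uplink (the exposed surface)
wan_accepts() { gen_rules | grep -c -- "-A INPUT -i $WAN .*-j ACCEPT"; }

gen_rules
```

Traffic arriving through the VPN tunnel interface still needs its own FORWARD rules, which this ruleset deliberately leaves out; review `wan_accepts` whenever a rule is added, since every line it counts is a service reachable from the uplink.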
