RE: [pfSense-discussion] xen aware pfsense.
http://rationalsecurity.typepad.com/blog/2008/04/the-four-horsem.html is a good intro to the issues of trying to make that scale.

> From: Adam Van Ornum [greatb...@hotmail.com]
> Sent: 29 January 2009 00:30
> To: discussion@pfsense.com
> Subject: RE: [pfSense-discussion] xen aware pfsense.
>
> I think what he is saying is not having pfSense run as a domU guest, rather running it as the dom0 host. The idea being then that all of the virtual machines running in domU would therefore be protected by the pfSense dom0 host.
>
>> Date: Wed, 28 Jan 2009 16:50:50 -0700
>> From: aoz@gmail.com
>> To: discussion@pfsense.com
>> Subject: Re: [pfSense-discussion] xen aware pfsense.
>>
>> On Wed, Jan 28, 2009 at 16:19, pfsense sense pfse...@kavadas.org wrote:
>>> point taken but it wouldn't be adding [file | virtual | foo] server features, it would only be pfsense -- VT
>>> i'm no security expert, in any stretch of the imagination, I would have expected that the suggested addition of a dom0 would/could be fully protected, due to dom0 sitting behind pfsense, thus making the point of security a moot point.
>>
>> You're being inconsistent, and that may be due to a language barrier. If I read this correctly, my first understanding of your original post may have been correct: you want to run pfSense as a domU guest. If that is the case, the point still stands that running a network security appliance as a virtualized guest is a bad idea, but there's nothing stopping you from doing it as long as your virtualization host supports HVM or unmodified guests. Xen-hvm, qemu+kqemu, kvm, VMWare, Parallels, and VirtualBox all do that.
>>
>> Throwing aside performance concerns, here's an example of one of the potential security hazards: your virtualized firewall system gets compromised. If the firewall is running on dedicated hardware, the attacker now has much wider (but still network-bound) access to your internal services. If running as a virtual guest, the attacker has the following additional choices:
>> - DoS the other guests by consuming as much CPU/disk/memory as possible
>> - Attack the host (dom0) or hypervisor directly, thereby gaining higher-than-root access to all the rest of the guest systems.
>>
>> The reverse is also true - the virtual firewall may be attacked in much the same way. Having a hypervisor running underneath a guest OS does not make security a moot point; rather, it increases complexity and attack surfaces, effectively reducing security.
>>
>> RB

-
To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com
For additional commands, e-mail: discussion-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
RE: [pfSense-discussion] xen aware pfsense.
> I think he understood,

He did :-).

> but was suggesting other virtualization ideas that he felt would be a more rewarding use of developer resources.

Indeed, and stay within the scope of what Scott et al have delivered with bells on over the past several years.

Greg
RE: [pfSense-discussion] xen aware pfsense.
As the others have said, it depends on what you mean by 'integrate'.

Ignoring the lack of Xen dom0 support in FreeBSD for a moment. Utilising VT technology to deliver physical as well as logical isolation of multiple concurrent PFSense instances in a manner analogous to Fortinet VDOM: http://kc.forticare.com/default.asp?id=2065Lang=1SID= or Juniper VSYS: http://www.juniper.net/solutions/literature/white_papers/200103.pdf does have a certain attraction from a managed service perspective.

Hosting applications within domUs running on PFSense. A complete waste of time.

Greg

> From: pfsense sense [pfse...@kavadas.org]
> Sent: 28 January 2009 00:42
> To: discussion@pfsense.com
> Subject: [pfSense-discussion] xen aware pfsense.
>
> has anyone considered the possibility of integrating xen with pfsense ? i might be losing my mind but wouldn't it be nice to have a pfsense running on hardware and a virtualization environment that allows us to install our OS's of choice perfectly protected behind pfsense ? does anyone else think it's a good idea ?
Re: [pfSense-discussion] xen aware pfsense.
Ignoring the lack of Xen dom0 support in FreeBSD for a moment, of course.

On Thu, Jan 29, 2009 at 9:13 AM, pfsense sense pfse...@kavadas.org wrote:
>> multiple concurrent PFSense instances
>
> no, you have also missed my point... i'm not interested in virtualizing pfsense
> my idea was to provide VT options, a dom0, alongside pfsense... as it is available in Linux.
>
>                           | OS -- service (file)
> cloud -- pfsense -- VT -- | OS -- service (mail)
>                           | OS -- service (database)
>
> On Wed, Jan 28, 2009 at 7:38 PM, Greg Hennessy greg.henne...@nviz.net wrote:
>> As the others have said, it depends on what you mean by 'integrate'.
>>
>> Ignoring the lack of Xen dom0 support in FreeBSD for a moment. Utilising VT technology to deliver physical as well as logical isolation of multiple concurrent PFSense instances in a manner analogous to Fortinet VDOM: http://kc.forticare.com/default.asp?id=2065Lang=1SID= or Juniper VSYS: http://www.juniper.net/solutions/literature/white_papers/200103.pdf does have a certain attraction from a managed service perspective.
>>
>> Hosting applications within domUs running on PFSense. A complete waste of time.
>>
>> Greg
>>
>>> From: pfsense sense [pfse...@kavadas.org]
>>> Sent: 28 January 2009 00:42
>>> To: discussion@pfsense.com
>>> Subject: [pfSense-discussion] xen aware pfsense.
>>>
>>> has anyone considered the possibility of integrating xen with pfsense ? i might be losing my mind but wouldn't it be nice to have a pfsense running on hardware and a virtualization environment that allows us to install our OS's of choice perfectly protected behind pfsense ? does anyone else think it's a good idea ?
Re: [pfSense-discussion] xen aware pfsense.
I think he understood, but was suggesting other virtualization ideas that he felt would be a more rewarding use of developer resources.

To me, it sounds like you want the feature set of pfsense available on a platform that runs virtual machines... for example, having a pfSense option in VMware to complement the NAT and HostOnly networking options.

I don't think it's a bad idea, I just don't think it should be a direction pfSense travels. I think pfSense is an amazing project that has pushed its way past the usefulness of several commercial offerings, and that diluting it with additions to virtualize on top of it would take away from its core purpose.

If there are situations that merit combining all these features (pfSense, VMs) into one device, perhaps there's also another solution that would allow them to be separate, and still solve the problem?

-Adrian

> ----- Original Message -----
> From: pfsense sense pfse...@kavadas.org
> To: discussion@pfsense.com
> Sent: Wednesday, January 28, 2009 5:13:42 PM GMT -05:00 US/Canada Eastern
> Subject: Re: [pfSense-discussion] xen aware pfsense.
>
>> multiple concurrent PFSense instances
>
> no, you have also missed my point... i'm not interested in virtualizing pfsense
> my idea was to provide VT options, a dom0, alongside pfsense... as it is available in Linux.
>
>                           | OS -- service (file)
> cloud -- pfsense -- VT -- | OS -- service (mail)
>                           | OS -- service (database)
>
> On Wed, Jan 28, 2009 at 7:38 PM, Greg Hennessy greg.henne...@nviz.net wrote:
>> As the others have said, it depends on what you mean by 'integrate'.
>>
>> Ignoring the lack of Xen dom0 support in FreeBSD for a moment. Utilising VT technology to deliver physical as well as logical isolation of multiple concurrent PFSense instances in a manner analogous to Fortinet VDOM: http://kc.forticare.com/default.asp?id=2065Lang=1SID= or Juniper VSYS: http://www.juniper.net/solutions/literature/white_papers/200103.pdf does have a certain attraction from a managed service perspective.
>>
>> Hosting applications within domUs running on PFSense. A complete waste of time.
>>
>> Greg
>>
>>> From: pfsense sense [pfse...@kavadas.org]
>>> Sent: 28 January 2009 00:42
>>> To: discussion@pfsense.com
>>> Subject: [pfSense-discussion] xen aware pfsense.
>>>
>>> has anyone considered the possibility of integrating xen with pfsense ? i might be losing my mind but wouldn't it be nice to have a pfsense running on hardware and a virtualization environment that allows us to install our OS's of choice perfectly protected behind pfsense ? does anyone else think it's a good idea ?
Re: [pfSense-discussion] xen aware pfsense.
On Wed, Jan 28, 2009 at 15:31, pfsense sense pfse...@kavadas.org wrote:
> Ignoring the lack of Xen dom0 support in FreeBSD for a moment, of course.

I definitely misunderstood your original post, my apologies. That being said, there isn't and doesn't soon look to be much motion within FreeBSD to provide dom0 support; even Linux hasn't had a recent kernel supporting it since 2.6.18, and the release scheduled for 2.6.29 may actually be pushed back to 2.6.30. Beyond that, it seems only qemu+kqemu has made it into the BSD space, which doesn't leave many good options for running pfSense as the root of a virtualized system. The general response I see from the FBSD camp to root-virtualization requests is "man 8 jail". NetBSD has recent dom0 support, but switching to that isn't very likely.

Adrian has a good point - pfSense is a network security platform, and adding [file | virtual | foo] server features will only serve to dilute the focus and create superfluous support issues.

Greg had another good point - multiple parallel pfSense instances like VDOM/VSYS might be the way to go, but serving as a general hosting platform far exceeds the purpose of pfSense.
Re: [pfSense-discussion] xen aware pfsense.
point taken but it wouldn't be adding [file | virtual | foo] server features, it would only be pfsense -- VT

i'm no security expert, in any stretch of the imagination, I would have expected that the suggested addition of a dom0 would/could be fully protected, due to dom0 sitting behind pfsense, thus making the point of security a moot point.

but then again, i'm no security expert.

On Thu, Jan 29, 2009 at 10:00 AM, RB aoz@gmail.com wrote:
> On Wed, Jan 28, 2009 at 15:31, pfsense sense pfse...@kavadas.org wrote:
>> Ignoring the lack of Xen dom0 support in FreeBSD for a moment, of course.
>
> I definitely misunderstood your original post, my apologies. That being said, there isn't and doesn't soon look to be much motion within FreeBSD to provide dom0 support; even Linux hasn't had a recent kernel supporting it since 2.6.18, and the release scheduled for 2.6.29 may actually be pushed back to 2.6.30. Beyond that, it seems only qemu+kqemu has made it into the BSD space, which doesn't leave many good options for running pfSense as the root of a virtualized system. The general response I see from the FBSD camp to root-virtualization requests is "man 8 jail". NetBSD has recent dom0 support, but switching to that isn't very likely.
>
> Adrian has a good point - pfSense is a network security platform, and adding [file | virtual | foo] server features will only serve to dilute the focus and create superfluous support issues.
>
> Greg had another good point - multiple parallel pfSense instances like VDOM/VSYS might be the way to go, but serving as a general hosting platform far exceeds the purpose of pfSense.
Re: [pfSense-discussion] xen aware pfsense.
On Wed, Jan 28, 2009 at 16:19, pfsense sense pfse...@kavadas.org wrote:
> point taken but it wouldn't be adding [file | virtual | foo] server features, it would only be pfsense -- VT
> i'm no security expert, in any stretch of the imagination, I would have expected that the suggested addition of a dom0 would/could be fully protected, due to dom0 sitting behind pfsense, thus making the point of security a moot point.

You're being inconsistent, and that may be due to a language barrier. If I read this correctly, my first understanding of your original post may have been correct: you want to run pfSense as a domU guest. If that is the case, the point still stands that running a network security appliance as a virtualized guest is a bad idea, but there's nothing stopping you from doing it as long as your virtualization host supports HVM or unmodified guests. Xen-hvm, qemu+kqemu, kvm, VMWare, Parallels, and VirtualBox all do that.

Throwing aside performance concerns, here's an example of one of the potential security hazards: your virtualized firewall system gets compromised. If the firewall is running on dedicated hardware, the attacker now has much wider (but still network-bound) access to your internal services. If running as a virtual guest, the attacker has the following additional choices:
- DoS the other guests by consuming as much CPU/disk/memory as possible
- Attack the host (dom0) or hypervisor directly, thereby gaining higher-than-root access to all the rest of the guest systems.

The reverse is also true - the virtual firewall may be attacked in much the same way. Having a hypervisor running underneath a guest OS does not make security a moot point; rather, it increases complexity and attack surfaces, effectively reducing security.

RB
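The first of RB's two hazards, a compromised firewall guest starving its neighbours, is the one a domU's own configuration can at least bound. The two fragments below are an added example, not code from this thread or from pfSense: the keys are Xen's xl.cfg(5) syntax, while the guest name, bridge names, disk path and physical core number are assumed values.

```conf
# Added example, not from the thread. xl.cfg(5) fragments for a pfSense HVM
# domU; guest name, bridges, disk path and core number are assumed values.

# --- Weak: nothing bounds what a compromised guest may consume -------------
name     = "pfsense-fw"
type     = "hvm"                     # 'builder = "hvm"' on Xen older than 4.10
memory   = 512
maxmem   = 8192                      # guest may balloon up towards host RAM
vcpus    = 4                         # competes with dom0 and every other guest
vif      = [ 'bridge=xenbr-wan', 'bridge=xenbr-lan' ]
disk     = [ 'format=raw, vdev=xvda, access=rw, target=/var/lib/xen/pfsense.img' ]

# --- Corrected: fixed footprint, pinned and capped CPU ----------------------
name       = "pfsense-fw"
type       = "hvm"
memory     = 512
maxmem     = 512                     # no ballooning beyond the allocation
vcpus      = 1
maxvcpus   = 1                       # no hot-added vCPUs either
cpus       = "3"                     # pinned to one physical core; keep dom0
                                     # pinned elsewhere (dom0_vcpus_pin) for this
                                     # to isolate anything
cpu_weight = 256                     # credit-scheduler default weight
cap        = 100                     # never more than 100% of one physical CPU
vif        = [ 'bridge=xenbr-wan', 'bridge=xenbr-lan' ]
disk       = [ 'format=raw, vdev=xvda, access=rw, target=/var/lib/xen/pfsense.img' ]
# Deliberately no pci = [ ... ] passthrough: direct device access would widen
# the guest-to-hypervisor surface RB's second bullet is about.
```

Disk I/O is not throttled by anything in xl.cfg, and none of these caps touch the hypervisor attack surface, which is the part of RB's argument no guest setting removes.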
[pfSense-discussion] xen aware pfsense.
has anyone considered the possibility of integrating xen with pfsense ? i might be losing my mind but wouldn't it be nice to have a pfsense running on hardware and a virtualization environment that allows us to install our OS's of choice perfectly protected behind pfsense ? does anyone else think it's a good idea ?
Re: [pfSense-discussion] xen aware pfsense.
Something akin to this idea was discussed a while ago, and the best practice would be to steer clear of it. It's not always advantageous to put all your eggs in one basket (sorry for the overused analogy). Ideally, if you need something as complex as what pfSense provides, you would be better off implementing physically separate devices. Combining them all creates too great a point of failure, and dilutes the goals of pfSense development. This is my experience from my background.

Thanks,
Adrian

> ----- Original Message -----
> From: pfsense sense pfse...@kavadas.org
> To: discussion@pfsense.com
> Sent: Tuesday, January 27, 2009 7:42:18 PM GMT -05:00 US/Canada Eastern
> Subject: [pfSense-discussion] xen aware pfsense.
>
> has anyone considered the possibility of integrating xen with pfsense ? i might be losing my mind but wouldn't it be nice to have a pfsense running on hardware and a virtualization environment that allows us to install our OS's of choice perfectly protected behind pfsense ? does anyone else think it's a good idea ?
Re: [pfSense-discussion] xen aware pfsense.
On Tue, Jan 27, 2009 at 17:42, pfsense sense pfse...@kavadas.org wrote:
> has anyone considered the possibility of integrating xen with pfsense ? i might be losing my mind but wouldn't it be nice to have a pfsense running on hardware and a virtualization environment that allows us to install our OS's of choice perfectly protected behind pfsense ? does anyone else think it's a good idea ?

Regardless of what virtual appliance vendors would like to tell you, network security solutions aren't particularly well-suited for virtualization. Response times will never be as good as those on the raw hardware, and there are more subtle concerns with the added complexity, particularly in failover situations. Even more disconcerting is exposing the hypervisor within which the rest of your presumably sensitive infrastructure runs to edge security concerns.

That said, there's nothing stopping you from running on an HVM-aware solution - I personally use Linux KVM on a Phenom 98xx, and Xen has at least some HVM support.
Re: [pfSense-discussion] xen aware pfsense.
i'm not suggesting pfsense be run inside a VM, i am suggesting pfsense provide VM functionality

i'm fully aware of VMs' shortcomings, i manage a 14TB ESX cluster

let me say that again... i am suggesting pfsense provide VM functionality

cloud -- pfsense -- os -- service

On Wed, Jan 28, 2009 at 2:03 PM, RB aoz@gmail.com wrote:
> On Tue, Jan 27, 2009 at 17:42, pfsense sense pfse...@kavadas.org wrote:
>> has anyone considered the possibility of integrating xen with pfsense ? i might be losing my mind but wouldn't it be nice to have a pfsense running on hardware and a virtualization environment that allows us to install our OS's of choice perfectly protected behind pfsense ? does anyone else think it's a good idea ?
>
> Regardless of what virtual appliance vendors would like to tell you, network security solutions aren't particularly well-suited for virtualization. Response times will never be as good as those on the raw hardware, and there are more subtle concerns with the added complexity, particularly in failover situations. Even more disconcerting is exposing the hypervisor within which the rest of your presumably sensitive infrastructure runs to edge security concerns.
>
> That said, there's nothing stopping you from running on an HVM-aware solution - I personally use Linux KVM on a Phenom 98xx, and Xen has at least some HVM support.
Re: [pfSense-discussion] xen aware pfsense.
On Tue, Jan 27, 2009 at 10:15 PM, pfsense sense pfse...@kavadas.org wrote:
> i'm not suggesting pfsense be run inside a VM, i am suggesting pfsense provide VM functionality
>
> i'm fully aware of VMs' shortcomings, i manage a 14TB ESX cluster
>
> let me say that again... i am suggesting pfsense provide VM functionality
>
> cloud -- pfsense -- os -- service

It certainly is an intriguing idea. This tweet caught my attention earlier today: http://twitter.com/Taggerz/statuses/1152928366

Scott
Re: [pfSense-discussion] xen aware pfsense.
On Tue, Jan 27, 2009 at 10:15 PM, pfsense sense pfse...@kavadas.org wrote:
> i'm not suggesting pfsense be run inside a VM, i am suggesting pfsense provide VM functionality

Refer back to my earlier post.