On Sat, Feb 5, 2011 at 02:54, Mark Jones <[email protected]> wrote:
> Well, I hear of people running pfSense in a VM, and I wonder how do you avoid
> exposing the host OS to the network? How can a firewall be run in a VM and
> not leave the host OS hanging out to be attacked? Or, go the other way and
> put the VM in the FreeBSD used by pfSense since there is plenty of excess CPU
> and memory to do the trick. Only getting vmware to run on pfSense FreeBSD
> might be difficult (I haven't actually tried it) given the very few pieces of
> FreeBSD that are present in a pfSense environment.
>

It actually depends on the hypervisor being used. Most hypervisors allow limiting access to a physical NIC you choose. In addition, many hypervisors also have firewalls. Finally, hypervisor controllers (e.g., VMware's vCenter or XenServer's XenCenter) need a password to access the hypervisor. Use a strong password here to prevent brute-force attacks.

> Yes, I agree that having a jabber server on the firewall is less secure than
> not having a jabber server, but I question it being less secure than having
> it on my internal server. If it is on the pfSense box and becomes
> compromised, the hacker will need pfSense skills to get any further, then
> they will need an additional set of skills to get at my primary servers. If
> I open the ports that the jabber server uses, then they have access to my
> primary servers via the jabber server software because the firewall is
> permitting connections into and out of the network on those ports.
>

If the jabber server has a severe security hole/vulnerability like remote code execution, they don't need pfSense skills. They would be able to get down to the FreeBSD OS itself.

> Admittedly running log digesting software increases the attack surface if
> those programs actually use networking services, but if they are
> self-contained, the attack surface doesn't change. Adding a website (like
> say the pfSense PHP website interface) increases my exposure as well, but yet
> we do it to facilitate easy configuration.....
>

An app does not need to use networking services to be a security problem. If the app is unstable, it might cause unexpected problems with other processes in memory.

> If this analysis is wrong, please someone point out where it is wrong. This
> assumes that the jabber server only opens the ports for XMPP and nothing
> else, no management ports etc.....
>
>

--
Pandu E Poluan
~ IT Optimizer ~
Visit my Blog: http://pepoluan.posterous.com
