It sounds to me like the comments here are largely appropriate; virtualizing firewalls in the limited context that has been explained probably isn't a really good idea...at least due to perceived load. Additionally, if there are that many firewalls being run, instead of numerous interfaces in a fewer number of machines, you're going to continue to have problems being able to virtualize enough hardware network interfaces.

However, I don't fully agree with the sentiment that running a firewall in a virtual machine (let's be specific, VMWare ESX) guest environment. I'm running my firewall on an ESX 3.0.2 guest, and it works perfectly fine. That being said, you have to be aware of the VM configuration. The majority of vulnerabilities in VMWare are patchable (so yes, someone needs to do maintenance), but are also issues that affect the VMKernel or service console, and with careful planning, the vulnerabilities can largely be prevented from being used as exploits on external interfaces.

And one final note...although I am a fan of virtualization (I work for the company that owns VMWare), I really, really wish they did not have so many freaking patches...

Kent Watsen wrote:
Some commercial firewalls (i.e. Juniper/NetScreen ScreenOS-based gear) have been offering virtual-systems for years now. I think the negative comments received here may be appropriate when sharing the system with non-secure guest OSs, but it seems that it might be alright if it's nothing but firewalls.

Cheers,
Kent


Josh wrote:
Hello there.

We have a bunch of obsd firewalls, 8 at the moment, all working nice and so forth. But we need to add about another 4 in there for new connections and networks, which means more machines to find room for.

So basically I have been asked to investigate running all these firewalls in two big boxes, with lots of NICs, with a bunch of openbsd virtual machines on them. One main box for the primary firewalls, one for the secondary. Each virtual machine getting its own physical NIC.

Personally I don't really like the idea, I can see things going wrong, lots of stuff balancing on a guest os and box.

Can someone please inform me if this is a really bad idea or not, ideally with some nice reasoning?


Cheers,
   Josh
