2009/5/21  <obiozorok...@yahoo.com>:

> I'll have to re-think this but I
> honestly thought (I guess I'm wrong) that if I my first OpenBSD VM image
> running on ESXi as my strong firewall I would be ok. Basically its just a
> virtualization of my physical environment but all on one box with 3 VM images.
> So my idea was to have second OpenBSD image (not the firewall OpenBSD image)
> running with Samba as my Domain Controller and File server, and Email server
> and then the third Windows VM running just the custom app. I figured that as
> long as all the 'Net traffic hit my first OpenBSD VM and was properly filtered
> and controlled by pf, spam greylisting, brute force checked, etc I would be
> ok? No?

There are some strategic issues with virtualising a firewall.

What should be the simplest, most rock solid member of your network is
now on the same hardware as <foo> virtual machines. If one of the
application servers is compromised then it's *possible* that the
VMware server itself could be compromised, rendering the firewall VM
under the control of The Bad Guys. If one of the VMs screws the pooch
and takes down the server then you've not only lost the ability to
communicate with those servers, you've lost the ability to communicate
with your firewall. If one of the application VMs isn't configured
with proper resource limits then performance on the firewall will drop
under periods of heavy traffic. For that matter, you've already
introduced overhead on throughput of the firewall by forcing traffic
to be received by the VM OS before it's received by OpenBSD. If the VM
server is compromised then the things that can be done to traffic
without ever actually disrupting the firewall are almost certainly fun
fun fun (in all fairness, I haven't tried mucking with traffic on
ESX/i, this is based entirely in speculation).

I'm sure there are obvious things that I'm missing but these are the
ones that blast the loudest through my brain when I think about
virtualising a firewall. As I stated before, I have done it and there
are a few that I maintain - and they do their job well - but that
doesn't mean I condone the practice in general and it surely doesn't
suggest that I think it's something that should be done on a whim or
with a light attitude. It is dangerous and unsupported and you need to
understand there is significant risk in doing so.

kmw

--
To take from one, because it is thought that his own industry and that
of his fathers has acquired too much, in order to spare to others,
who, or whose fathers have not exercised equal industry and skill, is
to violate arbitrarily the first principle of association, 'the
guarantee to every one of a free exercise of his industry, & the
fruits acquired by it.'
