[Gllug] Security from scratch or just stick with Astaro?

John Edwards john at cornerstonelinux.co.uk
Fri Apr 11 15:13:14 UTC 2008


On Fri, Apr 11, 2008 at 07:58:54AM +0100, Nix wrote:
> On 8 Apr 2008, John Edwards uttered the following:
>> Think about what happens to the packets. They arrive at the host
>> system and are processed by its TCP/IP stack. This has to pass it
>> onto the VM system's virtual network interface, and then onto the
>> guest OS (eg Linux running IPCop or Astaro).
>>
>> So you are still open to attacks on the host's TCP/IP stack and the
>> VM system, in addition to the guest OS.
> 
> ... and if they're running the same kernel version, that doesn't
> increase your vulnerability surface much (the only increase I can see is
> that any vulnerabilities in the guest tun driver could be exploited.
> You're not going to be able to avoid running a driver for your physical
> network card and TCP/IP stack *somewhere*.)

Thanks Nix, for your postings on using User Mode Linux and bridged
network interfaces to allow a firewall inside a virtual machine.
Very inventive.

Am I right in assuming that this is a hand-crafted solution rather
than an off-the-shelf system such as the Astaro firewall that the
original poster had used?

In another email you say "running firewalls on a VM is not uncommon".
I would be interested to learn about any commercial or open source
systems that use them.


>> And that assumes that the host is running no other services or guest
>> VMs. Are you going to be running SSH to manage the host OS? If so that
>> could be attacked.
> 
> Not if you firewall it off and have it listening only on an interface
> bridged to your local net (as opposed to bridging to the outside world).
> You can have more than one network interface, y'know :)
> 
>> A perimeter firewall is part of your network infrastructure and needs
>> to be presented to incoming packets before they arrive at your
>> network.
> 
> That's physically impossible, of course. Your perimeter firewall is
> *part* of your network.

By "network" I was referring to the "Local Area Network" (and optional
DMZ), where all the nice hackable things such as Windows boxes and
printers live. A perimeter firewall will intercept traffic before
it reaches them.

Having the LAN, DMZ and incoming internet traffic on physically
separate networks with a firewall in between them is a simple way of
separating the traffic. It's also easier to visualise and comprehend
- RED cable goes to internet router, ORANGE to DMZ, GREEN to LAN.

With a virtual machine firewall there is the possibility that a
mistake will let them mix. Sure it's a theoretical possibility and a
smart sysadmin should be able to stop that from happening, but we're
not all smart all the time, especially on a Friday afternoon.


> Obviously services that you don't want exposed
> past the firewall shouldn't be, well, exposed past the firewall...

A default deny policy for incoming traffic is standard on almost all
firewalls.

>> If the host system is already running other VMs or services and can
>> not be a dedicated firewall, then I have a couple of spare old PCs
>> that have run IPCop perfectly in the past that you are welcome to.
> 
> Oh yeah. More power consumption and noise. Just what I for one need.

These boxes use under 50W and have no CPU fans (IBM & Viglen).

If you really want lots of noise and heat then might I recommend
an Intel Core 2 Quad with a big NVidia graphics card for that fine
"living next to Heathrow Airport" feeling?

;)


-- 
#---------------------------------------------------------#
|    John Edwards   Email: john at cornerstonelinux.co.uk    |
#---------------------------------------------------------#
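As an added example (not code from this thread, nor from IPCop or Astaro), a minimal iptables script for the RED/ORANGE/GREEN layout and the default-deny, manage-only-from-GREEN behaviour discussed above. The interface names and address ranges are assumed placeholders for a three-NIC box.

```shell
#!/bin/sh
# Added example: three-colour default-deny firewall in the IPCop style.
# Interface names and address ranges are assumptions, not from the thread.
RED=eth0                  # cable to the internet router
ORANGE=eth1               # DMZ
GREEN=eth2                # LAN
GREEN_NET=192.168.1.0/24  # constructed sample ranges
ORANGE_NET=192.168.2.0/24

# apply_rules: load the ruleset. Set IPT=echo to print it instead.
apply_rules() {
    ipt=${IPT:-iptables}
    # Start clean, then default deny so a forgotten rule fails closed.
    $ipt -F; $ipt -t nat -F
    $ipt -P INPUT DROP; $ipt -P FORWARD DROP; $ipt -P OUTPUT ACCEPT

    # Loopback, plus replies to connections the firewall or LAN opened.
    $ipt -A INPUT -i lo -j ACCEPT
    $ipt -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Management: SSH to the firewall only from GREEN, never RED or ORANGE.
    $ipt -A INPUT -i "$GREEN" -s "$GREEN_NET" -p tcp --dport 22 -j ACCEPT

    # Trust flows one way: GREEN -> ORANGE, GREEN -> RED, ORANGE -> RED.
    # Nothing arriving on RED is forwarded in, and ORANGE cannot reach
    # GREEN, so a compromised DMZ host gets no path to the LAN.
    $ipt -A FORWARD -i "$GREEN"  -o "$ORANGE" -s "$GREEN_NET"  -j ACCEPT
    $ipt -A FORWARD -i "$GREEN"  -o "$RED"    -s "$GREEN_NET"  -j ACCEPT
    $ipt -A FORWARD -i "$ORANGE" -o "$RED"    -s "$ORANGE_NET" -j ACCEPT

    # Hide the private ranges behind the RED address.
    $ipt -t nat -A POSTROUTING -o "$RED" -j MASQUERADE
}
```

Run `apply_rules` as root on a box with `net.ipv4.ip_forward=1` set; `IPT=echo apply_rules` prints the rules without loading them, which is a cheap way to review the policy before a Friday-afternoon change.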
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug