[Gllug] Security from scratch or just stick with Astaro?

Nix nix at esperi.org.uk
Sat Apr 12 22:58:28 UTC 2008


On 11 Apr 2008, John Edwards said:
> On Fri, Apr 11, 2008 at 07:58:54AM +0100, Nix wrote:
>> ... and if they're running the same kernel version, that doesn't
>> increase your vulnerability surface much (the only increase I can see is
>> that any vulnerabilities in the guest tun driver could be exploited.
>> You're not going to be able to avoid running a driver for your physical
>> network card and TCP/IP stack *somewhere*.)
>
> Thanks Nix, for your postings on using User Mode Linux and bridged
> network interfaces to allow a firewall inside a virtual machine.
> Very inventive.

Inventive? Hardly. Using *two* VMs and having the outermost one run the
firewall but no userspace *is* unique to me, as far as I know: I've
since come to the conclusion that this is because it isn't actually very
helpful from a security perspective. Most attackers just want to be able
to do stuff I already allow people behind the firewall to do (e.g. send
mail, only it's spam): they generally don't want to reconfigure the
firewall, so going to such lengths to block it is pointless.

Ah well, that's how we learn :)

> Am I right in assuming that this is a hand-crafted solution rather
> than an off-the-shelf system such as the Astaro firewall that the
> original poster had used?

This one happens to be, but I'd be astonished if nobody had a firewall
UML image or VMWare image or something like that, or a distro or livecd
that did such things. (I just haven't looked for one, because, well,
I've already got one.)

> In another email you say "running firewalls on a VM is not uncommon".
> I would be interested to learn about any commercial or open source
> systems that use them.

It's a tiny step from hosting on a VM to running a firewall on one, and
hosting on UML is biggish business now... and of course building
everything on a firewall with -fstack-protector-all -D_FORTIFY_SOURCE=2
is downright ordinary. (I had to stop running digsig because it's
years-unmaintained, the crypto API changed out from underneath it, and
as Al Viro has pointed out it's not actually terribly useful because an
attacker can just write an ELF loader in some random sufficiently-
capable scripting language if they want. If they're dumping ELF binaries
on non-noexec parts of your firewall you're dead anyway, even if they
can't run those binaries without a signature; there are lots of other
interesting things that can't be signed that they can mess with.)

I'm wondering about trying it atop QEMU, if only because QEMU has
datestamped rollbackable disk images, which seems like it would be
*really* damn useful post-intrusion (`oh look, I've been attacked, I'll
diff against yesterday's image to see what the attacker did').


(Other people doing similar things, well, I'm not sure because I haven't
asked. I'm fairly sure chiark runs, or ran, a similar system. I don't
know if anyone's tried running a VM with the main disk image mirrored
off a CD and sha256-hashed to provide a stable base to refresh from if
an attacker gets in. I don't know how well it works, because, touch
wood, nobody's got in yet.

At least, nobody's got in yet that I can *tell*.)

>>> A perimeter firewall is part of your network infrastructure and needs
>>> to be presented to incoming packets before they arrive at your
>>> network.
>> 
>> That's physically impossible, of course. Your perimeter firewall is
>> *part* of your network.
>
> By "network" I was referring to the "Local Area Network" (and optional
> DMZ). Where all the nice hackable thing such as Windows boxes and
> printers live. A perimeter firewall will intercept traffic before
> it reaches them.

Ah, right. In that case that's what this is. It's just that the physical
host running the firewall VM can do other stuff as well and doesn't need
to be constrained to running the tiny selection of stuff that a firewall
should run, because the only parts of it that are exposed to the
Internet are the layer-2 Ethernet drivers.

> Having the LAN, DMZ and incoming internet traffic on physically
> separate networks with a firewall in between them is a simple way of
> separating the traffic. It's also easier to visualise and comprehend
> - RED cable goes to internet router, ORANGE to DMZ, GREEN to LAN.

Yep. You could consider the firewall VM to be a DMZ, I suppose: it's the
place which takes extra expensive precautions to prevent attacks
succeeding (like -fstack-protector-all, and avoiding prelink to ensure
distinct randomizations of every process).

> With a virtual machine firewall there is the possibility that a
> mistake will let them mix. Sure it's a theoretical possibility and a

It's still a possibility, yes. It's just much smaller than the
downsides, for me at least.

>> Obviously services that you don't want exposed
>> past the firewall shouldn't be, well, exposed past the firewall...
>
> A default deny policy for incoming traffic is standard on almost all
> firewalls.

Indeed. (Even mine, which has a default allow for most outgoing traffic
because dammit I trust everyone who's supposed to be on here, and the
crackers probably could reconfigure the firewall anyway if they really
wanted to, which they generally don't).

>>> If the host system is already running other VMs or services and can
>>> not be a dedicated firewall, then I have a couple of spare old PCs
>>> that have run IPCop perfectly in the past that you are welcome to.
>> 
>> Oh yeah. More power consumption and noise. Just what I for one need.
>
> These boxes use under 50W and have no CPU fans (IBM & Viglen).

True ;}

> If you really want lots of noise and heat then might I recommend
> an Intel Core 2 Quad with a big NVidia graphics card for that fine
> "living next to Heathrow Airport" feeling?

Oh, I had a running Netra t102 in my bedroom for five years. The bedroom
was very, very small (about three times the size of the very narrow
bed), and the Netra was atop a cupboard, acting as a nice sounding board
for its tiny 1U-high jet-engine fans, their edges ionising the air with
sheer speed. I know about noise. ;}


(I can't get to sleep without a fan humming, so the system running that
firewall VM is actually in my bedroom. Three big slow fans and a
four-disk RAID array provide enough white noise to let me nod off,
while being much quieter than the Netra was. As a side benefit, if
anything goes seriously wrong or a cracker gets in and starts bashing
the system I'll probably hear it and wake up: I've found several bugs
over the last few years by waking up when the bug-induced change in disk
access patterns started. Most people can't afford this level of security
monitoring though. ;} )

-- 
`The rest is a tale of post and counter-post.' --- Ian Rawlings
                                                   describes USENET
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
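The post's "diff against yesterday's image to see what the attacker did" and "sha256-hashed ... stable base to refresh from" describe one workflow: keep a manifest of hashes of a known-good tree, and compare the live tree against it after (or when you suspect) an intrusion. The script below is an added example written for this page, not code from the post or from Nix's setup. It assumes GNU coreutils (`sha256sum`, `find`, `sort`) and stands in two plain directories for the QEMU disk images the post talks about (a mounted known-good image and the live root, say); the file contents and the "attacker" changes in `demo` are constructed for the demonstration. It generalises slightly beyond the post: it classifies every difference as added, removed or modified, rather than producing a raw diff.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a sha256 manifest of a
# known-good tree and lists what changed in a later tree relative to it.
# Assumes GNU coreutils (sha256sum, find, sort). Directory names and sample
# files below are hypothetical.
set -eu

# manifest DIR OUT: one "<sha256>  ./relative/path" line per regular file
# under DIR, sorted by path, written to OUT.
manifest() {
    dir=$1; out=$2
    ( cd "$dir" && find . -type f -exec sha256sum {} + ) \
        | LC_ALL=C sort -k 2 > "$out"
}

# compare BASE CUR: print "added/modified/removed PATH" for every path whose
# presence or hash differs between the two manifests, sorted for stable output.
compare() {
    base=$1; cur=$2
    awk '
        # sha256sum output is "<64 hex chars><two spaces><path>"; the path may
        # contain spaces, so slice by position rather than splitting on blanks.
        { hash = substr($0, 1, 64); path = substr($0, 67) }
        # First file (the base manifest): remember each path -> hash.
        # Compare FILENAME rather than NR==FNR so an empty base file is safe.
        FILENAME == ARGV[1] { basehash[path] = hash; next }
        # Second file (the live manifest): classify each path.
        {
            if (!(path in basehash))         printf "added    %s\n", path
            else if (basehash[path] != hash) printf "modified %s\n", path
            seen[path] = 1
        }
        END { for (p in basehash) if (!(p in seen)) printf "removed  %s\n", p }
    ' "$base" "$cur" | LC_ALL=C sort
}

# demo: constructed "yesterday" and "today" trees with three simulated
# attacker changes, then the report. Returns the report on stdout.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/base/etc" "$tmp/base/usr/bin"
    printf 'ACCEPT tcp 22\n'        > "$tmp/base/etc/firewall.rules"
    printf '#!/bin/sh\necho sshd\n' > "$tmp/base/usr/bin/sshd"
    cp -R "$tmp/base" "$tmp/live"                     # today starts identical

    # Simulated intrusion on the live tree (constructed, not real data):
    printf 'ACCEPT tcp 4444\n' >> "$tmp/live/etc/firewall.rules"  # rule added
    printf '#!/bin/sh\n'        > "$tmp/live/usr/bin/ls"          # binary dropped in
    rm "$tmp/live/usr/bin/sshd"                                   # binary removed

    manifest "$tmp/base" "$tmp/base.sha256"           # would live on read-only media
    manifest "$tmp/live" "$tmp/live.sha256"
    compare "$tmp/base.sha256" "$tmp/live.sha256"
    rm -rf "$tmp"
}

demo
```

The base manifest is only as trustworthy as where it is kept: the post's suggestion of a CD-mirrored image is the point, since an attacker who can write to the live tree can also rewrite a manifest stored alongside it. Note also that this hashes contents only; a changed mode, owner or timestamp on an unchanged file is not reported, so extend the manifest line (for example with `stat -c '%a %U'`) if those matter to you.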