Linux – Firewall with Virtual Machines

firewalllinuxnetworkingSecurityvirtual-machines

I'm trying to set up a Firewall in a VM in my enviroment where the Network Cards (Wifi and various Ethernet) are in separate VMs, so that the Firewall VM is between the NetVMs and my host system.

The problem is the packets coming in the Firewall have the NetVM ip as source address, so I can't, for example, use balcklists with iptables to drop packets from bad malicious sources.

I've been suggested to use port mirroring to copy packets, but I want to forward the packets directly and don't have the Kernel in the NetVMs to process them.

I have to decide between these two options:

use 'iptables' rules on every machine to filter the incoming traffic and use a Firewall to handle only the internal scheme, knowing I can't control and maintain all the machines connected
filter all the traffic in the Firewall VM.

If I have to set up the iptables and install Psad, Snort and other tools on every NetVM the Firewall loses its sense.

If the packets are forwarded before the the Kernel processes them if a Bug in the Stack Code is exploited, the only machine to get compromised is the Firewall one, which remains 'isolated' from the system and I have to check only one system and at most backup/maintain/reinstall only one VM in the wrong case, and the NetVMs and the Firewall VM can use a minimal kernel for their specific scopes.

This is related also to the cases in which I can't control one or more NetVMs and I can't expect the machine is clean or do a proper filtering.

How are this situation handled with hardware devices?

Best Answer

Sounds like you need to research networking in general, internet security and the virtual networking in your VM environment in particular.

It sounds like you don't want to use the firewall on your VM host because you're afraid an exploitable bug in that code would make your whole VM environment vulnerable. Is that right? That sounds awkward, because any packets have to go through the VM host anyway, by definition.

It sounds like you want a VM who's only job is to be the firewall, and you want all connections with the outside to go through that, including connections to the VM host.

The way I do it, is by running a simple firewall on the VM host and any other tools on other hosts, using port mirroring or something similar as needed.

The hardware equivalent is Internet <-> switch <-> firewall <-> switch <-> computers. Or was that not what you were asking?

You could do that by connecting the hardware nic to a virtual bridge and not connecting the VM host to that bridge, then connecting the firewall to that bridge, making a second internal virtual bridge, and connecting the firewall, all the other VMs and your VM host to that. You can substitute "bridge" for whatever virtual switch, net, hub, etc... you use in your environment.

One concern I see with this is the potential for a self-inflicted denial of service attack. You'll really want some kind of back-channel access so you don't lock yourself out.

Also, this is all running in software on the VM host anyway, so the extra complexity might be worse than the risk you're trying to avoid.

(added later)

I put firewalls on all my hosts. I try to set things up with the assumption that bad guys are already inside my local net. I use automation (puppet, ansible, salt) so it's really not a headache.

(back to original)

Finally, the internet is a giant ball of chaos, and it will always be attacking you. Detecting attackers and actively defending against them is only marginally useful. If you block an IP because it's sending an attack, remember that IP might be a NAT that also serves your users.

Attacks are a natural feature of the internet, like bears in the woods. The way to defend against bears, is to secure your food really well, not stay up all night with a gun. The way to defend against the internet is to keep your software patched, your firewall sane, your users educated etc..., not actively respond to attackers.

Related Solutions

Firewall – Virtual environment firewall with CSF + iptables rules on VM

My advice is to perform the following on the hardware node:

If your HN has two interfaces, configure them both as bridges (in my case I have vmbr0 and vmbr1)
In the csf.conf, configure your ETH_DEVICE as "vmbr+"

Create a file called csfpost.sh in /etc/csf/ that simply allows forwarding:

#!/bin/sh 
IPT=/sbin/iptables 
$IPT -F FORWARD
$IPT -P FORWARD ACCEPT

Now your HN is protected on all interfaces, but will transparently pass traffic to and from your containers.
Configure your containers with CSF to keep them protected.

Notes
Make sure the modules needed for CSF are available to your VE's by placing the following in your /etc/vz/vz.conf:

 IPTABLES="iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_conntrack ipt_state ipt_helper iptable_nat ip_nat_ftp ip_nat_irc ipt_REDIRECT"

Also make sure that your value for "numiptent" value is around 256 or higher, the default or 128 will cause CSF to half-load on your VE's (see /proc/user_bean_counters to see if you're hitting the numiptent limit)

I've also added the above netfilter modules to my /etc/modules (1 per line). I'm not entirely sure if this is necessary. Hope this helps!

Why Firewall Servers – Importance and Benefits

Advantages of firewall:

You can filter outbound traffic.
Layer 7 firewalls (IPS) can protect against known application vulnerabilities.
You can block a certain IP address range and/or port centrally rather than trying to ensure that there is no service listening on that port on each individual machine or denying access using TCP Wrappers.
Firewalls can help if you have to deal with less security aware users/administrators as they would provide second line of defence. Without them one has to be absolutely sure that hosts are secure, which requires good security understanding from all administrators.
Firewall logs would provide central logs and help in detecting vertical scans. Firewall logs can help in determining whether some user/client is trying to connect to same port of all your servers periodically. To do this without a firewall one would have to combine logs from various servers/hosts to get a centralized view.
Firewalls also come with anti-spam / anti-virus modules which also add to protection.
OS independent security. Based on host OS, different techniques / methods are required to make the host secure. For example, TCP Wrappers may not be available on Windows machines.

Above all this if you do not have firewall and system is compromised then how would you detect it? Trying to run some command 'ps', 'netstat', etc. on local system can't be trusted as those binaries can be replaced. 'nmap' from a remote system is not guaranteed protection as an attacker can ensure that root-kit accepts connections only from selected source IP address(es) at selected times.

Hardware firewalls help in such scenarios as it is extremely difficult to change firewall OS/files as compared to host OS/files.

Disadvantages of firewall:

People feel that firewall will take care of security and do not update systems regularly and stop unwanted services.
They cost. Sometimes yearly license fee needs to be paid. Especially if the firewall has anti-virus and anti-spam modules.
Additional single point of failure. If all traffic passes through a firewall and the firewall fails then network would stop. We can have redundant firewalls, but then previous point on cost gets further amplified.
Stateful tracking provides no value on public-facing systems that accept all incoming connections.
Stateful firewalls are a massive bottleneck during a DDoS attack and are often the first thing to fail, because they attempt to hold state and inspect all incoming connections.
Firewalls cannot see inside encrypted traffic. Since all traffic should be encrypted end-to-end, most firewalls add little value in front of public servers. Some next-generation firewalls can be given private keys to terminate TLS and see inside the traffic, however this increases the firewall's susceptibility to DDoS even more, and breaks the end-to-end security model of TLS.
Operating systems and applications are patched against vulnerabilities much more quickly than firewalls. Firewall vendors often sit on known issues for years without patching, and patching a firewall cluster typically requires downtime for many services and outbound connections.
Firewalls are far from perfect, and many are notoriously buggy. Firewalls are just software running on some form of operating system, perhaps with an extra ASIC or FPGA in addition to a (usually slow) CPU. Firewalls have bugs, but they seem to provide few tools to address them. Therefore firewalls add complexity and an additional source of hard-to-diagnose errors to an application stack.

Best Answer

Related Solutions

Firewall – Virtual environment firewall with CSF + iptables rules on VM

Why Firewall Servers – Importance and Benefits

Related Topic