The pfSense Store

Author Topic: VMware - better security with vt-d PCI pass throug  (Read 1745 times)

0 Members and 1 Guest are viewing this topic.

Offline Tubs

  • Jr. Member
  • **
  • Posts: 36
  • Karma: +0/-0
    • View Profile
VMware - better security with vt-d PCI pass throug
« on: December 15, 2012, 12:43:16 pm »
Hallo,

I know. A firewall should run on bare metal for security reason. If it runs in as virtual machine (VMware, XEN, ...) the host could be attacked.

But as a home user I also have to take care about the WAF (women acceptance factor). And here the possible number of boxes is limited. Additionally it saves energy to run couple of machines as virtual machine in only one box.

Now I am interested in if it gives more security when the box supports vt-d PCI pass through and if I forward the NIC directly to the VM with pfsense? In this case the possibility to attack the host is reduced. Or am I wrong?

Offline wallabybob

  • Hero Member
  • *****
  • Posts: 5240
  • Karma: +10/-1
    • View Profile
Re: VMware - better security with vt-d PCI pass throug
« Reply #1 on: December 16, 2012, 01:55:29 pm »
I don't know the specifics of VMware but it seems to me that "PCI passthrough" (where a guest operating system has exclusive control of a device) should overcome the objection to running firewalls in virtual machines: the host OS becomes vulnerable to attack if it is doing packet handling before the firewall.

The passthough can help in configuration: the pfSense forums have a number of reports of people who have had trouble configuring their "virtual networking" in a VM environment.

Offline Tubs

  • Jr. Member
  • **
  • Posts: 36
  • Karma: +0/-0
    • View Profile
Re: VMware - better security with vt-d PCI pass throug
« Reply #2 on: December 18, 2012, 01:58:37 pm »
I don't know the specifics of VMware but it seems to me that "PCI passthrough" (where a guest operating system has exclusive control of a device) should overcome the objection to running firewalls in virtual machines:

This is what I guess. Gut guessing means not knowing. So, I'm loocking for someone who knows if pci pass through of the NIC to the gues with pfsense will bring more security.

Offline matguy

  • Full Member
  • ***
  • Posts: 253
  • Karma: +0/-0
    • View Profile
Re: VMware - better security with vt-d PCI pass throug
« Reply #3 on: December 18, 2012, 03:22:07 pm »
In theory land, sure, VT-d might theoretically give you a lower attack surface, but in reality, it shouldn't be any more secure than a standard vNIC / vSwitch setup as long as your WAN connection doesn't also have the VMWare Service Console available on it, which it shouldn't.  In the theoretical order of attack surfaces, having a separate vSwitch with just the one pfSense firewall WAN side connected internally and a physical NIC should be the next best secure level; followed by a WAN port group and using VLAN's to separate out your WAN traffic.

All of those, however, in reality land, should be perfectly secure, especially for a home.

Someone correct me if I'm wrong, but I'm pretty sure that security hasn't been historically the main push for using pfSense on bare metal, but more of the performance in high bandwidth situations.  People might get the knee jerk reaction for security, or make that kind of decision based on a policy in a company, but there are relatively few, if any, attacks that would be exploitable because pfSense was running on a VM.  Now, there could be some kind of Denial Of Service attack that could possibly be exploitable, but I haven't seen any of those either.

A lot of very large companies run servers on VMWare ESX hosts, some of these companies have very over-the-top security practices, and they're fine with VMWare.

Unless you're worried about actually saturating a Gb NIC with traffic, I would not put out the extra expense nor effort to run the WAN NIC via VT-d.  At this point, I don't think anyone could point to a real reason to claim that networking in VMWare is insecure ("real reason" equals demonstratable exploits, not FUD.)

Just to re-state, though, please don't advertise your VMWare Service Console to the outside world, though.  That's not secure.