[BBLISA] Advice on a firewall Virtual Appliance

Matt Finnigan mfinnigan at gmail.com
Fri May 31 17:19:18 EDT 2013


On Fri, May 31, 2013 at 5:11 PM, Edward Ned Harvey (bblisa4) <
bblisa4 at nedharvey.com> wrote:

>
> Be aware, that for a security device, you're not supposed to run it as a
> VM, just because you might be vulnerable to hypervisor attacks and so
> forth.  But as long as you take that into consideration - I do it myself.
>
> (Sorry, Ned, meant to reply on-list, but just replied to you.)

 That's not a very compelling argument. I've been at firms that deployed
VM-based security devices and passed audits. Plenty of vendors have OVA/OVF
versions of their appliances. You have to secure your hypervisor layer,
just like you have to secure the physical environment for physical hardware
devices.

Aaron - not knowing your budget, it's tough to make recommendations. At my
last place, we used these :
http://www.juniper.net/us/en/products-services/security/vgw-series/
But that's just a firewall, AFAIK - it doesn't also handle remote
access/VPN.


On Fri, May 31, 2013 at 5:11 PM, Edward Ned Harvey (bblisa4) <
bblisa4 at nedharvey.com> wrote:

> > From: bblisa-bounces at bblisa.org [mailto:bblisa-bounces at bblisa.org] On
> > Behalf Of Aaron Macks
> >
> > I'm going to be setting up a small stand-alone virtual environment soon.
> >  My instinct is to make a VM based on iptables and ipmasq to act as a
> > gateway/firewall for the rest of the VMs, but it occurs to me that there
> > may now be better virtual firewalls out there.  Note that it doesn't
> > have to be a virtual appliance that just gets uploaded and booted,
> > something installable is fine, but I want something more specialized
> > than plain Linux.  Does anyone have any suggestions?
>
> Be aware, that for a security device, you're not supposed to run it as a
> VM, just because you might be vulnerable to hypervisor attacks and so
> forth.  But as long as you take that into consideration - I do it myself.
>
> I recommend and use pfSense.  (There are others out there, such as
> m0n0wall, which I think pfsense is based on, but I prefer pfsense over
> m0n0wall.)
>
>
> > Required features: VPN (IPSEC ideally, SSL-based acceptable, PPTP not
> > acceptable), port forwarding, NAT, other normal firewall stuff
>
> For site-to-site, the IPSec is present, and ideal.  For mobile
> connectivity, IPsec can be used ... but it's not ideal due to complexity of
> configuring clients, and difficulty finding good clients.  For mobile
> connectivity, I would say look at openvpn instead (or in addition to) the
> ipsec mobilevpn solution.  It's SSL based.  In the pfsense, you can install
> the openvpn plugin (I forget what it's called exactly, but if you just look
> under the installable modules page, you should find it easily.)  Then with
> a few clicks on the web interface, you create your CA, you create some
> users, create certs for those users, and download the per-user config files
> and cert files needed by the openvpn client or tunnelblick.
>
>
> _______________________________________________
> bblisa mailing list
> bblisa at bblisa.org
> http://www.bblisa.org/mailman/listinfo/bblisa
>
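The OpenVPN mobile-access setup Ned describes (create a CA, create users, issue each a cert, hand out a per-user config file) written out as a shell script. This is an added example, not code from the thread and not pfSense's own code; pfSense does the same steps through its certificate manager and the OpenVPN client-export package. It calls openssl directly, writes into a scratch directory, and assumes a hypothetical VPN hostname vpn.example.com and a sample user named alice.

```shell
#!/bin/sh
# Added example (not from the thread or pfSense): the CA -> user cert -> per-user
# client config steps for an OpenVPN mobile-access server, done with openssl.
set -eu

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"              # scratch directory (assumption)
SERVER_NAME="${SERVER_NAME:-vpn.example.com}"   # hypothetical VPN hostname (assumption)

# Step 1: a self-signed CA. Keep ca.key off the firewall if you can; it only
# has to be present when issuing or revoking user certs.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example VPN CA" \
    -keyout "$PKI_DIR/ca.key" -out "$PKI_DIR/ca.crt" 2>/dev/null
}

# Step 2: one key + cert per user, signed by the CA. The extensions mark it as a
# client-only leaf cert, so a stolen user cert cannot be used to impersonate the
# server (the client config below enforces the mirror-image check with
# remote-cert-tls server).
make_user_cert() {
  user="$1"
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$user" \
    -keyout "$PKI_DIR/$user.key" -out "$PKI_DIR/$user.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' \
    > "$PKI_DIR/$user.ext"
  openssl x509 -req -sha256 -days 365 -in "$PKI_DIR/$user.csr" \
    -CA "$PKI_DIR/ca.crt" -CAkey "$PKI_DIR/ca.key" -CAcreateserial \
    -extfile "$PKI_DIR/$user.ext" -out "$PKI_DIR/$user.crt" 2>/dev/null
  rm -f "$PKI_DIR/$user.csr" "$PKI_DIR/$user.ext"
}

# Sanity check before handing a bundle out: does the user cert chain to our CA?
verify_user_cert() {
  openssl verify -CAfile "$PKI_DIR/ca.crt" "$PKI_DIR/$1.crt" >/dev/null 2>&1
}

# Step 3: the per-user .ovpn with CA cert, user cert and user key inlined, which
# is the single file the OpenVPN client or Tunnelblick imports.
make_user_config() {
  user="$1"
  cat <<EOF
client
dev tun
proto udp
remote $SERVER_NAME 1194
nobind
persist-key
persist-tun
remote-cert-tls server
verb 3
<ca>
$(cat "$PKI_DIR/ca.crt")
</ca>
<cert>
$(cat "$PKI_DIR/$user.crt")
</cert>
<key>
$(cat "$PKI_DIR/$user.key")
</key>
EOF
}

# Demo run: the CA plus one user, bundle written next to the PKI files.
make_ca
make_user_cert alice
verify_user_cert alice
make_user_config alice > "$PKI_DIR/alice.ovpn"
echo "wrote $PKI_DIR/alice.ovpn"
```

The server side needs its own cert issued by the same CA with extendedKeyUsage=serverAuth instead of clientAuth, which is what makes the client's remote-cert-tls server line meaningful; if you issue every cert with the same extensions, that check no longer distinguishes a user from the server. Revoking a user means publishing a CRL from the CA and pointing the server's crl-verify at it, not just deleting the .ovpn you handed out.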