[BBLISA] Advice on a firewall Virtual Appliance

Aaron Macks upelluri at gmail.com
Fri May 31 18:03:29 EDT 2013


For this project, something like a 'datacenter in a box', the budget is
$0.

pfSense is one of the front-runners for the moment.

A

On 5/31/13 5:19 PM, Matt Finnigan wrote:
> On Fri, May 31, 2013 at 5:11 PM, Edward Ned Harvey
> (bblisa4) <bblisa4 at nedharvey.com> wrote:
> 
> 
>     Be aware, that for a security device, you're not supposed to run it
>     as a VM, just because you might be vulnerable to hypervisor attacks
>     and so forth.  But as long as you take that into consideration - I
>     do it myself.
> 
> (Sorry, Ned, meant to reply on-list, but just replied to you.)
> 
> That's not a very compelling argument. I've been at firms that deployed
> VM-based security devices and passed audits. Plenty of vendors have
> OVA/OVF versions of their appliances. You have to secure your hypervisor
> layer, just like you have to secure the physical environment for
> physical hardware devices.
> 
> Aaron - not knowing your budget, it's tough to make recommendations. At
> my last place, we used these:
> http://www.juniper.net/us/en/products-services/security/vgw-series/
> But that's just a firewall, AFAIK - it doesn't also handle remote
> access/VPN.
> 
> 
> On Fri, May 31, 2013 at 5:11 PM, Edward Ned Harvey (bblisa4)
> <bblisa4 at nedharvey.com> wrote:
> 
>     > From: bblisa-bounces at bblisa.org [mailto:bblisa-bounces at bblisa.org] On
>     > Behalf Of Aaron Macks
>     >
>     > I'm going to be setting up a small stand-alone virtual environment
>     > soon.  My instinct is to make a VM based on iptables and ipmasq to act as a
>     > gateway/firewall for the rest of the VMs, but it occurs to me that there
>     > may now be better virtual firewalls out there.  Note that it doesn't
>     > have to be a virtual appliance that just gets uploaded and booted,
>     > something installable is fine, but I want something more specialized
>     > than plain Linux.  Does anyone have any suggestions?
> 
>     Be aware, that for a security device, you're not supposed to run it
>     as a VM, just because you might be vulnerable to hypervisor attacks
>     and so forth.  But as long as you take that into consideration - I
>     do it myself.
> 
>     I recommend and use pfSense.  (There are others out there, such as
>     m0n0wall, which I think pfSense is based on, but I prefer pfSense
>     over m0n0wall.)
> 
> 
>     > Required features: VPN (IPSEC ideally, SSL-based acceptable, PPTP not
>     > acceptable), port forwarding, NAT, other normal firewall stuff
> 
>     For site-to-site, the IPsec is present, and ideal.  For mobile
>     connectivity, IPsec can be used ... but it's not ideal due to
>     complexity of configuring clients, and difficulty finding good
>     clients.  For mobile connectivity, I would say look at OpenVPN
>     instead (or in addition to) the IPsec mobile VPN solution.  It's SSL
>     based.  In pfSense, you can install the OpenVPN plugin (I forget
>     what it's called exactly, but if you just look under the installable
>     modules page, you should find it easily.)  Then with a few clicks on
>     the web interface, you create your CA, you create some users, create
>     certs for those users, and download the per-user config files and
>     cert files needed by the OpenVPN client or Tunnelblick.
> 
> 
>     _______________________________________________
>     bblisa mailing list
>     bblisa at bblisa.org
>     http://www.bblisa.org/mailman/listinfo/bblisa
> 
> 

-- 
_______________________________________________________
Aaron Macks(aaronm at wiglaf.org) [http://www.wiglaf.org/~aaronm ]
My sheep has seven gall bladders, that makes me the King of the Universe!
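Aaron's fallback design from the original question, an iptables/ipmasq gateway VM doing NAT and port forwarding for the other VMs, written out as an added example (not code from anyone in the thread). The function builds a default-deny FORWARD policy, masquerades the inner subnet, and pairs the DNAT port forward with the FORWARD accept it needs; interface names, the LAN subnet and the forwarded service are assumed values, and the rules are printed rather than applied unless IPT=iptables is set.

```shell
#!/bin/sh
# Assumed values for the 'datacenter in a box': outside-facing and
# VM-facing interfaces and the subnet the guest VMs live on.
WAN=eth0
LAN=eth1
LAN_NET=10.0.0.0/24
# Dry run by default so the rule set can be reviewed without root;
# run with IPT=iptables to apply it on the gateway VM.
IPT=${IPT:-"echo iptables"}

# gateway_rules <public_port> <internal_ip> <internal_port>
# Emits a default-deny forwarding policy with masquerading NAT for the
# LAN and one inbound TCP port forward to a guest VM.
gateway_rules() {
  pub_port=$1; int_ip=$2; int_port=$3
  # Default deny for traffic crossing the gateway; start from clean chains.
  $IPT -P FORWARD DROP
  $IPT -F FORWARD
  $IPT -t nat -F
  # Guests may initiate connections outward; only replies come back in.
  $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
  $IPT -A FORWARD -i "$WAN" -o "$LAN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # Hide the guest subnet behind the gateway's WAN address.
  $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
  # Port forward: the DNAT rewrites the destination, but the translated
  # packet still traverses FORWARD, so a matching accept is required or
  # the default-deny policy silently drops it.
  $IPT -t nat -A PREROUTING -i "$WAN" -p tcp --dport "$pub_port" -j DNAT --to-destination "$int_ip:$int_port"
  $IPT -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$int_ip" --dport "$int_port" -m conntrack --ctstate NEW -j ACCEPT
  # Rate-limited log of whatever falls through, so misconfigurations
  # show up in syslog instead of vanishing.
  $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

# Stand-alone run: forward public port 443 to a guest web VM on 8443.
gateway_rules 443 10.0.0.10 8443
```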
