Other Virtualized FreeBSD firewall security risks?

Hi, I would like to have a FreeBSD system running in a hypervisor as a firewall. I'm wondering if there would be any security concerns in doing so, seeing as the driver would be on the host machine. Thanks in advance.
 
Of course. As Theo de Raadt once famously said, to expect all those software engineers who can't write a single secure application, or even a small piece of code, to turn around and write a secure hypervisor is laughable if not foolish. Running multiple mission critical services on a single hypervisor creates a single point of failure. Imagine a small lab running a firewall, LDAP server, git repository, a web server, and a few other tools like monitoring and a central login server on a single hypervisor. What happens to the lab if the host goes down?

Now in reality virtualization has its uses and I am using it myself. Not all hypervisors are the same when it comes to security. Do you have virtualized hardware (Sun Microsystems had some nice servers)? OpenBSD runs very well on them. Who said that OpenBSD doesn't support virtualization?

Solaris Zones is an example of well done virtualization. You can use a little imagination to think of FreeBSD jails as virtualization. They are pretty good. Jails is one of my favourite FreeBSD tools.

From "industry standard" type 1 hypervisors I like Xen, but I will concur that I have never played with a VMware product. KVM is a level 1.5 hypervisor. It is about as secure as the rest of Linux (not very much if you ask me). VirtualBox is laughable, but nothing makes for as good a laugh as Linux Dockers with whatever is the backend flavour of the day (I hear they don't use Linux containers any more). It is very easy to escalate privileges in a Linux container and get root access to the host machine.

Note that FreeBSD now has Bhyve and Xen Dom0 besides Jails. The choice of FreeBSD hypervisor might depend on your familiarity with a particular technology (Xen has been around a long time and people are familiar with it) or the choice of your hosts (OpenBSD runs poorly as Xen DomU).
 
Good day FlameIMP,

Do you have a specific hypervisor in mind?

I second Oko's choice to reference Theo de Raadt's opinion on this (which seemed both accurate and funny to me). Yet I suppose one's security concerns ought to be based on the value of what one's protecting, and on one's level of willingness to invest time in securing the whole system.

My personal anecdote in this regard is that I ran an OpenBSD Internet bastion host as a guest in an ESX VM from 2007 through 2014, and had no problems (that I knew about). The guest ran Web, DNS, mail and ssh services, and ESX was configured to make only this guest visible over my Internet connection--the ESX management services were restricted to a separate internal network. I also chose to forgo VMware Tools, since it seems like most VMware VM break-out vulnerabilities have depended on 'Tools being present in the guest.
 
At least the packet filter should be a real single machine to provide a reasonable level of protection. It can be old cheap hardware provided that network traffic is slow compared to what the CPU can handle.
Of course, what "reasonable" means depends on your preferences. As robroy states, it might be ok to virtualize the DMZ bastion host(s) if you don't need military-grade security. To virtualize the packet filter is like locking your door and then placing the key outside under the footmat.
 
It can be old cheap hardware
That is very bad advice. You don't put a mission critical service on "cheap old hardware". You can get a brand new Atom based server with a dual Intel 1 Gigabit controller for $200 on eBay from wholesale retailers. If you don't have $200 to spend for such a machine, you are probably a home user and don't need a dedicated firewall anyway. Just configure your FreeBSD desktop machine which is plugged into the cable box or DSL as a firewall machine for the rest of your home network.
 
you are probably a home user and don't need a dedicated firewall anyway. Just configure your FreeBSD desktop machine which is plugged into the cable box or DSL as a firewall machine for the rest of your home network.
I think this part is even worse advice than the part you criticized. Ok, "home user" might mean different things to different people, but in my view "home users" are users who use various services on the Internet, without necessarily understanding how the Internet and the services they use work.
And for that category of user I would definitely NOT recommend setting up a combined desktop and firewall machine; they should use a dedicated box for each function.
 