I’m in the process of setting up a firewall for my home network, and thinking of maybe setting it up in a VM. Currently using xcp-ng as my hypervisor.
The server has 3 ethernet cards, 2 for the firewall and 1 for the other hosts and the hypervisor.
From what I can find on the internet, there are many that say this is no problem and there are those who say that this should be avoided…
So, what do I do?
Is it safe to run a firewall inside a VM?
Any good setups that people have and have tested?
Some people prefer not to virtualize network components like gateway/router/firewall. It’s your choice, but trusting a hypervisor for that level of components can be dangerous.
From a security standpoint, running a firewall in a VM can be dangerous, because it adds more complexity and potential security holes (such as ones that haven’t been publicly disclosed). However, at the same time, it’s so darn handy to have.
I run pfSense in a Hyper-V instance, and it’s amazing. I love that when I fuck something up badly, I can just revert to a previous snapshot, without needing to do a complete reinstall of the OS.
A big part of networking is about decisions like these; choosing the right balance between security and convenience.
Shouldn’t make much of a difference, except your virtual NIC appears on your network.
IMO it really boils down to: do you want the headache of just adding a new machine to your network, and this machine being reliant on another machine being turned on before it can even boot?
When making a network node/server you really wanna rely on something which is turned on 24/7. The pain of turning on your main machine, which after being started up has to launch a headless installation of XyZ OS besides that before you can reach the interwebz, for example, is a slow and painful experience. But logistically, all you’re doing is adding a new computer to your network, which the rest of your network relies on: if it’s not turned on, your network is down; if it’s on, it works, and business is as usual.
Personally I use a Raspberry Pi to do my network, since it is reliable and uses little power, and for a home network there really isn’t much compute power needed.
Can’t see much of a problem myself. There is a bit of an increased risk because you’ve got two hosts to protect from vulnerabilities (the physical and the virtual), but there’s plenty of people who do it.
You’ll just need to firewall your host’s physical internet interface in addition to the vm internet interface.
Considering all the random iot malware out there, it’s a good idea to think about that for any network interface on any device whether or not it happens to have an IP assigned.
You can buy virtual firewalls; our enterprise firewall here at work is a cloud-hosted VM pair.
However, a few pointers:
I’d give the VM firewall a dedicated hardware WAN interface rather than a VLAN or something on the same NIC as everything else.
If you’re running on old hardware vulnerable to, say, Meltdown or Spectre without patches… don’t do that. Sure, risk might be low, blah blah, but I just cannot recommend putting hardware with KNOWN security vulnerabilities directly onto the internet.
Keep on top of hypervisor updates. Hypervisor escapes are unfortunately a thing.
Also, as per @risk above, I’d consider sticking an ACL or something on your edge router to block the obviously dodgy shit before it gets to your VM. Security is best handled in layers; you don’t HAVE to forward all the dodgy shit on the internet to your firewall, so you may as well block stuff you definitely don’t want (e.g., RFC1918 IPs, etc.) at the router.
I’d also do stuff like block HTTPS inbound to the firewall (or at least don’t run the management UI on the WAN interface, require VPN first or traffic source IP from specific destinations at least), etc.
But that’s standard firewall stuff, not VM specific.
Also, as per @risk - just because you have an edge firewall, doesn’t mean you can happily run firewall-free inside. Again… layers. Assume that one day your edge firewall might let something in, or something malicious gets inside your network (e.g., you download and install a trojan) and is running on an internal host. If you’re totally open behind the firewall, you’re boned.
If you’re not, then the damage will be limited (hopefully).
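The layering described in the last reply (bogon sources dropped at the edge before they reach the VM, and the firewall’s own management ports not exposed on the WAN unless the source is a known admin range), worked through as an added example that is not part of the thread. The policy is evaluated against a few constructed packets, and the same policy is rendered as an nftables ruleset fragment that could sit on the edge device or in the firewall VM’s input chain. The addresses (203.0.113.10 as the firewall’s WAN IP, 198.51.100.0/24 as the admin range) and the interface name eth1 are assumptions chosen for the example, not values from the thread.

```python
"""Layered inbound WAN policy: edge bogon ACL, then management-port restriction.

Added illustration for the thread above; addresses and interface name are
constructed placeholders (TEST-NET ranges), not real deployment values.
"""
import ipaddress
from dataclasses import dataclass

# Sources that must never arrive on the WAN side: RFC 1918, loopback,
# "this" network and link-local. Dropping these at the edge router means the
# firewall VM never has to process them at all.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16",
)]

WAN_IFACE = "eth1"                                             # assumed dedicated WAN NIC
FIREWALL_WAN_IP = ipaddress.ip_address("203.0.113.10")          # constructed (TEST-NET-3)
MGMT_ALLOWED_SOURCES = [ipaddress.ip_network("198.51.100.0/24")]  # constructed admin range
MGMT_PORTS = (22, 443)                                          # SSH and the HTTPS management UI


@dataclass(frozen=True)
class Packet:
    """Minimal view of an inbound WAN packet: the fields the policy looks at."""
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def evaluate(pkt: Packet) -> tuple:
    """Return (verdict, reason) for a packet arriving on the WAN interface."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)

    # Layer 1: edge router ACL. Spoofed/private sources are dropped before
    # they reach the hypervisor or the firewall VM.
    if any(src in net for net in BOGON_SOURCES):
        return ("drop", "edge-acl: bogon source")

    # Layer 2: firewall VM input chain. The management UI and SSH on the WAN
    # address are reachable only from the admin range; everyone else is dropped.
    if dst == FIREWALL_WAN_IP and pkt.proto == "tcp" and pkt.dport in MGMT_PORTS:
        if any(src in net for net in MGMT_ALLOWED_SOURCES):
            return ("accept", "mgmt port from allowed source")
        return ("drop", "mgmt port not exposed on WAN")

    # Everything else goes on to the firewall VM's normal stateful ruleset,
    # which is still default-deny for unsolicited inbound traffic.
    return ("forward", "to firewall VM ruleset")


def nft_ruleset() -> str:
    """Render the same policy as an nftables fragment (inet table, input hook)."""
    bogons = ", ".join(str(n) for n in BOGON_SOURCES)
    admins = ", ".join(str(n) for n in MGMT_ALLOWED_SOURCES)
    ports = ", ".join(str(p) for p in MGMT_PORTS)
    return "\n".join([
        "table inet wan_guard {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        f'    iifname "{WAN_IFACE}" ip saddr {{ {bogons} }} drop',
        f'    iifname "{WAN_IFACE}" ip daddr {FIREWALL_WAN_IP} tcp dport {{ {ports} }} '
        f"ip saddr {{ {admins} }} accept",
        f'    iifname "{WAN_IFACE}" ip daddr {FIREWALL_WAN_IP} tcp dport {{ {ports} }} drop',
        "  }",
        "}",
    ])


if __name__ == "__main__":
    # Constructed sample packets exercising each layer.
    samples = [
        Packet("10.1.2.3", "203.0.113.10", "tcp", 80),      # RFC 1918 source on WAN
        Packet("192.0.2.7", "203.0.113.10", "tcp", 443),    # internet host hitting the UI
        Packet("198.51.100.5", "203.0.113.10", "tcp", 443), # admin range hitting the UI
        Packet("192.0.2.7", "203.0.113.10", "udp", 1194),   # e.g. inbound VPN, left to the VM
    ]
    for p in samples:
        print(p, "->", evaluate(p))
    print(nft_ruleset())
```

The point of rendering the ruleset from the same policy object is that the edge ACL and the VM’s input chain stay in agreement; in practice the bogon lines belong on the edge router and the management-port lines on the firewall VM, but both express the same intent.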