VMware hosting smoothwall - security concerns

Discussion in 'Networking, Telephony & Internet' started by Aetherone, Sep 7, 2008.

  1. Aetherone

    Aetherone Member

    Joined:
    Jan 15, 2002
    Messages:
    8,542
    Location:
    Adelaide, SA
    note: I'm not sure quite where this belongs, but here will do for now.

    As prompted by the thread here -> http://forums.overclockers.com.au/showthread.php?p=9344513#post9344513

    I'd like to enter into discussion on the perils of running an operational smoothwall (or any other purposed distro) in a VM, purely as an intellectual exercise.

    The situation I'll propose is this: one VM host, running a Windows based OS (but virtually anything applies I guess). Two network cards, one connected to the WAN and the other connected to the LAN.

    Now, connecting a Windows (or virtually any) box directly & unshielded to the Internet is asking for trouble, so I propose that for the WAN-NIC, all protocols other than the "VMware Bridge Protocol" be unbound from the NIC. This is the essential bit - as with minimal protocols bound, there's almost nothing to attack except for the VMware bridge protocol. I am not sure about the security implications of running this alone, but I suspect they're trivial to non-existent given the increasing popularity of VM'ing at the enterprise level. Certainly there may be exploits targeting this (already? future?), but are they any more likely to develop than an exploit attacking something else on the machine?

    The LAN-NIC is left at defaults such as may be used by someone at home (IPv4, Client for MS networks, F&P Sharing, QoS Packet Scheduler)

    What I'm trying to get at is: with such modifications in place to the HOST os, is running your smoothie as a VM (instead of on bare metal) really such a significant security issue? (and very preferably how!).

    Does VM networking still function if it's the only bound protocol on a NIC?

    Assuming such a setup, can you pull on a black hat and suggest how such a system might be successfully attacked?

    Is it possible to tell that a machine is VM or metal from the outside?

    Is it possible to break out of the VM sandbox and attack other VMs or host OSes through the VM, or do you have to resort to using network protocols as if the systems were hardware distinct?

    Is the VM host any more likely to be targeted than another machine inside the network?
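    Added example (not posted by anyone in this thread, and not VMware's or Smoothwall's own tooling): a PowerShell audit of the host's WAN-facing adapter that implements the check the post proposes, i.e. that nothing except the "VMware Bridge Protocol" remains bound on the NIC the red interface uses. It also checks that the host holds no IP address on that NIC, which is the kind of slip Gecko describes further down the thread. The adapter name "WAN" is an assumption; it needs the NetAdapter module (Windows 8 / Server 2012 or later) and an elevated prompt when run with -Fix.

```powershell
# Added example: audit (and optionally repair) protocol bindings on the
# Internet-facing host NIC so that only the VMware Bridge Protocol stays bound.
# "WAN" is an assumed adapter name; change it to match the host.
param(
    [string]$WanAdapter = "WAN",   # assumed name of the Internet-facing NIC
    [switch]$Fix                    # without -Fix the script only reports
)

# Display name exactly as it appears in the adapter's Properties dialog.
$allowed = "VMware Bridge Protocol"

# Fails loudly if the adapter name is wrong rather than auditing nothing.
$bindings = Get-NetAdapterBinding -Name $WanAdapter -ErrorAction Stop

"Bindings on '$WanAdapter':"
$bindings | Format-Table DisplayName, ComponentID, Enabled -AutoSize | Out-String

# Every enabled binding other than the bridge protocol is host attack surface
# that is reachable directly from the Internet.
$extra = @($bindings | Where-Object { $_.Enabled -and $_.DisplayName -ne $allowed })

if ($extra.Count -gt 0) {
    Write-Warning ("{0} extra protocol(s) bound on {1}: {2}" -f `
        $extra.Count, $WanAdapter, ($extra.DisplayName -join ', '))
    if ($Fix) {
        foreach ($b in $extra) {
            # ComponentID (e.g. ms_tcpip) is the stable key; display names are localised.
            Disable-NetAdapterBinding -Name $WanAdapter -ComponentID $b.ComponentID
            "disabled '$($b.DisplayName)' ($($b.ComponentID))"
        }
    }
} else {
    "OK: only '$allowed' is bound on $WanAdapter"
}

# The bridge protocol itself must stay enabled, or the guest's red interface goes dark.
if (-not ($bindings | Where-Object { $_.DisplayName -eq $allowed -and $_.Enabled })) {
    Write-Warning "'$allowed' is not enabled on $WanAdapter; the guest will lose its WAN link"
}

# With TCP/IP unbound the host must hold no address on the WAN NIC at all.
# An address here means the host OS, not just the guest, is exposed to the WAN.
$ips = Get-NetIPAddress -InterfaceAlias $WanAdapter -ErrorAction SilentlyContinue
if ($ips) {
    Write-Warning "Host still has an address on ${WanAdapter}: $($ips.IPAddress -join ', ')"
} else {
    "OK: host holds no IP address on $WanAdapter"
}
```

    Run it without -Fix first and compare the table against what the LAN-NIC shows; the WAN adapter should end up with a single enabled row. Re-run after any driver or Windows update, since reinstalling a NIC driver can silently re-enable the default bindings.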
     
  2. flu!d

    flu!d Ubuntu Mate 16.04 LTS

    Joined:
    Jun 27, 2001
    Messages:
    13,120
    While virtual machines are fairly straightforward, they are still relatively new technology to me, even though my own VM server is almost set up and ready to replace my 3 aging ProLiants in the equipment rack; therefore I prefer to keep the Smoothie separate from the Server 2003 based machine(s). There is a thread in the smoothwall forums relating to such a setup as seen here:

    http://community.smoothwall.org/forum/viewtopic.php?f=20&t=29273

    As you can see, while some people say it cannot be done, some say it certainly can be done and is secure if done correctly.

    While I'm not ready to virtualize my Smoothie just yet, this is an interesting thread worth watching.
     
    Last edited: Sep 7, 2008
  3. Aetherone (OP)

    Aetherone Member

    Joined:
    Jan 15, 2002
    Messages:
    8,542
    Location:
    Adelaide, SA
    Result: yep, it works fine

    I do quite a lot of playing around with smoothwall in VMware; its function appears to be quite normal and performance has not been an issue so far.
     
  4. flu!d

    flu!d Ubuntu Mate 16.04 LTS

    Joined:
    Jun 27, 2001
    Messages:
    13,120
    Aetherone, how do you set up the NICs?

    Are they bridged or host only? As obviously NAT would raise security concerns?

    Matt.
     
  5. stmok

    stmok Member

    Joined:
    Jul 24, 2001
    Messages:
    8,877
    Location:
    Sydney
    I always have a dedicated security device sitting in front of desktop boxes. (Say a low powered system like VIA C3/C7 or Intel Atom based solution. Or a WRT54GL).

    I wouldn't virtualise, when it comes to security. For compatibility, interoperability, and education? Yes. For Security? No. The more stuff you put on a system, the more potential holes you introduce.

    Security Advisories
    => http://www.vmware.com/security/advisories/

    Look through them to get a feel of the kind of potential issues to expect with VMware.
     
  6. Aetherone (OP)

    Aetherone Member

    Joined:
    Jan 15, 2002
    Messages:
    8,542
    Location:
    Adelaide, SA
    Typically when I'm playing around with SW it's to bridge between a virtual network (other VMs) and a real one, so one NIC is bridged and the other(s) set to a "custom: specific ..." network.

    In the situation being discussed, both NICs are bridged. The red interface is on the WAN-NIC (which is bound to the VM protocol only) and the green interface to the LAN-NIC. The host cannot use the WAN-NIC, but has full access to the LAN-NIC.

    Thanks for the link, they make some interesting reading. It would seem relevant to note that many of the most critical issues seem to be based around local users doing naughty things, which indicates the attack must come from within the guest, which I interpret as meaning your smoothie needs to be hacked first. I'm still reading, but yet to find an entry where the hole is in the VM surface itself.
     
  7. stalin

    stalin (Taking a Break)

    Joined:
    Jun 26, 2001
    Messages:
    4,581
    Location:
    On the move
    Red Hat offer a multi-level security architecture system (multi-level is a specific term in relation to security classification levels). They offer this with VMware Workstation and SELinux; its intended use is, for example, having In-Confidence and Protected information on the same system, separated via VMware and protected by SELinux.

    From this you can surmise that VMware/virtualisation alone is not a sufficient level of protection.

    I would agree with that idea for my workplaces at least...

    If that matters for a regular home user... well, that's up to you. I have a standard little screening system at the front, and then have virtualised protection systems (lots of them). (I use Xen with AppArmor on both hosts and guests.)

    If your would-be attacker can break out of your virtual environment AND be able to control another host, your standard security controls probably aren't strong enough to protect you from them anyway.

    I'm amongst the most 'paranoid' (knowledgeable in how easy it is to break things ;)) regarding security, and this is a risk I accept for my home information, and some personal business requirements.
     
  8. Gecko

    Gecko Member

    Joined:
    Jul 3, 2004
    Messages:
    2,715
    Location:
    Sydney
    I've done it before in a pinch (was out at a site where the router box died and I couldn't get a new one out there for at least a week), however I wouldn't recommend it.

    Main reason for staying away is it's very easy to make a slight config mistake (like I did in one of my test environments - luckily not production) and allow traffic from the outside world to see the underlying OS.

    Another possible option is to have a basic home router in between the internet and your box and then just use the Smoothwall VM for things like QoS etc.
     
  9. neotheo

    neotheo Member

    Joined:
    Jan 26, 2005
    Messages:
    278
    Location:
    ~
    With it set up correctly, there isn't an issue. I suggest you test and learn before you actually use it outside of the test environment.
     
  10. Doc-of-FC

    Doc-of-FC Member

    Joined:
    Aug 30, 2001
    Messages:
    3,293
    Location:
    Canberra
    I think you meant to say:

    My recommendation is that in a production environment, keep the bastards separate.

    Comms gear should always be the first thing to come up and the last thing to go down.

    This then comes back to network monitoring (which there is also another thread in the forums about).

    For a small office, I can see the reasoning behind using this setup, but the business must make that decision after doing a RA.

    Coming from a similar standing point to Stalin:
    The clincher for me is that if someone finds a weakness in your deployment and decides to DoS your virtual machine firewall, there are many issues that can crop up, esp. with things like tick count, time slips and interrupt sharing. All of these things WILL consume resources on your hypervisor and WILL cause issues for other virtual machines (if not properly addressed during the design phase).

    A perfect example is an ESX hypervisor with a Debian 4 guest VM: if not using clock=pit on init and using a decent NTP server, the Debian 4 VM will time slip if it has to wait due to kernel interrupts. Windows is slightly better behaved, but things like this can cause issues on a network that hasn't been properly thought out.
     
  11. stalin

    stalin (Taking a Break)

    Joined:
    Jun 26, 2001
    Messages:
    4,581
    Location:
    On the move
    http://rationalsecurity.typepad.com/blog/vmware/index.html

    VMware escaping - though more malware related:
    http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf

    Have a read of what Chris Hoff presented at Black Hat, a significant paper discussing virtualisation security: "The Four Horsemen of the Virtualization Security Apocalypse".


    This is an addendum to my comments earlier regarding the multi-level system; this relates to the US, not Aus:
    My understanding was Red Hat was planning to trial their solution with the US Navy at the recent RIMPAC exercise, though my 'sources' tell me that didn't happen, though not sure of the reasoning.

    You may like to look at the following DISA STIG:

    US Dept of Defense (Defense Information Systems Agency): Security Technical Implementation Guide (draft only, attached, and below)
    http://iase.disa.mil/stigs/draft-stigs/Virtual-Computing-STIG-V1R01.doc

    And have a read of these:
    Reflex Security: Virtual Security Appliance: http://www.reflexsecurity.com/reflex_vsa.php
    Whitepaper: http://www.reflexsecurity.com/downloads/whitepapers/security_virtualized.pdf

    Also to quote (with edits) another gentleman (can't reference the source as it's a restricted access site):


    Go go Security.

    Using VMware increases your risks, just like using some other additional bit of software does; the question is, does the benefit outweigh the risks? For 99%, yes. For 1%, no.

    Most of my work places are in the 1%, some other places I work, and home are in that 99%.
     
    Last edited: Sep 8, 2008
  12. HyRax1

    HyRax1 ¡Viva la Resolutión!

    Joined:
    Jun 28, 2001
    Messages:
    7,874
    Location:
    At a desk
    Yeah, I'd dedicate a box to security too. No telling how someone might find a vulnerability in a VM implementation and somehow hit the hypervisor; then all your VMs on that box are in trouble.

    Aside from that, though - the hackers must be slacking off. I built a test Ubuntu Server box last night and opened SSH to the Interwebs. Took a whole 3 and a bit hours for someone in China to notice it and to try logging in with a dictionary attack.

    I was used to something happening within 10 minutes, previously! :D
     
  13. stalin

    stalin (Taking a Break)

    Joined:
    Jun 26, 2001
    Messages:
    4,581
    Location:
    On the move
    I would get it moved to the Busyness and Enterprise forum... this ain't really, Networking and Internet.
     
  14. Doc-of-FC

    Doc-of-FC Member

    Joined:
    Aug 30, 2001
    Messages:
    3,293
    Location:
    Canberra
    Hmmm, I virtualise my DMZ boxes, but before doing so I make sure that they are behind several separate layers of security and that content checking is completed before a request arrives at the target server.

    Things like Apache reverse proxy + mod_security are very handy for terminating an SSL connection; from here you would pass the clear text HTTP request through an IPS before going to the target server.

    On top of the above, you would employ decent coders in the first place who understand how to write code in a secure manner, incorporating things like bounds checking and input sanitisation.

    Sorry for going OT, just my morning rant....

    Still.... I wouldn't virtualise a network security device or network routing equipment.
     
  15. Annihilator69

    Annihilator69 Member

    Joined:
    Feb 17, 2003
    Messages:
    6,032
    Location:
    Perth
    What if you're running VMware Server on, say, a locked down Debian box, rather than a Windows box?
     
  16. lavi

    lavi Member

    Joined:
    Dec 20, 2002
    Messages:
    4,004
    Location:
    Brisbane
    A locked down box (connectivity) is when you unplug the cable.
     
  17. Psycronic

    Psycronic Member

    Joined:
    Sep 23, 2003
    Messages:
    347
    Location:
    Penrith
    Had a teacher at my high school that followed that line of thinking, security wise.

    So the best security solution was to remove the power cable; that way none of us could stuff the box.
     
  18. HyRax1

    HyRax1 ¡Viva la Resolutión!

    Joined:
    Jun 28, 2001
    Messages:
    7,874
    Location:
    At a desk
    You're forgetting the first most-important part of security - it's not the cable, it's physical access. You can still stuff that box by dropping it! ;)
     
  19. PsyKo-Billy

    PsyKo-Billy Member

    Joined:
    Jan 6, 2002
    Messages:
    2,712
    Location:
    Townsville
    So how secure is a physical smoothwall box anyway?
     
