
Firewalls and Virtualization - pfSense Hangout June 2014

Slides for the June 2014 pfSense Hangout video


  1. June 2014 Hang Out: Firewalls and Virtualization
     Chris Buechler
  2. Project News
     ● Training registration now open
       ○ August 1-2
       ○ September 5-6
       ○ In-person, in Austin, Texas
       ○ https://www.pfsense.org/university/
     ● 2.1.4 release available
       ○ Release notes at blog.pfsense.org
  3. Virtualization Overview
     ● Means of running multiple OSes on a single piece of hardware
     ● Types 1 and 2, 0? 1.5?
     ● Desktop class
     ● Server class
  4. Virtualization Usage Scenarios
     ● Production systems
     ● Testing and development environments
     ● Fun but ugly hacks
  5. Virtualization Security
     ● Are virtual firewalls secure?
       ○ it depends
     ● Hypervisor vulnerabilities
       ○ Guest to host
       ○ Guest to guest
     ● More subject to human error
  6. Virtual Networking - Desktop
     ● Bridged
     ● NAT
     ● Host-only
     ● Internal
  7. Virtual Networking - Bridged
     ● Put VM on the same broadcast domain as a physical NIC
  8. Virtual Networking - Bridged
  9. Virtual Networking - Bridged
     ● Caveats with wireless
     ● Be careful!
       ○ More damage potential than other options
       ○ Rogue DHCP servers
       ○ IP conflicts
       ○ CARP VHID conflicts
       ○ Layer 2 loops
  10. Virtual Networking - NAT
     ● Share host's IP(s)
       ○ including (some) VPNs
     ● Easiest to deal with at times
     ● Separate broadcast domain safer
     ● NAT router inside hypervisor
     ● Complications reaching VM from physical network
  11. Virtual Networking - NAT
  12. Virtual Networking - Host-only
     ● Allow connectivity to host
     ● No outside connectivity
       ○ provided by hypervisor at least
  13. Virtual Networking - Internal
     ● No connectivity to host
       ○ on that vswitch at least
  14. VirtualBox Networking demo
  15. VMware Workstation Networking demo
  16. Parallels and VMware Fusion
     ● Same basic capabilities as the others
       ○ Bridged
       ○ NAT ("Shared")
       ○ Host-only
  17. Host OS Network Configuration demo
  18. Virtual Networking - Server
     ● Concepts
     ● VLAN handling
     ● NIC PCI passthrough
  19. Virtual Networking - ESX
     ● vSwitches
       ○ None, one or more associated physical NICs
       ○ Port groups within vswitches
         ■ optionally with VLAN ID
         ■ Can pass all tagged VLANs
     demo
  20. Virtual Networking - HyperV
     ● Three types
       ○ External - bridged to physical NIC
       ○ Internal - bridged to virtual NIC on host ("host-only")
       ○ Private - VM-only, no host connection
     demo
  21. Virtualizing Production Firewalls
     ● Can be a great fit
       ○ but not always
     ● Need a firewall to manage the virtualization environment? Keep at least 1 physical firewall!
  22. Virtualizing Production Firewalls
     ● Typical basic architecture
  23. Performance Considerations
     ● Some overhead vs. bare metal
       ○ many times doesn't matter
       ○ could be faster (vs. bare metal on slower hardware)
  24. Performance Considerations - HA
     ● Promiscuous mode often required for anything using virtual MACs
       ○ CARP, VRRP, HSRP
       ○ One MAC, or all the MACs
     ● With high traffic, can flood firewall NIC
  25. Test and Development Environments
  26. High Availability Considerations
     ● Hypervisor-level HA not a replacement for pfSense HA
  27. Virtual Hacks
     ● In a bind? Need a quick temporary fix?
  28. Questions?
     Feedback, comments, suggestions welcome to gold@pfsense.org
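Added example, not part of the slides or the pfSense project: a Python check for the CARP VHID conflicts the bridged-networking slide warns about, which also lists the virtual MACs a hypervisor has to deliver for the HA slide's promiscuous-mode point. The segment names, cluster names and VHIDs in the inventory are constructed.

```python
"""Check CARP/VRRP VHIDs shared across one broadcast domain.

CARP and VRRP derive their virtual MAC from the VHID/VRID as
00:00:5e:00:01:<id>, so two HA clusters bridged onto the same L2 segment
with the same VHID collide on MAC and on advertisements.  (HSRP uses a
different prefix and is not modelled here.)
"""
from collections import defaultdict


def carp_vmac(vhid: int) -> str:
    """Return the CARP/VRRP virtual MAC (IANA 00:00:5e:00:01:xx) for a VHID."""
    if not 1 <= vhid <= 255:
        raise ValueError(f"VHID must be 1..255, got {vhid}")
    return f"00:00:5e:00:01:{vhid:02x}"


def find_vhid_conflicts(segments):
    """segments: {segment_name: [(owner, vhid), ...]}.

    Returns {segment_name: {vhid: [owners, ...]}} for every VHID that more
    than one owner claims on the same segment.
    """
    conflicts = {}
    for seg, claims in segments.items():
        owners = defaultdict(list)
        for owner, vhid in claims:
            owners[vhid].append(owner)
        dup = {v: o for v, o in owners.items() if len(o) > 1}
        if dup:
            conflicts[seg] = dup
    return conflicts


def required_vmacs(segments):
    """Virtual MACs per segment that the vSwitch must pass to the firewall
    vNICs; without promiscuous mode a vNIC only receives its own MAC."""
    return {seg: sorted({carp_vmac(v) for _, v in claims})
            for seg, claims in segments.items()}


# Constructed inventory: two pfSense HA clusters plus a VRRP router.
INVENTORY = {
    "LAN-bridged": [("fw-cluster-a", 1), ("fw-cluster-b", 1), ("core-router-vrrp", 10)],
    "DMZ-vswitch": [("fw-cluster-a", 2), ("fw-cluster-b", 3)],
}

if __name__ == "__main__":
    for seg, dup in find_vhid_conflicts(INVENTORY).items():
        for vhid, who in dup.items():
            print(f"{seg}: VHID {vhid} ({carp_vmac(vhid)}) claimed by {', '.join(who)}")
    for seg, macs in required_vmacs(INVENTORY).items():
        print(f"{seg}: vSwitch must deliver {len(macs)} virtual MAC(s): {', '.join(macs)}")
```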
