Running Sophos UTM virtualized or on dedicated hardware?

Hi!
I have a computer with a Core i7 2600K, 32GB RAM, 4 Intel NICs, and I'm planning to run Sophos UTM on this as my primary firewall (home use with some internal and some public servers behind).

I think it is quite a waste to use the hardware as a firewall only; I don't think Sophos needs an i7 with 32GB RAM, or am I wrong?

I have been thinking a little about running ESXi on the machine to have some more VMs running on it in parallel with Sophos UTM.

I think the hardware can handle one or two VMs alongside a Sophos install..?

My biggest concern is the security: how secure is it to run the firewall virtualized? For some reason my heart screams a little when I'm thinking of running it virtualized, because a dedicated approach should be more secure, as you don't expose a virtualization platform to the net as you do with a virtualized approach.

But is it common that hackers find holes on the virtualization platform and can gain access to the internal lans? How safe are virtualization platforms nowadays?

I don't think it is an uncommon approach on companies to run it virtualized, but maybe I'm wrong. This is for personal use in a home environment, but I still want secure networks.

I may run it virtualized if you say that it is safe.. :P

 

For your information: I have a 250/100Mbps fiber connection to my house.

 

Thanks in advance!



  • widdde said:

    Hi!
    I have a computer with a Core i7 2600K, 32GB RAM, 4 Intel NICs, and I'm planning to run Sophos UTM on this as my primary firewall (home use with some internal and some public servers behind).

    I think it is quite a waste to use the hardware as a firewall only; I don't think Sophos needs an i7 with 32GB RAM, or am I wrong?

    I have been thinking a little about running ESXi on the machine to have some more VMs running on it in parallel with Sophos UTM.

    I think the hardware can handle one or two VMs alongside a Sophos install..?

    My biggest concern is the security: how secure is it to run the firewall virtualized? For some reason my heart screams a little when I'm thinking of running it virtualized, because a dedicated approach should be more secure, as you don't expose a virtualization platform to the net as you do with a virtualized approach.

    But is it common that hackers find holes on the virtualization platform and can gain access to the internal lans? How safe are virtualization platforms nowadays?

    I don't think it is an uncommon approach on companies to run it virtualized, but maybe I'm wrong. This is for personal use in a home environment, but I still want secure networks.

    I may run it virtualized if you say that it is safe.. :P

    For your information: I have a 250/100Mbps fiber connection to my house.

    Thanks in advance! 

    Widde,

    You can run Sophos SG UTM and XG Firewall virtualized, but in your situation, to do this you would have to allow the unfiltered traffic onto your network in order to filter it in a virtualized environment.  This is complicated and expensive for most home environments as it requires managed switches for VLANs and robust servers for virtualization.

    For most home settings, all you need to do is deploy the UTM/Firewall on a small firewall appliance in between your fiber gateway and your internal network.  The device required is a very simple computer with two or more Ethernet ports.  You can purchase a firewall computer with RAM and SSD installed, or you can purchase a barebones system and add your own RAM/storage.  In most cases, you don't need more than 8GB of RAM or 64GB of storage.  If you have an old computer lying around, you can use that too, but be warned that UTM and XG installers wipe the hard drive during installation.

    On your fiber connection, I would recommend a Protectli Vault.  It includes multiple ports for organizing your LAN, virtualization, Wi-Fi, and other networks.  Each port will become an interface.  Each interface can have a default LAN on which you can add layers of VLANs.  In the default Gateway mode, your UTM will be the network router, and through it, you can create, manage, and combine all the interfaces, LANs, or VLANs.  You can do a lot of other things too.  If you prefer to use your existing router as the network manager, you can set the UTM in a Bridge mode.

    I moved from the Sophos SG UTM to the Sophos XG Firewall.  It was easy because they use the same appliances.  My XG Firewall is in a ZBOX CI325 Nano with 4GB RAM and a 32GB SSD connected to an Arris SurfBoard SB6190 cable modem on a 350Mbps cable connection.  The Zbox only has two ports, WAN and LAN.  The only thing on the LAN is an Apple Time Machine in bridge mode.  This gives me two networks, the default LAN for my internal wired/wireless/backup network and Guest Wi-Fi on a separate VLAN.

  • Hi David and thanks for your response!

    Well, I'm not an ordinary home user; I already have 2x 24-port managed switches and 4x 8-port managed switches.

    I currently run Sophos UTM on hardware where I can't get full speed on my 250/100 Mbps connection with IPS enabled.

    The speed drops to about 100Mbps to 150Mbps. This is because Snort is single-threaded, and therefore I planned to beef up the CPU to a Core i7 (but run it in a virtualized environment).

    I'm already running a couple of VLANs in my home and will continue to do this after the change to other hardware.

    From my fiber connection I will connect ESXi on a dedicated network card that only the firewall will use, and all other networks will reside on another network card, the LAN side, in the virtualized firewall.

    My concern is whether ESXi will be a security issue because the firewall isn't the first physical box, but if ESXi doesn't listen on the interface where I plug the internet in, maybe it is a secure solution?

  • widdde said:

    Hi David and thanks for your response!

    Well, I'm not an ordinary home user; I already have 2x 24-port managed switches and 4x 8-port managed switches.

    I currently run Sophos UTM on hardware where I can't get full speed on my 250/100 Mbps connection with IPS enabled.

    The speed drops to about 100Mbps to 150Mbps. This is because Snort is single-threaded, and therefore I planned to beef up the CPU to a Core i7 (but run it in a virtualized environment).

    I'm already running a couple of VLANs in my home and will continue to do this after the change to other hardware.

    From my fiber connection I will connect ESXi on a dedicated network card that only the firewall will use, and all other networks will reside on another network card, the LAN side, in the virtualized firewall.

    My concern is whether ESXi will be a security issue because the firewall isn't the first physical box, but if ESXi doesn't listen on the interface where I plug the internet in, maybe it is a secure solution?

    Connecting the fiber gateway directly to your virtualization is super risky.  You're putting your entire virtualization setup at risk.  You really should put the UTM in its own box between your internet gateway and the network.

    The virtualization can also become a bottleneck and slow down the internet data flowing through it.  You will be tasking your CPU to do network control, IPS, and data filtering on top of the virtualization and the other OS's running in that virtualization.

    What's the point of moving to an I7 only to use a fraction of its potential in virtualization?

    Why run snort if your UTM does IPS?

    How are you receiving so much data to the internet that 100Mbps bandwidth is not enough?  What kind of data are you constantly receiving to your home that you need a full 250Mbps download?  I receive large video and database files from time to time.  That's the only reason I have 350Mbps; otherwise, 100Mbps would be more than enough.

     

  • My SOHO runs like this. Fibre modem plugs directly into Cisco switch on vlan X

    ESXi plugs into the switch using a trunk port. I actually have the ESXi server port-channelled (2 ports), and incoming/outgoing (WAN/LAN) traffic flows via this EtherChannel.

    Never had an issue and not really a security issue either.

    Well, I have googled a lot today and a lot of people run firewalls virtualized. Where do you get the information that it is super risky, and why is it super risky when the hypervisor doesn't listen to the net, just the firewall VM will do this?

    Regarding Snort, IPS is Snort in the UTM. I am running IPS on my current UTM and the IPS implementation in the UTM is running Snort.

    Well, if I'm paying for 250Mbps I want to utilize all the bandwidth; don't you want to use all the available bandwidth with your connection?
    You don't know what I do on my connection or why I want more than 100Mbps or how many users are sharing this connection. My family is backing up their computers to my servers once a day and it can be large files, and therefore I want more than 100Mbps. I don't understand why you think I should downgrade to 100Mbps just to fit my current box when I have a beefier computer that can run the UTM. That is just silly, I'm sorry.

    But that is not the question here. The question is if and how safe it is to run the firewall virtualized, and when googling, it is not as insecure as you say from what I can read.
    So if you can direct me to the information where it says it is super risky, I'm really glad to read that.


  • widdde said:

    Well, I have googled a lot today and a lot of people run firewalls virtualized. Where do you get the information that it is super risky, and why is it super risky when the hypervisor doesn't listen to the net, just the firewall VM will do this?

    Regarding Snort, IPS is Snort in the UTM. I am running IPS on my current UTM and the IPS implementation in the UTM is running Snort.

    Well, if I'm paying for 250Mbps I want to utilize all the bandwidth; don't you want to use all the available bandwidth with your connection?
    You don't know what I do on my connection or why I want more than 100Mbps or how many users are sharing this connection. My family is backing up their computers to my servers once a day and it can be large files, and therefore I want more than 100Mbps. I don't understand why you think I should downgrade to 100Mbps just to fit my current box when I have a beefier computer that can run the UTM. That is just silly, I'm sorry.

    But that is not the question here. The question is if and how safe it is to run the firewall virtualized, and when googling, it is not as insecure as you say from what I can read.
    So if you can direct me to the information where it says it is super risky, I'm really glad to read that.

    I never said there is nothing wrong with 250Mbps.  As I said, I have a 350Mbps connection, but I don't always use the entire bandwidth.  I have another location with a 500Mbps and 1G connection which is similar to your setup and needs.  Knowing how you are using your setup helps to better help you.  I interpreted what you typed as a separate deployment of Snort.

    Regardless, any internet traffic coming to your NIC (physical or virtual) is a potential point of entry.  The NIC itself can be attacked.  Your server OS, CPU, and RAM constantly communicate with your NICs.  From there, the hacker can gain access to the bus and RAM and other parts of your entire physical machine and virtualization setup.  Every other port on the server is a potential attack surface as well.  Simply plugging in a USB stick could take down your entire server.  The virtual UTM would not be able to detect nor prevent an attack on the hypervisor or on the physical server itself because the UTM is isolated in a virtual environment.  If the UTM was installed directly in a firewall appliance, the UTM would protect the host computer itself.

    The other ports into and out of your other NICs (virtual and physical) on that machine can also be attack points.  Any laptops, smartphones, tablets, or any other device (leaving your network and coming back to it on the wireless or wired side) can each be a carrier of malware that will enter your network from the internal Wi-Fi or switching.  Any new device you add to your internal network can be a new attack vector from within.  Depending on your particular setup, your UTM may or may not be able to detect or deter this from hurting you internally.  This particular UTM setup will only ensure the internet traffic coming in and going out is clean.

    The only way to prevent this kind of attack is to deploy a physical UTM or firewall in front of the virtual server or use security software on the physical host itself.  Sophos makes an agent that sits between BIOS and the OS/Hypervisor to protect the physical server as well as the OS, the hypervisor, and the virtual machines within; but you have to purchase this.  I have covered many datacenters with virtualization.  Your virtual UTM will do nothing to protect its physical machine or the hypervisor hosting the virtual machines within.

  • Okay, thanks for your response.
    I know that every device in the network and devices that are carried out of the network can be potentially dangerous, but somewhere we have to draw a line. This is my home network and I can't be that paranoid with phones carried in and out of the network and so on.

    But I understand your point about not virtualizing Sophos, and it was this answer I was looking for. I think I will run UTM on dedicated hardware. Right now it is running on a box with a J1900 Celeron (I think it is 2GHz per core) and 8 GB RAM. As I have understood, IPS can run multiple instances of Snort, and when I do a benchmark test of my speed I can't get more than 150Mbps on that particular connection, but when surfing on other sites while doing a test I can get more bandwidth because another core will take care of that connection. Am I right?

    It felt wrong to virtualize the firewall, but I wanted more information regarding this issue and exactly how insecure it is to expose the hypervisor.

    I have 2 servers running ESXi and both of them are behind my dedicated UTM today, and I think I will keep it that way. Maybe I will use my Core i7 with yet another ESXi install and run some VMs on it, and keep my J1900 Celeron box to continue to run Sophos on it (dedicated).

  • Dude, that was all FUD.  VM escape attacks are rare and you are not going to be targeted by these.  Just run it virtualized and be done with it.  VLAN your switch if you cannot physically segment and you will be fine.

  • Okay, I see, thanks for your response.
    I don't know what to think. Half the net seems to say it is totally OK to run it virtualized, and the rest says it is super insecure.

    My switches will be behind the LAN of the Sophos UTM; the ESXi box will have one of its NICs directly connected to the fiber box (to the net), and this network card will only be used by the Sophos UTM VM. On the LAN side of the UTM I will divide my network into some more VLANs..

    (Fiber box (internet)) -> ESXi box with a NIC connected to Sophos UTM VM -> LAN side with x VLANs -> Switches that have VLAN configurations -> servers and clients on different VLANs. (The UTM has the rules for which computer can talk to which server and so on, so all traffic will go through the UTM between the VLANs.)

    I can see why people think this can be dangerous, because the ESXi box with its OS is connected physically to the net running a virtual firewall, but if nothing in the ESXi host is listening on the card that is connected to the WAN NIC in my ESXi, how insecure is that?

  • darrellr said:

    Dude, that was all FUD.  VM escape attacks are rare and you are not going to be targeted by these.  Just run it virtualized and be done with it.  VLAN your switch if you cannot physically segment and you will be fine.

     

    I completely agree!

     

    I run this on my home lab in 3 locations, all virtual and in VMware. We even have 100s of virtual UTMs at customer sites. So dedicated HW at home for UTM is so last year, IF you have a big server for that - my opinion :-)

    But it takes a little more experience with VMware; but if your physical server has two NICs, there is no need to go down that VLAN road :-)

    I needed to go with this CPU to make IPS / snort fully support my 300MB connection :-)

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v20 Technician

  • Thanks for your response!

     

    My server has 4 physical Intel NICs. One of them will be used only by the Sophos UTM. (And regarding the CPU, I will only run one or two small VMs on the server, and Sophos UTM of course.)
    Unfortunately I can't pass through the network card to the Sophos VM, because my Core i7 2600K does not have VT-d (the K model does not have this).

    Will this be an issue?

  • widdde said:

    Thanks for your response!

     

    My server has 4 physical Intel NICs. One of them will be used only by the Sophos UTM.
    Unfortunately I can't pass through the network card to the Sophos VM, because my Core i7 2600K does not have VT-d (the K model does not have this).

    Will this be an issue?

     

    Absolutely not. Just create a new vSwitch in VMware and add the physical NIC to it; after that, create a new NIC in the Sophos VM that's assigned to the new vSwitch port group :-)

    VMDirectPath is only needed in special setups, e.g. graphics VDI and so on.

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v20 Technician
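The layout Martin describes above (a separate vSwitch whose only uplink is the physical WAN NIC, with a port group that only the UTM's vNIC joins) is also the answer to widdde's earlier question of whether anything on the ESXi host listens on the internet-facing card. The script below is an added example written for this thread; it is not code from Sophos, VMware or anyone posting here. It audits a constructed, simplified model of a host's standard-vSwitch layout for exactly that property: no VMkernel interface on the WAN vSwitch, no VM other than the firewall on it, a single uplink, and a least-privilege port security policy. All names in it (vSwitchWAN, WAN-PG, sophos-utm, vmnic0, fileserver) are made-up placeholders, and the model is hand-built rather than read from a live host.

```python
"""Audit an ESXi standard-vSwitch layout: the hypervisor itself must have no
IP presence on the WAN uplink, and only the firewall VM may attach to it.

Constructed, simplified host model (not read from a live ESXi box; names are
placeholders): which physical NICs uplink which vSwitch, which port groups hang
off it, which VMkernel interfaces (the hypervisor's own IP stack) and VM vNICs
attach to those port groups, and the port-group security policy.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class VSwitch:
    uplinks: List[str]                      # physical NICs, e.g. ["vmnic0"]
    portgroups: List[str]                   # port groups on this vSwitch
    promiscuous_allowed: bool = False       # security policy: Promiscuous mode
    forged_transmits_allowed: bool = False  # security policy: Forged transmits


@dataclass
class Host:
    vswitches: Dict[str, VSwitch]
    vmk: Dict[str, str]                     # VMkernel interface -> port group
    vm_vnics: Dict[str, List[str]]          # VM name -> port groups of its vNICs


def vswitch_for_nic(host: Host, nic: str) -> Optional[str]:
    """Name of the vSwitch that a physical NIC uplinks, or None."""
    for name, vs in host.vswitches.items():
        if nic in vs.uplinks:
            return name
    return None


def audit_wan_isolation(host: Host, wan_nic: str, firewall_vm: str) -> List[str]:
    """Return findings; an empty list means only the firewall VM can reach the
    WAN uplink and the hypervisor does not listen on it."""
    findings: List[str] = []
    vs_name = vswitch_for_nic(host, wan_nic)
    if vs_name is None:
        return [f"{wan_nic} is not an uplink of any vSwitch"]
    vs = host.vswitches[vs_name]
    wan_pgs = set(vs.portgroups)

    # 1. No VMkernel interface (management, vMotion, storage) on the WAN side:
    #    that is what "ESXi listening on the internet-facing NIC" means.
    for vmk, pg in host.vmk.items():
        if pg in wan_pgs:
            findings.append(f"{vmk} (hypervisor IP stack) is on WAN vSwitch {vs_name} via {pg}")

    # 2. Only the firewall VM attaches; any other VM would sit on the unfiltered side.
    for vm, pgs in host.vm_vnics.items():
        if vm != firewall_vm and wan_pgs.intersection(pgs):
            findings.append(f"VM {vm} has a vNIC on WAN vSwitch {vs_name}")

    # 3. The firewall VM must actually have a vNIC there, or WAN traffic goes nowhere.
    if not wan_pgs.intersection(host.vm_vnics.get(firewall_vm, [])):
        findings.append(f"firewall VM {firewall_vm} has no vNIC on WAN vSwitch {vs_name}")

    # 4. A shared uplink would bridge the internet into a LAN segment at layer 2,
    #    bypassing the firewall VM entirely.
    extra = [u for u in vs.uplinks if u != wan_nic]
    if extra:
        findings.append(f"WAN vSwitch {vs_name} also uplinks {', '.join(extra)}")

    # 5. Least privilege on the port: the firewall's vNIC needs neither
    #    promiscuous mode nor forged transmits on the WAN side.
    if vs.promiscuous_allowed:
        findings.append(f"promiscuous mode is allowed on WAN vSwitch {vs_name}")
    if vs.forged_transmits_allowed:
        findings.append(f"forged transmits are allowed on WAN vSwitch {vs_name}")
    return findings


def good_host() -> Host:
    """Constructed layout following the thread's advice: vmnic0 -> dedicated
    WAN vSwitch -> one port group -> UTM VM only; vmk0 stays on the LAN side."""
    return Host(
        vswitches={
            "vSwitchWAN": VSwitch(uplinks=["vmnic0"], portgroups=["WAN-PG"]),
            "vSwitchLAN": VSwitch(uplinks=["vmnic1"], portgroups=["LAN-PG", "Management"]),
        },
        vmk={"vmk0": "Management"},
        vm_vnics={"sophos-utm": ["WAN-PG", "LAN-PG"], "fileserver": ["LAN-PG"]},
    )


def bad_host() -> Host:
    """Constructed layout with the mistakes the thread worries about: vmk0 and
    a second VM on the WAN vSwitch, which also shares its uplinks."""
    return Host(
        vswitches={
            "vSwitch0": VSwitch(uplinks=["vmnic0", "vmnic1"],
                                portgroups=["VM Network", "Management Network"],
                                promiscuous_allowed=True),
        },
        vmk={"vmk0": "Management Network"},
        vm_vnics={"sophos-utm": ["VM Network"], "fileserver": ["VM Network"]},
    )


if __name__ == "__main__":
    for label, host in (("good", good_host()), ("bad", bad_host())):
        print(label, "->", audit_wan_isolation(host, "vmnic0", "sophos-utm") or "no findings")
```

On a real host the same facts come from the vSwitch, port-group and VMkernel-interface listings in the vSphere client; the value of writing the rule down as code is that the check can be re-run after every change to the host's networking, which is when a management vmk tends to end up on the wrong vSwitch.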

  • Thank you!
    Will try this in my lab box first! :)

  • widdde said:

    Okay, thanks for your response.
    I know that every device in the network and devices that are carried out of the network can be potentially dangerous, but somewhere we have to draw a line. This is my home network and I can't be that paranoid with phones carried in and out of the network and so on.

    But I understand your point about not virtualizing Sophos, and it was this answer I was looking for. I think I will run UTM on dedicated hardware. Right now it is running on a box with a J1900 Celeron (I think it is 2GHz per core) and 8 GB RAM. As I have understood, IPS can run multiple instances of Snort, and when I do a benchmark test of my speed I can't get more than 150Mbps on that particular connection, but when surfing on other sites while doing a test I can get more bandwidth because another core will take care of that connection. Am I right?

    It felt wrong to virtualize the firewall, but I wanted more information regarding this issue and exactly how insecure it is to expose the hypervisor.

    I have 2 servers running ESXi and both of them are behind my dedicated UTM today, and I think I will keep it that way. Maybe I will use my Core i7 with yet another ESXi install and run some VMs on it, and keep my J1900 Celeron box to continue to run Sophos on it (dedicated).

     

     
    Widde,
     
    The throughput test results and limits vary depending on many factors.  When using the macOS Speedtest app from Ookla, I get 100Mbps if FTP scanning, IPS, and other options are on.  With certain settings off, the test shows my full 350Mbps bandwidth.  Regardless of these settings on or off, I get the full 350Mbps results if I use the Ookla website http://beta.speedtest.net to test. That's because the only Traffic Shaping I have on Web Scanning is VOIP priority.
     
    I agree that having the UTM at the head of your network in Gateway mode is best.  This is not just for security reasons. This is because it allows you to use the UTM for what it is built for.  If the UTM was internal with nothing at your "head", I would deploy something extra to protect the Host Server, its OS, and the Hypervisor; like Sophos Server Protection or VMware NSX.  That would protect everything on the server as well as flowing through it.  This would also protect the UTM and eliminate many of the self-protection features you have activated in your virtual UTM - allowing your UTM to run super lean and focus on protecting what is down the internal network instead of protecting the individual VM it is in.
     
    As far as virtualization vs physical, all I'm saying is that a virtual deployment of the UTM isn't going to protect everything.  Depending on the specific issues and threats you identify, this setup may or may not be a good idea.  A virtual UTM will protect the communication and devices on the network connected to it.  The virtual UTM can't protect the physical host it is in nor the hypervisor managing its virtual state.  It also can't protect the physical NICs, USB, Bluetooth, Wi-Fi, or other ports/networks on the server, whether it uses them or not.
     
    In other words:
    1. Is the UTM and its assigned network safe?  Sure.  It's safer than not having the virtual UTM inline.  There are still so many ways malware can creep in through memory, hypervisor, physical host ports, KVM, and remote/virtual desktop connections.
     
    2. Is the host server and its virtualization environment safe?  What about the other networks/devices not connected through the virtual UTM?  NOPE, not unless you have something else covering those.  In reality, you do to a certain degree.  Most vendors require or recommend you run on Intel chips. A big reason is so that the built-in McAfee security system can hopefully catch and stop certain malware before it corrupts key processes, but this is not an all inclusive protection system to be relied upon by itself.
     
    DarrellR claims that VMware attacks are rare.  If that is so, why are VMware, Sophos, Symantec, Palo Alto, and so many major security vendors in a rush to ensure they have virtualization covered?  Well, it's because virtualization is the easiest and fastest way to deploy malware, specifically ransomware.  It's so easy to do.  Any Keyboard/Mouse/Video or connection can allow malware to inject into your VMware because it connects to the VM holding the UTM, not to the UTM.  Any USB, network, or optical drive connection can also provide the same problems in the same ways.  All these vectors I mentioned can be in one single virtual desktop client.  Your shared resources of CPU, RAM, and storage systems NAS/SAN can also be a vector for injection.  The list goes on and on.
     
     
  • David Birdsall said:
    DarrellR claims that VMware attacks are rare.  If that is so, why are VMware, Sophos, Symantec, Palo Alto, and so many major security vendors in a rush to ensure they have virtualization covered?  Well, it's because virtualization is the easiest and fastest way to deploy malware, specifically ransomware.  It's so easy to do.  Any Keyboard/Mouse/Video or connection can allow malware to inject into your VMware because it connects to the VM holding the UTM, not to the UTM.  Any USB, network, or optical drive connection can also provide the same problems in the same ways.  All these vectors I mentioned can be in one single virtual desktop client.  Your shared resources of CPU, RAM, and storage systems NAS/SAN can also be a vector for injection.  The list goes on and on.
     

     

    Virtualization is covered because it sells agents.  FUD sells agents.  Do you have any evidence that virtualization escapes are NOT rare?  What the hell does virtualization have to do with malware/ransomware spreading?  Where are you seeing this as an attack vector?  The MOST likely method of infection will be phishing or drive-bys on websites.  Some consumer gateways have vulnerabilities that lead to C2 infections.  But VM escapes or attacks on the hypervisor from a guest machine just don't happen.  Imagine the fallout if those were common.  Hosting companies would be shutting down en masse.   VMware would be out of business.  Amazon would have to shut down AWS.  Seriously.  This is FUD, pure and simple (at least until it is not).  For a home user, dedicating all that hardware to a UTM is a waste of resources.  They are far more likely to visit a shady p0rn site or get hit with malvertising or have an asteroid fall on their house than they are to be compromised by a VM escape attack these days.

    Again, what you are recommending is solid for large business, but SMB and definitely home, this is good enough.