
Running Sophos UTM virtualized or on dedicated hardware?

Hi!
I have a computer with a Core i7 2600K, 32GB RAM, 4 Intel NICs, and I'm planning to run Sophos UTM on this as my primary firewall (home use with some internal and some public servers behind).

I think it is quite a waste to use the hardware as a firewall only; I don't think Sophos needs an i7 with 32GB RAM, or am I wrong?

I have a little thought to run ESXi on the machine to have some more VMs running on it in parallel with Sophos UTM.

I think the hardware can handle one or two VMs alongside a Sophos install..?

 

My biggest concern is security: how secure is it to run the firewall virtualized? For some reason my heart screams a little when I'm thinking of running it virtualized, because a dedicated approach should be more secure: you don't expose a virtualization platform to the net as you do with a virtualized approach.

But is it common that hackers find holes in the virtualization platform and can gain access to the internal LANs? How safe are virtualization platforms nowadays?

I don't think it is an uncommon approach in companies to run it virtualized, but maybe I'm wrong. This is for personal use in a home environment, but I still want secure networks.

I may run it virtualized if you say that it is safe.. :P

 

For your information: I have a 250/100Mbps fiber connection to my house.

 

Thanks in advance!



  • Widde,

    You can run Sophos SG UTM and XG Firewall virtualized, but in your situation, to do this, you would have to allow the unfiltered traffic onto your network in order to filter it in a virtualized environment.  This is complicated and expensive for most home environments as it requires managed switches for VLANs and robust servers for virtualization.

    For most home settings, all you need to do is deploy the UTM/Firewall on a small firewall appliance in between your fiber gateway and your internal network.  The device required is a very simple computer with two or more ethernet ports.  You can purchase a firewall computer with RAM and SSD installed, or you can purchase a barebones system and add your own RAM/storage.  In most cases, you don't need more than 8GB of RAM or 64GB of storage.  If you have an old computer laying around, you can use that too, but be warned that UTM and XG installers wipe the hard drive during installation.

    On your fiber connection, I would recommend a Protectli Vault.  It includes multiple ports for organizing your LAN, virtualization, Wi-Fi, and other networks.  Each port will become an interface.  Each interface can have a default LAN on which you can add layers of VLANs.  In the default Gateway mode, your UTM will be the network router, and through it, you can create, manage, and combine all the interfaces, LANs, or VLANs.  You can do a lot of other things too.  If you prefer to use your existing router as the network manager, you can set the UTM in a Bridge mode.

    I moved from the Sophos SG UTM to the Sophos XG Firewall.  It was easy because they use the same appliances.  My XG Firewall is in a ZBOX CI325 Nano with 4GB RAM and a 32GB SSD connected to an Arris SurfBoard SB6190 cable modem on a 350Mbps cable connection.  The ZBOX only has two ports, WAN and LAN.  The only thing on the LAN is an Apple Time Machine in bridge mode.  This gives me two networks, the default LAN for my internal wired/wireless/backup network and Guest Wi-Fi on a separate VLAN.

  • Hi David and thanks for your response!

    Well, I'm not an ordinary home user, I already have 2x 24 ports managed switches and 4 x 8 ports managed switches.

    I currently run Sophos UTM on hardware where I can't get full speed on my 250/100 Mbps connection with IPS enabled.

    The speed drops about 100Mbps to 150Mbps; this is because Snort is single-threaded and therefore I planned to beef up the CPU to a Core i7 (but run it in a virtualized environment).

    I'm already running a couple of vlans in my home and will continue to do this after the change to other hardware.

     

    From my fiber connection I will connect ESXi on a dedicated network card that only the firewall will use, and all other networks will reside on another network card, the LAN side, in the virtualized firewall.

    My concern is if ESXi will be a security issue because the firewall isn't the first physical box, but if ESXi doesn't listen on the interface where I plug the internet in, maybe it is a secure solution?

  • Without wading into this too much, you will be fine on ESXi.

    Think along the lines of IP addressing and routable/non-routable IP addresses.

    The only entry from outside is via a router or UTM, not ESXi etc. If they compromise your UTM/router, e.g. via poor configuration etc., effectively they could get on your internal protected resources, at which time it doesn't matter whether it's virtual or not.

    You will be fine with VLANs or separate NICs and virtualised. Heck, all my internet/internal traffic runs down the same port channel cable separated by VLANs/ACLs. I don't use separate NICs for internet/LAN etc.
    Traffic coming from the internet on 8.x.x.x simply ain't going to cross over into 10.1.1.0/24 etc. unless I allow it to. Now, if the UTM became compromised, e.g. weak encrypted password for admin etc., then I may have an issue, but that lies with the UTM, not the hypervisor, NICs etc.

    Been running like this since the dawn of ESXi 4. It's not a problem, although I would advise that you do use proper separation, e.g. your VMs aren't on the same network as your hypervisor.

    Use the usual stuff, e.g. strong encrypted passwords, UTM admin interface not accessible from the internet, lockouts and all the functions the UTM offers etc., and you will be fine.

     

    Larger corporate networks have their own issues, e.g. attacks from within etc., and as such need further levels of separation, resilience, monitoring etc.
    As mentioned, take a cost/risk-based approach to it, and for a SOHO or SMB it's fine. Everybody values their data but there does come a time when the effort/cost may not be worth it.
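The isolation widdde describes (a physical NIC reserved for the firewall VM's WAN side, the hypervisor not listening on it) and the separation the reply above advises (VMs not on the same network as the hypervisor's management interface) can be checked rather than assumed. The following is an added example, not code from this thread or from VMware: it parses the text that `esxcli network vswitch standard list`, `esxcli network ip interface list` and `esxcli network vswitch standard portgroup list` print on an ESXi host, and flags a VMkernel port bound to the WAN vSwitch, extra portgroups on that vSwitch, and a VM portgroup sharing the management VLAN. The outputs embedded below are constructed to match that format, not captures from a real host; the names vSwitchWAN, WAN-Uplink and vmnic3 are assumptions.

```python
import re

# Constructed sample in the format of `esxcli network vswitch standard list` (not a real capture).
VSWITCHES = """\
vSwitch0
   Name: vSwitch0
   Class: cswitch
   Num Ports: 2560
   Used Ports: 6
   Uplinks: vmnic0, vmnic1
   Portgroups: LAN-Trunk, VM Network, Management Network

vSwitchWAN
   Name: vSwitchWAN
   Class: cswitch
   Num Ports: 2560
   Used Ports: 2
   Uplinks: vmnic3
   Portgroups: WAN-Uplink
"""

# `esxcli network ip interface list`: the hypervisor's own IP stacks. Good case: one vmk, on the LAN switch only.
VMK_OK = """\
vmk0
   Name: vmk0
   MAC Address: 00:50:56:aa:bb:cc
   Enabled: true
   Portset: vSwitch0
   Portgroup: Management Network
   Netstack Instance: defaultTcpipStack
"""

# Bad case: a second VMkernel port was added on the WAN switch, so ESXi itself listens on the internet side.
VMK_BAD = VMK_OK + """
vmk1
   Name: vmk1
   MAC Address: 00:50:56:aa:bb:cd
   Enabled: true
   Portset: vSwitchWAN
   Portgroup: WAN-Uplink
   Netstack Instance: defaultTcpipStack
"""

# `esxcli network vswitch standard portgroup list`: VLAN tag per portgroup (4095 = pass all VLANs to the VM).
PORTGROUPS_OK = """\
Name                Virtual Switch  Active Clients  VLAN ID
------------------  --------------  --------------  -------
LAN-Trunk           vSwitch0                     1     4095
VM Network          vSwitch0                     3       10
Management Network  vSwitch0                     1       99
WAN-Uplink          vSwitchWAN                   1        0
"""

# Bad case: the VM portgroup sits on the management VLAN, so a compromised VM is on the hypervisor's network.
PORTGROUPS_BAD = PORTGROUPS_OK.replace(
    "VM Network          vSwitch0                     3       10",
    "VM Network          vSwitch0                     3       99")


def parse_blocks(text):
    """Parse `esxcli ... list` output: an unindented name line followed by indented 'Key: value' lines."""
    blocks, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            current = line.strip()
            blocks[current] = {}
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            blocks[current][key.strip()] = value.strip()
    return blocks


def parse_table(text):
    """Parse the column table (cells separated by two or more spaces) used by the portgroup listing."""
    lines = [l for l in text.splitlines() if l.strip() and not set(l.strip()) <= {"-", " "}]
    header = re.split(r"\s{2,}", lines[0].strip())
    return [dict(zip(header, re.split(r"\s{2,}", l.strip()))) for l in lines[1:]]


def audit(vswitch_text, vmk_text, portgroup_text, wan_uplink):
    """Return a list of findings; an empty list means the WAN NIC is reserved for the firewall VM."""
    vswitches, vmks, portgroups = parse_blocks(vswitch_text), parse_blocks(vmk_text), parse_table(portgroup_text)
    findings = []
    wan_switch = next((name for name, v in vswitches.items()
                       if wan_uplink in [u.strip() for u in v.get("Uplinks", "").split(",")]), None)
    if wan_switch is None:
        return [f"no vSwitch uses {wan_uplink} as an uplink"]
    # 1. The hypervisor must have no IP stack on the WAN switch: ESXi would be the first box the internet talks to.
    for name, vmk in vmks.items():
        if vmk.get("Portset") == wan_switch:
            findings.append(f"{name} is bound to {wan_switch}: the hypervisor listens on the WAN uplink")
    # 2. Only the firewall VM's WAN portgroup should live on that switch.
    wan_pgs = [pg["Name"] for pg in portgroups if pg["Virtual Switch"] == wan_switch]
    if len(wan_pgs) != 1:
        findings.append(f"{wan_switch} carries {len(wan_pgs)} portgroups: {wan_pgs}")
    # 3. No VM portgroup may share the VLAN of a portgroup that carries a VMkernel (management) interface.
    mgmt_pgs = {vmk.get("Portgroup") for vmk in vmks.values()}
    for pg in portgroups:
        if pg["Name"] in mgmt_pgs:
            shared = [o["Name"] for o in portgroups if o["Name"] != pg["Name"]
                      and o["Virtual Switch"] == pg["Virtual Switch"] and o["VLAN ID"] == pg["VLAN ID"]]
            if shared:
                findings.append(f"management portgroup {pg['Name']} shares VLAN {pg['VLAN ID']} with {shared}")
    return findings


if __name__ == "__main__":
    for label, vmk, pgs in (("good", VMK_OK, PORTGROUPS_OK), ("bad", VMK_BAD, PORTGROUPS_BAD)):
        print(label, audit(VSWITCHES, vmk, pgs, "vmnic3") or ["no findings"])
```

Run the three esxcli commands over SSH on the host, feed their output to audit(), and treat any finding as something to fix before the fiber drop is plugged into that NIC. The first check is the one widdde is asking about: a VMkernel port on the WAN vSwitch is precisely the case where the hypervisor, not the UTM, is exposed to the internet.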

  • Thank you for your involvement in this hot topic! :D

     

    Of course I will separate UTM admin on a separate VLAN (my management VLAN) and never ever expose UTM admin on the net side.

    I have separated servers from clients as well as IoT devices; they all have their own VLANs and are routed in the UTM.
    Servers cannot access clients, some clients can access some servers and so on. :)

    But right now the UTM is on a separate, pretty slow, box and I will maybe move it to a virtualized one. I have not decided how to do it yet.

    I think that is what David was missing: there is no underlying user OS like VirtualBox running under Windows or Linux with ESXi.  It is, and only is, the hypervisor.

    On another note, though, do keep a watch on the KAISER issue with Intel CPUs.  The more I look at the code the more concerned I am getting about the possibility of VM escape.  I believe patches will be available for platforms like ESXi before public exploits are available, but if that comes to pass, be prepared to patch.  At this time, it appears that reading from ring3 (user space) to ring0 (privileged kernel space) may be possible in some scenarios.  Combined with other attacks, though, it could be dangerous.  NOT because you are running in a virtualized environment, though, but because of local privilege escalation.  In your case, they would need to compromise some VM on your hypervisor, then read privileged memory long enough to get meaningful information, then potentially use that information to escalate privileges (potentially up to the hypervisor).  Again, though, this is not a malware spreading issue or botnet; this is a hands-on-keyboard security issue that would require you to be specifically targeted and have other exploitable vulnerabilities exposed (which is kind of what a next-gen UTM helps to protect against).

    For review:  hxxps://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/ and other sites, shouldn't be too hard to find info.

  • The link you posted was very interesting! I have missed this issue during the weekends. Sounds VERY serious.

    I have just ordered an AMD Ryzen 7, thank god for that ;)

    But the UTM is running on a pretty old J1900 Celeron and will probably be affected..?  Maybe it is better to switch to my Ubiquiti EdgeRouter until this hole is fixed?

    I am not making any, or even planning to make any, changes in my environment at this time.  I would not hesitate to deploy due to the bug, only pointing out that a potentially serious issue is looming.  This is sort of similar to the Heartbleed issue, but requires local system access and may be able to get more sensitive information from the system kernel itself.  Build away, IMHO.
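"Be prepared to patch" raises the practical question of how to confirm, on a given Linux box (the UTM itself is Linux-based, as are most of the guests in a setup like this), whether the kernel-side mitigation for the KAISER issue is actually active. The following is an added example, not code from this thread or from Sophos: it reads the per-issue status files that Linux kernels from 4.15 onward expose under /sys/devices/system/cpu/vulnerabilities and, on older kernels that lack that directory, falls back to the `bugs` and `flags` fields of /proc/cpuinfo, where a `pti` flag means page-table isolation (the KPTI/KAISER mitigation) is on. The file contents embedded below are constructed samples in the kernel's wording, not readings from a real machine. It says nothing about the ESXi host, which exposes no such interface; for the hypervisor the vendor's patch level is the only check.

```python
import os

VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"


def read_live():
    """Read the real sysfs files and /proc/cpuinfo on this host (empty dict on kernels before 4.15)."""
    files = {}
    if os.path.isdir(VULN_DIR):
        for name in os.listdir(VULN_DIR):
            with open(os.path.join(VULN_DIR, name)) as fh:
                files[name] = fh.read()
    cpuinfo = ""
    if os.path.exists("/proc/cpuinfo"):
        with open("/proc/cpuinfo") as fh:
            cpuinfo = fh.read()
    return files, cpuinfo


def classify(text):
    """Map one sysfs status line to a coarse verdict (the kernel prefixes are stable; details after ':' vary)."""
    t = text.strip()
    if t.startswith("Not affected"):
        return "not_affected"
    if t.startswith("Mitigation:"):
        return "mitigated"
    if t.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def cpuinfo_tokens(cpuinfo, key):
    """Union of the whitespace-separated tokens of every '<key> : ...' line (one line per logical CPU)."""
    tokens = set()
    for line in cpuinfo.splitlines():
        k, sep, v = line.partition(":")
        if sep and k.strip() == key:
            tokens |= set(v.split())
    return tokens


def assess(vuln_files, cpuinfo):
    """Per-issue status; falls back to cpuinfo for Meltdown when the sysfs directory is absent."""
    status = {name: classify(content) for name, content in vuln_files.items()}
    if "meltdown" not in status:
        bugs = cpuinfo_tokens(cpuinfo, "bugs")
        flags = cpuinfo_tokens(cpuinfo, "flags")
        # Early 4.14.x kernels spelled the bug flag cpu_insecure; it was then renamed cpu_meltdown.
        if bugs & {"cpu_meltdown", "cpu_insecure"}:
            status["meltdown"] = "mitigated" if "pti" in flags else "vulnerable"
        else:
            status["meltdown"] = "unknown"   # too old to report at all: treat as unpatched
    return status


def needs_attention(status):
    """Issues to chase: anything the kernel reports as vulnerable, or cannot report on."""
    return sorted(k for k, v in status.items() if v in ("vulnerable", "unknown"))


# Constructed sample file contents (kernel wording), not read from a real machine.
INTEL_PATCHED = {"meltdown": "Mitigation: PTI\n",
                 "spectre_v1": "Mitigation: __user pointer sanitization\n",
                 "spectre_v2": "Mitigation: Full generic retpoline\n"}
INTEL_UNPATCHED = {"meltdown": "Vulnerable\n", "spectre_v1": "Vulnerable\n", "spectre_v2": "Vulnerable\n"}
AMD = {"meltdown": "Not affected\n",
       "spectre_v1": "Mitigation: __user pointer sanitization\n",
       "spectre_v2": "Mitigation: Full AMD retpoline\n"}
# Constructed /proc/cpuinfo excerpt for a kernel that has the bug flag but not the sysfs directory.
OLD_KERNEL_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
model name\t: Intel(R) Core(TM) i7-2600K CPU @ 3.40GHz
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush
bugs\t\t: cpu_meltdown
"""

if __name__ == "__main__":
    live = assess(*read_live())
    print("this host:", live, "needs attention:", needs_attention(live))
```

On the hosts in this thread the interesting line is the one for meltdown: a Ryzen guest should read "not_affected", an unpatched Sandy Bridge or J1900 guest "vulnerable" until the distribution kernel with PTI is installed, and an old kernel that cannot even say "unknown", which for patching purposes means the same as vulnerable.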

    Well, if it requires local access I'm not worried at all. No one that enters my house has any knowledge or interest to touch my servers anyway :)

    I'm only worried about intruders from the net. I don't have any sensitive data, but still I don't want unwanted visitors in my lans.

  • widdde said:

    Yes I understand both of you.

    One question here: You are linking to VirtualBox that runs on Windows or Mac; I am talking about VMWare ESXi, which is a dedicated virtualization platform.. I would never run UTM in VirtualBox in Windows.. That I see as a big security risk because all traffic will go through Windows first..

    As said, I am talking about ESXi, which also is free for personal use, and the question regarded running UTM on ESXi.

    Widde,

    No worries.  I know you understand all of us.

    I have all kinds of clients with all kinds of setups, so I must use all kinds of virtualization: bare-metal, OS-based, NAS/SAN-based, etc.  In my previous reply, I was simply giving an example of a really simple, cheap, effective option for deployment of an SG UTM or XG Firewall (other than using an old computer you already have laying around) as part of an overall basic solution that fits many use-cases in homes and businesses.  The software listed after that setup were options for what one could use if they wanted to operate on free software.  As you are already aware, other free options exist.   Before that, I had been suggesting solutions for your VMWare ESXi setup.  The VMWare NSX I suggested earlier only works on VMWare.  

    What many people don't realize is that the UTM/Firewall doesn't decrypt and scan HTTPS by default.  All your social media, email, text messaging, peer-to-peer, online banking, and many other sites are now encrypted.  In many cases, your VMs will have encrypted communication with the internet also.  All these avenues are ports into virtualization and devices.  This is how malware gets into and "escapes" from VMs and devices.  ESXi has some built-in security that will stop certain malware that corrupts key parts of VMWare virtualization, but it won't find or stop other kinds of malware.

    Social media, email, P2P, and malicious sites are some of the most common avenues by which malware enters and infects networks and devices.   Many of these sites and services run on virtualization.  Virtualization operates in most of the data centers and content delivery networks around the world.  These virtualized systems provide many of the sites and services we all use every day.  I find malware-infected emails all the time in virtual Microsoft Exchange servers both at Azure and in on-premises virtualization environments.  I find the same things in Gmail and G Suite.  When working with clients on their VDI, I find all kinds of infected downloads, infected emails, and URLs to malicious web sites hosted on virtual services at AWS, Google, RackSpace, Azure, etc.  When 

    Clients communicate with virtualization and other devices through encryption.  Sure, it's all going through the virtual firewall/UTM, but the UTM/Firewall is NOT going to be able to scan any encrypted packet data coming in or going out - unless you work on certificates and settings in order to allow HTTPS scanning to work for all your devices.  Most home owners and business administrators aren't going to take the time to do this.  The only thing the UTM/Firewall will do then is scan the header of the encrypted packet and report or drop any coming from or going to a suspicious address.  But how many suspicious addresses do you have on your network?

    UTMs and Firewalls don't scan computers or devices, nor can a UTM/Firewall remove malware from a computer or device.  You won't find any websites or services that remotely scan and clean malware from devices because the only way to reliably do it is on the device itself.  The most effective way to protect a computer or other device is to have anti-malware on it.  This is why I suggested Sophos Server Protection and VMWare NSX for your VMWare in an earlier reply.  If you haven't already, you may also want to consider adding Sophos Home to your computers and Sophos Mobile Security for your Android and iOS devices.  *Before Darell freaks out again, know that Sophos Mobile Security for iOS does not search for nor remove malware from iOS devices; it merely ensures you are using the most current version of iOS.  Other features are included, such as a QR Code scanner to protect your device from QR Code malware.

    I'm not discounting a virtualized UTM or Firewall.  It fits certain needs.  I know from experience that the virtual UTM/Firewall option is not going to protect your VMWare host and other network devices in the way Darell and others claim it will.  I've seen many cases where ransomware and other malware got into host servers and virtual networks with virtualized UTM/Firewalls and took down a large business or a celebrity estate by smartly taking control of the host/hypervisor and shutting down key ports/services, or deployed a small amount of encryption in the right place.  If you or others feel a virtual UTM/Firewall setup fits your needs, go ahead, have at it.  I can't stop you.

    *There is no reason why one couldn't run a UTM/Firewall in VirtualBox, depending on your needs and security considerations.   Most people running a UTM/Firewall in a VirtualBox, VMWare Fusion, or Parallels Desktop environment are doing it for a demonstration or a test.  I do it all the time to show people what products and services look like and how one might use them.

    *Your server doesn't have to be touched in order for you to be hit.  One of your other computers or devices can be used to mess with your network.  If that computer or device has Wi-Fi capability and you have a close enough neighbor with a not-so-great Wi-Fi system, there's another way out.  Phones and cellular tablets are great for this type of "escape" because they are not moving around much, they are usually on both Wi-Fi and Cellular at the same time - and sometimes USB or Bluetooth too.  They can also carry a payload or stolen data to be released on another network at your work, friend/relative's location, or any other network you connect to.  This depends on the device you have, the security you have on them, and how you use them.
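David's point that a UTM which is not decrypting HTTPS only sees "the header" decides what a firewall rule can act on, so it is worth making concrete. The following is an added example, not code from this thread, from Sophos or from any firewall product: it builds a minimal TLS ClientHello (a constructed sample, not a capture) and then extracts from it exactly what a non-decrypting inspection point can read: the TLS version, the offered cipher suites and, when the client sends one, the Server Name Indication (SNI) hostname. The HTTP request, URL path and response body are inside the encrypted records that follow and are invisible to it. The hostname blocklist in `policy_decision` is a placeholder for a UTM's URL/hostname categories.

```python
import struct

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def build_client_hello(server_name=None):
    """Build a minimal, valid TLS ClientHello record (constructed sample input, not a capture)."""
    random_bytes = bytes(range(32))               # fixed instead of os.urandom so runs are reproducible
    session_id = b""
    cipher_suites = b"\x13\x01\x13\x02\xc0\x2f"   # TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, ECDHE-RSA-AES128-GCM-SHA256
    compression = b"\x00"
    extensions = b""
    if server_name is not None:
        host = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type host_name(0), length, name
        name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list
    body = (
        b"\x03\x03" + random_bytes                 # client_version TLS 1.2 (TLS 1.3 clients send this too)
        + bytes([len(session_id)]) + session_id
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + bytes([len(compression)]) + compression
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(data):
    """Return what a non-decrypting firewall can read from the first bytes of a TLS connection.

    None means the bytes are not a ClientHello (plain HTTP, some other protocol, a truncated
    record). Everything returned is unauthenticated, client-supplied metadata.
    """
    if len(data) < 5 or data[0] != TLS_HANDSHAKE:
        return None
    record_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + record_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    try:
        pos = 0
        version = (body[pos], body[pos + 1]); pos += 2
        pos += 32                                  # client random
        pos += 1 + body[pos]                       # session_id
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
        pos += cs_len
        pos += 1 + body[pos]                       # compression methods
        sni = None
        if pos + 2 <= len(body):                   # the extensions block is optional
            ext_total = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
            end = pos + ext_total
            while pos + 4 <= end:
                ext_type, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
                ext_data = body[pos:pos + elen]; pos += elen
                if ext_type == EXT_SERVER_NAME and len(ext_data) >= 5 and ext_data[2] == 0:
                    name_len = struct.unpack("!H", ext_data[3:5])[0]
                    sni = ext_data[5:5 + name_len].decode("ascii", "replace")
    except (IndexError, struct.error):
        return None                                # truncated or malformed hello
    return {"version": version, "cipher_suites": suites, "sni": sni}


def policy_decision(first_bytes, blocked_hosts):
    """What a hostname blocklist can do without decryption: block, allow, or admit it cannot tell."""
    hello = parse_client_hello(first_bytes)
    if hello is None or hello["sni"] is None:
        return "no-visibility"
    return "block" if hello["sni"].lower() in blocked_hosts else "allow"


if __name__ == "__main__":
    print(parse_client_hello(build_client_hello("bank.example")))
    print(policy_decision(build_client_hello("bad.example"), {"bad.example"}))
```

This is the layer a non-decrypting UTM works at: it can block by hostname without touching certificates on the clients, and it is also why that layer is weak. A client that omits SNI, or a destination you have not categorised, gets "no-visibility" or "allow", and nothing inside the session is ever examined. Only decrypt-and-scan, with the UTM's CA trusted on every device, sees further than this.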

  • widdde said:

    The only thing I'm worried about is attacks from the outside, from the net. This is because the hypervisor is physically connected to the net instead of the UTM.

    I want a really secure LAN, that's why I'm asking, and I can of course run a separate box for the UTM but, as said, it feels like a waste.. But security is prio one (from the net, not from the LAN side) 

    Widde,

    From which source/route?  Wired Cable/DSL/Fiber internet gateway? From a new device connected to your network? From a firmware upgrade via a USB/optical device from outside your network?  From connecting your wired computers/printers/IoT to your neighboring Wi-Fi?  From a smartphone/tablet connected to both your Wi-Fi and cellular? From someone's neighboring printer/computer/IoT connected to your Wi-Fi?  There are so many ways your network can be connected to the "outside".  In the case of bad Wi-Fi settings and desperate people wanting their internet fix, it can happen without you even knowing - connecting through their smartphone/tablet hotspot.  But for this situation, I am sure you mean through your wired gateway.

    Yes, the physical NIC with the hypervisor/OS is what sees the traffic first, before it is handed off to the vSwitch and the UTM, regardless of whether the traffic is coming from "inside" or "outside".  Now, as long as the data packets are just read and handed off and not opened by the NIC/Hypervisor, there is not a lot to worry about there.  That is what a UTM/Firewall (virtual and physical) is doing too - merely receiving, reading, and then sending or dropping/rejecting data, like the functions of a switch.  In a virtual UTM/Firewall, the packets are forwarded through, just like in a physical UTM/Firewall, but in a physical firewall there is no other software overhead, or software on another part of the device, like in virtualization.    The UTM/Firewall can't scan itself, the other software, or the device it is on, so how do you protect that other software on the same device as the virtual UTM/Firewall?

    Will your virtual UTM/Firewall keep your virtual server safe via filtering data coming in and going out?  Well, that depends on the settings of your UTM/Firewall and how you are routing your data flow.  One of the main settings to consider in your UTM/Firewall is Decrypt and Scan.  Most of your connections into and out of VMWare and other virtualization are encrypted.  More than 50% of your internet traffic from the "outside" will also be encrypted via TLS or some other encryption protocol, going through multiple ports as well.  If you're not decrypting and scanning, then your UTM/Firewall isn't going to see nor stop a lot from entering, escaping, or affecting your VMs and network devices.

    If a VM is infected, will it go directly from one VM to another?  Usually not.  Malware is more likely to cross-infect by other means.  It will most likely escape out of your virtualization through encryption, to one or more devices on the network, and then it will re-enter your VMWare again - depending on how many VMs are connected to those infected devices.  In the case of email and bad firmware, you can have several VMs and network devices infected at once directly from the "outside", and then the infection will be further carried out by users copying and sending it on to other locations.  In the case of file sharing, users will move the malware from one location to another via an encrypted service or another device.  Malware can also cross-infect through your storage devices, through a shared area or a database, and your virtual storage connections are not always going through your virtual UTM/Firewall.  If you're using one of your "inside" computers to log into your hypervisor, now all the VMs can be affected - not just by malware injection but also by bad settings.   Your virtual UTM/Firewall will not be able to see nor stop any of this if it isn't set properly or if your switching goes around it.  Installing anti-malware on your devices will help stop some of this once it reaches a "protected" device.

    Must you route your VMWare traffic through your virtual UTM/Firewall? Must you decrypt and scan your communication?  Must you add other anti-malware products to your devices?  Must you do what I or anyone else is telling you to do?  It's up to you.  You have to decide what risks you want to accept or mitigate, but you must know the risks first (which is why you're here).  Most people are worried about what comes in.  I'm more concerned with what goes out and how it can get out.  In truth, the only really safe device is one that is not operating and not connected to anything else, but what's the fun in that?

  • David,

    In full respect of your knowledge and wisdom, I think this thread has moved beyond its purpose and is now more confusing, as each answer raises hundreds of questions. I think Widde has something to work with now, and these long ongoing responses are not helping further.

    Should we not call this a day ?

    ;)

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v20 Technician
