Virtualizing your Linux Firewall

From WBITT's Cooker!

Revision as of 18:44, 8 March 2011 by Kamran (Talk | contribs)
Jump to: navigation, search

This paper discusses the concept of running your Linux Firewall as a Virtual Machine.

Contents

Introduction

In today's IT world, almost all IT managers know what exactly it means for the business, when a firewall is down. When this alarm is raised, it is just like the fire alarm. All of a sudden there is immense panic, there are question marks on everyone's face, productivity is halted, and people rush to see, who reaches to the coffee machine first; except the IT staff. To the IT staff, it seems like hell has broken loose. The managers of all level, almost all at once, start yelling at the IT staff, to get the network back up as soon as possible. It is quite a scene!

For people using hardware based firewalls, like Cisco PIX, Juniper NetScreen, or SonicWall, etc, this can actually mean a lot of downtime. Especially in cases when the firewall device has actually got burnt because of some power failure. They would have to wait for a replacement unit to arrive. In case the firewall was cracked, by a cracker, it would again mean a lot of downtime, as the firewall device has to be re-configured, probably from a clean backup, if it all, there was any.

Normally there is only one such device in an environment, because they are pretty expensive. And, as noted above, a burnt device, or any component of it, such as a WAN port, can seriously cripple your business to a complete halt.

Many people consider Cisco PIX as the Holy Grail of firewalls. Same is the general point of view about other hardware-based/proprietary firewalls, such as Juniper NetScreen, SonicWall, CheckPoint, NetGear, etc. There is nothing much you can do "different", with the so-called hardware/proprietary firewalls, compared to what you can do with Linux based firewalls. One of the popular strategy used by the sales people of prominent firewall vendors is to create Fear, Uncertainty and Doubts,(FUD), in the minds of the possible customers, about low cost Linux firewalls. When they are successful in doing that, the sales people move to the next step, and convince their customers to purchase the ultra expensive firewall. The interesting point is, that even the IT managers also do not resist in such purchases, because they "feel secure" by merely buying a branded product, and don't want to take any risk by saying "No". After the product is acquired, it is placed on the network, without a well thought out configuration. In a hurry to brag "I have configured the brand X firewall and placed it in production in 30 minutes", the IT staff, constantly under the influence of the brand X name/reputation, puts something on the network, which was, (a) not well configured, (b) no-body well understood it (c) outrageously expensive, and (d) was not required in the first place. Most of the time it ends up like buying a rocket launcher to kill a fly, where merely a fly swatter was required in the first place.

In this paper we would discuss the possibility of using Linux based firewalls, running as virtual machines, on a XEN or KVM host. We would also show, how this can be achieved.

Linux as a firewall

Fundamentally, any hardware-based firewall is a collection of hardware and software components. A hardened Linux box, with enough resources, used "solely" in a firewall role, can confidently be termed as a hardware firewall; and it can compete with any branded firewall you can throw against it. Besides, it is the configuration, which makes a firewall strong; not it's brand.

It would be interesting for many to know that Cisco PIX uses processors like Intel Celeron, Intel PIII, and AMD's Am5x86; with Intel 440BX and AMD's SC520 chip-sets; with RAM range between 16 MB to 1 GB. [Reference: http://en.wikipedia.org/wiki/Cisco_PIX#Description_of_hardware].

A modern day PC is much more powerful than what is described above. A cut down version / minimal install of Linux OS on a commodity off the self PC, can essentially turn it into a firewall, more powerful than the Cisco PIX. A Linux based hardware firewall can offer almost all services which any other type of firewall can offer. It is just the matter of adding the right modules and software pieces to it. For example, a basic Packet Filtering Linux firewall can work as a Stateful Firewall, merely by adding a connection tracking kernel module, and some configuration. The following non-exhaustive list provides an insight into what all can be accomplished by using totally free OS and it's tools; Linux.

  • Packet Filtering: IPTables
  • NAT: NAT module in IPTables
  • Stateful Filtering: Connection Tracking module in IPTables
  • Web Proxy/Caching Service: Squid, etc.
  • Web Content Filtering: SquidGuard, DansGuardian, etc.
  • VPN: OpenVPN, OpenSWAN, etc.
  • Intrusion Detection Systems: Snort, etc.
  • Network Monitoring and Alerting: MRTG, MON, Nagios, ganglia, etc.
  • An SMTP relay: Sendmail, Postfix, etc.
  • .... and more.

You can have one "thick" Linux firewall, by having all of the services on one physical machine. However, the purpose of this paper is to explain, how compartmentalized security model can be implemented, by running most of the services listed above as separate "thin" virtual machines, on a single physical server. And for the sake of ensuring business continuity, a copy of all VMs can be kept on a second (in-expensive) physical machine. In case of hardware failure, the firewall and it's related components can be run from this second machine, without significant downtime.

From this point onwards, we will not discriminate Linux based firewalls against prominent hardware-based branded firewall devices.

The Virtual Firewall

As we noted above, instead of running one "thick" physical machine as firewall, we can run multiple thin "virtual" machines. Below are few of advantages and disadvantages of running your firewall in virtual world.

Advantages

  • Compartmentalized Security: Firewall can run as a separate VM. Cache Server can run as a separate VM, etc. If a cracker gains access to the cache server, that is the only VM affected. Your main firewall will still continue to handle traffic.
  • No single point of failure: If the cache server's disk is full, with logs, etc, it will be the only VM, which will not respond. Main firewall VM will keep functioning.
  • Service/VM Load Balancing: If cache server/content filtering is taking too much resources, that VM can be moved to another physical machine on the network.
  • COTS/in-expensive hardware: This results in ability to have multiple physical machines in stock. In case a hardware failure occurs, the second physical machine can be quickly setup to run VMs and the services they offer.

Disadvantages

  • Extra complexity: Virtualization introduces extra level of complexity in the network. The administrator has not only to take care of the physical machine and it's network connections, for example; he also has to take care of the VMs, the virtual networks inside the machine, and a keep an eye on the resource utilization.

Designing a Virtual Firewall System

Scenario

While designing a Virtual Firewall System, and it's components, you should first make a list of tasks it will be performing for your network. In this document, we have as assumption, that you are placing such a firewall between Internet and your LAN users, to protect them from each other. Internet is reachable through a DSL router, which has a public IP. The LAN interface of this DSL router is connected to a switch, to which all of your users are connected to. The DSL router, is providing DHCP, DNS and NAT services to your users. We will also assume that the DSL Router has a built-in firewall, which no-one has bothered to configure for your setup, or has very limited firewall features. The users need to be protected (from the Internet), and also provided with some basic services, such as a cache server. The Internet needs to be protected from the LAN users, such as, any virus infected PC should not send floods of emails/spam through your DSL router, towards the internet. Thus a need to place a Linux firewall in between. Here is what a non-virtualized "thick" solution looks like:

Figure 1: A typical set up. Physical firewall machine placed between Internet and LAN

References

Personal tools