[pfSense Support] Re: Firewall security compromised by auxillary programs?

2011-02-05 Thread Dave Warren
In message Kurt Buff was claimed to have wrote:

>On Fri, Feb 4, 2011 at 20:21, Joseph L. Casale wrote:
>>>Well, I hear of people running pfSense in a VM, and I wonder how do you
>>>avoid exposing the host OS to the network?  How can a firewall be run in a
>>>VM and not leave the host OS hanging out to be attacked?
>>
>> Well, if the interface is set up in a bridge with nothing else, what exactly is
>> addressable that you can connect to and then hack? Now add a vm and plug
>> a nic into this bridge and put pfSense's wan designation on it. When you show
>> me one case of the host being compromised I'll believe it, until then it's not
>> been done as far as I know...
>
>If the OS is a VM, then you might want to understand Blue Pill:
>
>http://en.wikipedia.org/wiki/Blue_Pill_%28malware%29
>
>And, I believe, it's just the beginning of the threats for virtual environments.

A Blue Pill attack is effective against actual hardware, lifting the
running OS into a Hypervisor without the OS or user being aware.  

However, this type of attack wouldn't need you to be in a virtual
environment.  In fact, it might be more effective on real hardware than
within a VM environment since AMD-V and VT-x functionality itself isn't
available within a guest environment.


-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



Re: [pfSense Support] Firewall security compromised by auxillary programs?

2011-02-05 Thread Pandu Poluan
On Sat, Feb 5, 2011 at 02:54, Mark Jones  wrote:
> Well, I hear of people running pfSense in a VM, and I wonder how do you avoid 
> exposing the host OS to the network?  How can a firewall be run in a VM and 
> not leave the host OS hanging out to be attacked?  Or, go the other way and 
> put the VM in the FreeBSD used by pfSense since there is plenty of excess CPU 
> and memory to do the trick.  Only getting vmware to run on pfSense FreeBSD 
> might be difficult (I haven't actually tried it) given the very few pieces of 
> FreeBSD that are present in a pfSense environment.
>

It actually depends on the hypervisor being used. Most hypervisors
allow limiting access to a physical NIC you choose. In addition, many
hypervisors also have firewalls. Finally, hypervisor controllers
(e.g., VMware's vCenter or XenServer's XenCenter) need a password to
access the hypervisor. Use a strong password here to prevent
brute-force attacks.

> Yes, I agree that having a jabber server on the firewall is less secure than 
> not having a jabber server, but I question it being less secure than having 
> it on my internal server.  If it is on the pfSense box and becomes 
> compromised, the hacker will need pfSense skills to get any further, then 
> they will need an additional set of skills to get at my primary servers.  If 
> I open the ports that the jabber server uses, then they have access to my 
> primary servers via the jabber server software because the firewall is 
> permitting connections into and out of the network on those ports.
>

If the jabber server has a severe security hole/vulnerability like
remote code execution, they don't need pfSense skills. They would be
able to get down to the FreeBSD OS itself.

> Admittedly running log digesting software increases the attack surface if 
> those programs actually use networking services, but if they are 
> self-contained, the attack surface doesn't change.  Adding a website (like 
> say the pfSense PHP website interface) increases my exposure as well, but yet 
> we do it to facilitate easy configuration.
>

An app does not need to use a networking service to be a security
problem. If the app is unstable, it might cause unexpected problems
with other processes in memory.

> If this analysis is wrong, please someone point out where it is wrong.  This 
> assumes that the jabber server only opens the ports for XMPP and nothing 
> else, no management ports etc.
>
>


--
Pandu E Poluan
~ IT Optimizer ~
Visit my Blog: http://pepoluan.posterous.com




[pfSense Support] 2.0 Openvpn questions

2011-02-05 Thread Joseph L. Casale
How come the openvpn configuration forces a "client-cert-not-required" when
using an LDAP auth backend in 2.0b5x64 (Sat Feb 5 snap)? I don't believe that's
a mandatory limitation, we use certs _and_ secondary auth via ldap.

jlc
