[pfSense Support] Re: Firewall security compromised by auxillary programs?

2011-02-05 Thread Dave Warren
In message AANLkTi=htn0sn-dcyqkopye6hq02bge+q-8gxnhi3...@mail.gmail.com
Kurt Buff kurt.b...@gmail.com was claimed to have wrote:

On Fri, Feb 4, 2011 at 20:21, Joseph L. Casale jcas...@activenetwerx.com wrote:
Well, I hear of people running pfSense in a VM, and I wonder how do you
avoid exposing the host OS to the network?  How can a firewall be run in a
VM and not leave the host OS hanging out to be attacked?

 Well, if the interface is set up in a bridge with nothing else, what exactly is
 addressable that you can connect to and then hack? Now add a VM and plug
 a NIC into this bridge and put pfSense's WAN designation on it. When you show
 me one case of the host being compromised I'll believe it, until then it's not
 been done as far as I know...

If the OS is a VM, then you might want to understand Blue Pill:

http://en.wikipedia.org/wiki/Blue_Pill_%28malware%29

And, I believe, it's just the beginning of the threats for virtual environments.

A Blue Pill attack is effective against actual hardware, lifting the
running OS into a Hypervisor without the OS or user being aware.  

However, this type of attack wouldn't need you to be in a virtual
environment.  In fact, it might be more effective on real hardware than
within a VM environment since AMD-V and VT-x functionality itself isn't
available within a guest environment.


-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



Re: [pfSense Support] Firewall security compromised by auxillary programs?

2011-02-05 Thread Pandu Poluan
On Sat, Feb 5, 2011 at 02:54, Mark Jones mjo...@imagehawk.com wrote:
 Well, I hear of people running pfSense in a VM, and I wonder how do you avoid 
 exposing the host OS to the network?  How can a firewall be run in a VM and 
 not leave the host OS hanging out to be attacked?  Or, go the other way and 
 put the VM in the FreeBSD used by pfSense since there is plenty of excess CPU 
 and memory to do the trick.  Only getting vmware to run on pfSense FreeBSD 
 might be difficult (I haven't actually tried it) given the very few pieces of 
 FreeBSD that are present in a pfSense environment.


It actually depends on the hypervisor being used. Most hypervisors
allow limiting access to a physical NIC you choose. In addition, many
hypervisors also have firewalls. Finally, hypervisor controllers
(e.g., VMware's vCenter or XenServer's XenCenter) need a password to
access the hypervisor. Use a strong password here to prevent
brute-force attacks.

 Yes, I agree that having a jabber server on the firewall is less secure than 
 not having a jabber server, but I question it being less secure than having 
 it on my internal server.  If it is on the pfSense box and becomes 
 compromised, the hacker will need pfSense skills to get any further, then 
 they will need an additional set of skills to get at my primary servers.  If 
 I open the ports that the jabber server uses, then they have access to my 
 primary servers via the jabber server software because the firewall is 
 permitting connections into and out of the network on those ports.


If the jabber server has a severe security hole/vulnerability like
remote code execution, they don't need pfSense skills. They would be
able to get down to the FreeBSD OS itself.

 Admittedly running log digesting software increases the attack surface if 
 those programs actually use networking services, but if they are 
 self-contained, the attack surface doesn't change.  Adding a website (like 
 say the pfSense PHP website interface) increases my exposure as well, but yet 
 we do it to facilitate easy configuration.


An app does not need to use a networking service to be a security
problem. If the app is unstable, it might cause unexpected problems
with other processes in memory.

 If this analysis is wrong, please someone point out where it is wrong.  This 
 assumes that the jabber server only opens the ports for XMPP and nothing 
 else, no management ports etc.




--
Pandu E Poluan
~ IT Optimizer ~
Visit my Blog: http://pepoluan.posterous.com




[pfSense Support] 2.0 Openvpn questions

2011-02-05 Thread Joseph L. Casale
How come the OpenVPN configuration forces a client-cert-not-required when
using an LDAP auth backend in 2.0b5x64 (Sat Feb 5 snap)? I don't believe that's
a mandatory limitation, we use certs _and_ secondary auth via ldap.

jlc
