Virtual Firewall

[lifeflaw]

This is my first post here. Nice to meet you all.

I am working lately on configuring a virtual machine with a hardened OS to function as a firewall (and possibly content filtering proxy and/or IDS). The aim is to create a security virtual appliance that can be used by and can protect the average user; the aim is to create a free or non-expensive product that offers a security comparable to hardware appliances.

From the technical point of view, the virtual machine will have 2 virtual NICs. The first one will be configured as “host only” and can be accessed only by the host computer. The other virtual NIC will be bridged and can access the public network. The host computer will have the “host only” NIC of the virtual machine as its default gateway. Any traffic going from or to the host computer should pass through this security virtual machine.

From the network packets point of view, it is like this

[host computer] --- [security virtual machine]--- Public Network

The idea is to provide a protection level higher than that offered by Windows firewall, or any installed firewall. I want a protection level similar to that offered by SoHo hardware firewall appliances such as the Cisco ASA 5500. Yet I am still not sure about the security level because the virtual machine would be running on a potentially insecure host OS. Moreover, I am still investigating the security advantage of such a virtual appliance over an installed firewall.

So my question is, do you think this is a sound approach to protect a desktop OS (such as MS Windows)? Your comments and suggestions are highly appreciated. :)

Note: After searching on the net, I found out that there was a paper about this approach published in USENIX, more information can be found in the link below,

http://www.cs.drexel.edu/~vp/VirtualFirewall/index.html

However, it doesn’t fully tackle the questions that I have in mind.

Peace.

[rlocone]

Only thing I can think of is Untangle. I've played around with it many moons ago.

http://www.untangle.com

Hope this helps.

[macrohard]

I've currently use Untangle now in my home network, to keep the facehuggers from going to any "naughty" sites.

Untangle also does a product specifically for Windows, in which you can download Untangle and install it on a Windows XP or Vista box, and from there protect all the Windows boxes in your LAN.

Untangle Re-Router technology

It is a good question in regard to running a firewall appliance as a virtual machine, especially when considering how secure the host is, or any other virtual machines you might be running on a host that a virtual firewall appliance runs on. One of the things I'm looking at at work is security of our virtual network.

I personally however prefer the firewall/UTM device to be guarding the perimeter and separate. Then working to secure the inside of the LAN network.

[lifeflaw]

Thank you for suggesting “Untangle” I am checking it out.

I couldn’t find detailed technical explanation on their website; thanks for your explanation. To better understand it, I should install the free version and try it out.

It is a good question in regard to running a firewall appliance as a virtual machine, especially when considering how secure the host is, or any other virtual machines you might be running on a host that a virtual firewall appliance runs on. One of the things I'm looking at at work is security of our virtual network.

I personally however prefer the firewall/UTM device to be guarding the perimeter and separate. Then working to secure the inside of the LAN network.

If you are protecting a virtual network/servers running on one of those slick hypervisors, then using a security virtual appliance (VA) is a very valid choice. Of course, I also understand your preference to use a firewall/UTM hardware appliance (if I understood correctly). Yet, it is important to note that the security of a hypervisor, VMware ESX for example, far surpasses that of desktop OS running virtualization software. The security of a small footprint hardened hypervisor is way higher and hence the security I can expect from running a security VA on a hypervisor is way beyond what I can expect from running s security VA on an (insecure) OS. Maybe I should investigate the official procedures to certify a security product/design and work my way from there.