balance101
Limp Gawd
- Joined
- Jan 31, 2008
- Messages
- 411
Is there any security risk from running pfsense as a VM even with vSwitch within ESXI?
thanks
thanks
![[H]ard|Forum](/styles/hardforum/xenforo/logo_dark.png){kind=logo}
Navigation
Install the app
How to install the app on iOS
Follow along with the video below to see how to install our site as a web app on your home screen.
Note: This feature may not be available in some browsers.
More options
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an alternative browser.
You should upgrade or use an alternative browser.
pfsense as a VM on ESXI ?Risk?
- Thread starter balance101
- Start date
The pfSense developers protect forum.pfsense.org behind ESX virtualized pfsense. I'd imagine the rest oof the site too for that matter.
http://forum.pfsense.org/index.php?topic=45590.0
http://forum.pfsense.org/index.php?topic=45590.0
Is there any security risk from running pfsense as a VM even with vSwitch within ESXI?
thanks
The obvious is of course mis-configuration by the admin (you have a more complex solution compared to just having a physical box ONLY running pfsense).
Apart from added complexity you will also add more attackvectors against your solution. Not only whatever bug might exist in pfsense, but you will also need to take care of whatever bug exists in WMvare - not to mention that you will have some kind of remote management of WMvare itself which gives that if the attacker fails to gain root at pfsense perhaps the attacker can instead gain root of the WMware box itself (and by that reroute how the packets flows)?
Close to this is misbehaving from the virtual solution (yeah one could argue that VMware is proven to be somewhat secure but still there are security announcements and patches released every month/quarter of a year).
Only recently a hardware related bug to virtualization showed up regarding intels sysret (and this is when many people would assume something like this would never happen):
http://www.kb.cert.org/vuls/id/649219
Luckily WMvare wasnt affected by this one but as you can see in the list above roughly 2/3 of the vendors were affected so WMvare is perhaps not as lucky next time.
Another issue to take into account is the performance. If your uplink is like 10Mbit/s then you cant sqeeze in more packets than roughly 40kpps (smallest possible packet in full duplex = 10000000 / 512 * 2) which WMvare should be able to handle without a problem. But with 100Mbit/s we talk about up to 400kpps and then you will/might hit the roof of what the virtualization can bring you in IOPS.
Which gives that the reliability (and performance) will most likely be higher (in terms of for example withstanding a DoS/DDoS) with dedicated hardware compared to running pfsense in an virtualized environment.
Last edited: