Using a VM100 at the perimeter



L1 Bithead

Hi,

We are looking at deploying a VM-100 at the perimeter of our network. We currently have a PA-500 doing that job.  It is incredibly slow on the management side of things and, quite frankly, expensive when it comes to support renewals.  Hence the thought of going to a VM-100.  Our supplier has told us that Palo Alto does not recommend a virtual firewall (hosted on VMware) at the perimeter; however, I can't find any documentation to support this.

Can anyone point me at the documentation that supports the statement that PA doesn't recommend this deployment model?  Or can someone at PA confirm this?

Thanks in advance.


I am curious how a hypervisor can be compromised in a situation like this.  Basically you are exposing a virtual port on a virtual switch, which is effectively the same as a physical switch.  The port is fully controlled by the VM itself, which handles all of the traffic.  I can't fathom how this is more dangerous than a physical link to a physical Palo Alto.  Please feel free to correct me and/or explain.

I am in a similar boat, where the PA-500 may not be able to handle the expansion of our pipe to 200 Mbps with all of the options enabled, and I am up for renewal.  We routinely hit and exceed 100 Mbps on our PA-500.  I have a spare server with multiple NICs and dual power supplies.  Throw in a couple of SSDs in a RAID and I am fully redundant.

Thanks,

Bob

You can check VMware's site for the lists of specific vulnerabilities and their hardening recommendations.  The hypervisor software is subject to the same types of exploits that can hit other Linux-based systems, plus specific ones based on the hypervisor software.  The risks are generally low in known issues, but of course there is the unknown.  The code base for VMware was stolen and publicly posted back in 2012, so there have been a raft of exploits discovered since then.

The bigger risk than a switch and appliance is that IF you can compromise the hypervisor you now have access to all of the guest VMs behind the firewall on that same hypervisor.

Based on what is currently known, I think a properly hardened VM host would be low risk for a small or branch office deploy.  But you do need to be sure it is a hardened deploy and all due caution is observed.  Others will disagree, citing that the risk of giving an attack surface of the hypervisor to the public internet would be too high because the consequences of the breach are so high.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Steven,

Thanks for replying, but I am still confused how running it on ESXi makes it less secure.  Assuming it was set up correctly (no ability to manage it from the outside), the exposed side of the firewall will appear as any other firewall to an outsider.  Any ESXi exploits are not valid, as you are not exposing ESXi, only the appliance.  I just don't get it....

Publish servers through it, and as far as anyone knows they just went through a physical firewall.  If you are in a position where someone gets in and can pivot around, you have a lot more trouble than a virtual firewall.

Thanks for your patience,

Bob
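The separation Bob describes (management not reachable from the outside, only the appliance's own port exposed) and Steve's "properly hardened VM host" can be stated as a handful of checkable properties of the host's virtual networking. The following is an added example, not code from this thread, from Palo Alto Networks or from VMware: a small Python policy check over a constructed, simplified description of an ESXi-style host. The host data (vSwitch0, vmnic1, the "Outside" port group, the VM names) is invented for the example, and check_host is a hypothetical function, not part of any vendor tooling. The three port-group settings it expects to be rejected (promiscuous mode, MAC address changes, forged transmits) are the ones VMware's hardening guidance says to leave at Reject on a standard vSwitch.

```python
"""Hypothetical host-isolation check for a virtual perimeter firewall.

The Host model below is a constructed, simplified view of ESXi networking:
vSwitches with physical uplinks, port groups with their security policy,
vmkernel (management) ports, and which VM vNIC sits on which port group.
"""
from dataclasses import dataclass


@dataclass
class PortGroup:
    name: str
    vswitch: str
    trust: str                   # "untrusted" = internet-facing, "trusted" = inside/DMZ
    promiscuous: bool = False    # port-group security policy; False means "Reject"
    mac_changes: bool = False
    forged_transmits: bool = False


@dataclass
class VSwitch:
    name: str
    uplinks: list                # physical NICs (vmnicN) behind this vSwitch


@dataclass
class VmkPort:
    name: str                    # vmkernel port carrying host management, e.g. vmk0
    portgroup: str


@dataclass
class Host:
    vswitches: dict              # name -> VSwitch
    portgroups: dict             # name -> PortGroup
    vmk: list                    # management/vmkernel ports
    vm_vnics: dict               # vm name -> {vnic name: port group name}
    firewall_vm: str             # the VM that is allowed on the untrusted side


def check_host(host: Host) -> list:
    """Return human-readable findings; an empty list means the separation holds."""
    findings = []
    untrusted_pgs = {n for n, pg in host.portgroups.items() if pg.trust == "untrusted"}
    untrusted_sw = {host.portgroups[n].vswitch for n in untrusted_pgs}

    # 1. Hypervisor management must not sit on a vSwitch that also faces the internet.
    for vmk in host.vmk:
        pg = host.portgroups[vmk.portgroup]
        if pg.vswitch in untrusted_sw:
            findings.append(f"{vmk.name}: management port shares vSwitch {pg.vswitch} "
                            f"with an untrusted port group")

    # 2. The internet-facing vSwitch must have physical uplinks of its own.
    for name in sorted(untrusted_sw):
        mine = set(host.vswitches[name].uplinks)
        for other, sw in host.vswitches.items():
            shared = mine & set(sw.uplinks)
            if other != name and shared:
                findings.append(f"vSwitch {name} shares uplink(s) {sorted(shared)} with {other}")

    # 3. Untrusted port groups keep the default Reject security policy.
    for n in sorted(untrusted_pgs):
        pg = host.portgroups[n]
        for setting in ("promiscuous", "mac_changes", "forged_transmits"):
            if getattr(pg, setting):
                findings.append(f"port group {n}: {setting} is Accept; expected Reject")

    # 4. Only the firewall VM may have a vNIC on an untrusted port group.
    for vm, vnics in host.vm_vnics.items():
        for vnic, pgname in vnics.items():
            if pgname in untrusted_pgs and vm != host.firewall_vm:
                findings.append(f"VM {vm} ({vnic}) is attached to untrusted port group {pgname}")
    return findings


# Constructed sample: management and the outside port group on separate vSwitches and NICs.
GOOD_HOST = Host(
    vswitches={"vSwitch0": VSwitch("vSwitch0", ["vmnic0"]),
               "vSwitch1": VSwitch("vSwitch1", ["vmnic1"]),
               "vSwitch2": VSwitch("vSwitch2", ["vmnic2"])},
    portgroups={"Management Network": PortGroup("Management Network", "vSwitch0", "trusted"),
                "Outside": PortGroup("Outside", "vSwitch1", "untrusted"),
                "Inside": PortGroup("Inside", "vSwitch2", "trusted")},
    vmk=[VmkPort("vmk0", "Management Network")],
    vm_vnics={"vm-series": {"eth1": "Outside", "eth2": "Inside"},
              "mail-gw": {"eth0": "Inside"}},
    firewall_vm="vm-series",
)

# Constructed sample: management shares the outside vSwitch, uplinks overlap,
# promiscuous mode is accepted, and a web server sits directly on the outside.
BAD_HOST = Host(
    vswitches={"vSwitch0": VSwitch("vSwitch0", ["vmnic0", "vmnic1"]),
               "vSwitch1": VSwitch("vSwitch1", ["vmnic1"])},
    portgroups={"Management Network": PortGroup("Management Network", "vSwitch0", "trusted"),
                "Outside": PortGroup("Outside", "vSwitch0", "untrusted", promiscuous=True),
                "Inside": PortGroup("Inside", "vSwitch1", "trusted")},
    vmk=[VmkPort("vmk0", "Management Network")],
    vm_vnics={"vm-series": {"eth1": "Outside", "eth2": "Inside"},
              "web01": {"eth0": "Outside"}},
    firewall_vm="vm-series",
)

if __name__ == "__main__":
    for label, host in (("good", GOOD_HOST), ("bad", BAD_HOST)):
        print(label, check_host(host) or "no findings")
```

The check only covers the layout the thread argues about: it says nothing about patch level or the management interfaces of ESXi itself, which is the part of Steve's "hardened deploy" that a layout check cannot see. Note also that the Reject expectation in step 3 assumes the appliance runs in Layer 3 mode; a firewall deployed in virtual-wire (transparent) mode needs promiscuous mode on its port groups, so that deployment would need a different rule there.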

BobW wrote:

Steven,

Thanks for replying, but I am still confused how running it on ESXi makes it less secure.  Assuming it was set up correctly (no ability to manage it from the outside), the exposed side of the firewall will appear as any other firewall to an outsider.  Any ESXi exploits are not valid, as you are not exposing ESXi, only the appliance.  I just don't get it....

Publish servers through it, and as far as anyone knows they just went through a physical firewall.  If you are in a position where someone gets in and can pivot around, you have a lot more trouble than a virtual firewall.

Thanks for your patience,

Bob

Bob, I'm 99% with you, but I must admit there's a part of me that, however irrational, isn't entirely convinced I'd be comfortable with it.

That said, we run SMTP gateways and VMs on a DMZ virtual switch, so I don't really see how this is any different.

There's a heck of a lot of "what ifs" needed for something bad to happen, I think.

L1 Bithead

Hi folks,

I am glad this has stimulated some discussion.  I must admit that I tend towards the same opinion as Bob.  I am having an issue with what the real technical reason is as to why I shouldn't do this.  I would appreciate someone from Palo Alto commenting, though maybe they don't read these forums.

It seems that Juniper openly supports virtual appliances at the perimeter with their Firefly product: Firefly Perimeter – Juniper Networks

Help me out here PA, I need some concrete support for this as a solution.

Perhaps I should be posting this to VMware as well to see if they have any comments.

Thanks for commenting people.  It is much appreciated.
