Using a VM100 at the perimeter

L1 Bithead

Hi,

We are looking at deploying a VM-100 at the perimeter of our network. We currently have a PA-500 doing that job. It is incredibly slow on the management side of things and, quite frankly, expensive when it comes to support renewals. Hence the thought of going to a VM-100. Our supplier has told us that Palo Alto does not recommend a virtual firewall (hosted on VMware) at the perimeter; however, I can't find any documentation to support this.

Can anyone point me at the documentation that supports the statement that PA doesn't recommend this deployment model? Or can someone at PA confirm this?

Thanks in advance.

L6 Presenter

Hi HDC... The VM-100 can be installed on several VMware products (VMware Workstation, VMware Fusion, VMware Player), and the VM platforms themselves are not designed to be a firewall at the perimeter. There is a degree of risk when exposing the VM platform to an untrusted segment (the Internet). You should consult with VMware on how to harden the VM platform, if it is even possible.

As for the slow response on the management side of the PA-500, may I recommend that you consider upgrading its memory: PA-500 Management Memory Upgrade Procedure. Thanks.

L3 Networker

Hello, I agree with rmovan that the VM is not great to put at the perimeter, since you have now exposed your hypervisor to the Internet. I know there are VMware hardening docs, but I think you are asking for trouble, since if the hypervisor gets compromised, the firewall is useless. Stay with physical at the perimeter.

L4 Transporter

If you wouldn't trust it enough to secure traffic at the perimeter, why would you trust it enough to secure your internal traffic?

Genuine question: like many people, I'm wary of putting VMware at the very edge of the network, but given the "on paper" specifications of the VM-100 you could buy a dedicated host if you wanted to, and it would still seem to give a 2000 or entry 3000 series a run for its money.

Palo Alto SEs say it's intended for east-west inspection, but nobody ever really explains why it shouldn't be suitable to use at the perimeter, especially when you can do HA using VMware vs. having to buy a pair of appliances.

Not applicable

We have isolated VMware boxes in our DMZ. They are hardened, and management isn't accessible from the Internet. I can't speak to the performance, but the arguments regarding security concerns ring hollow for me.

If you end up pursuing this, please come back and share your results.

L4 Transporter

I am curious how a hypervisor can be compromised in a situation like this? Basically you are exposing a virtual port on a virtual switch, which is effectively the same as a physical switch. The port is fully controlled by the VM itself, which handles all of the traffic. I can't fathom how this is more dangerous than a physical link to a physical Palo Alto. Please feel free to correct me and/or explain.

I am in a similar boat, where the PA-500 may not be able to handle the expansion of our pipe to 200 Mbps with all of the options enabled, and I am up for renewal. We routinely hit and exceed 100 Mbps on our PA-500. I have a spare server with multiple NICs and dual power supplies. Throw in a couple of SSDs in a RAID and I am fully redundant.

Thanks,

Bob

L7 Applicator

You can check VMware's site for the lists of specific vulnerabilities and their hardening recommendations. The hypervisor software is subject to the same types of exploits that can hit other Linux-based systems, plus specific ones based on the hypervisor software. The risks are generally low in known issues, but of course there is the unknown. The code base for VMware was stolen and publicly posted back in 2012, so there have been a raft of exploits discovered since then.

The bigger risk than a switch and appliance is that IF you can compromise the hypervisor, you now have access to all of the guest VMs behind the firewall on that same hypervisor.

Based on what is currently known, I think a properly hardened VM host would be low risk for a small or branch office deployment. But you do need to be sure it is a hardened deployment and all due caution is observed. Others will disagree, citing that the risk of giving an attack surface of the hypervisor to the public Internet would be too high because the consequences of the breach are so high.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
L4 Transporter

Steven,

Thanks for replying, but I am still confused how running it on ESXi makes it less secure. Assuming it was set up correctly (no ability to manage it from the outside), the exposed side of the firewall will appear as any other firewall to an outsider. Any ESXi exploits are not valid, as you are not exposing ESXi, only the appliance. I just don't get it....

Publish servers through it, and as far as anyone knows they just went through a physical firewall. If you are in a position where someone gets in and can pivot around, you have a lot more trouble than a virtual firewall.

Thanks for your patience,

Bob
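Both the "management isn't accessible from the internet" post above and Bob's "no ability to manage it from the outside" assumption are conditions you can verify rather than take on trust. What follows is an added example, not code from this thread, from Palo Alto Networks or from VMware: it probes a perimeter address from an untrusted vantage point and splits whatever answers into the services you intentionally publish, ports that look like ESXi host management, and anything unexplained. The ESXi management ports it flags (22/tcp SSH, 443/tcp vSphere HTTPS, 902/tcp host agent/remote console) are this example's assumptions and should be checked against VMware's port list for your release; the target address and published-port list in `__main__` are placeholders.

```python
"""External exposure check for a virtual firewall's untrusted interface.

Added example (not from the forum thread, Palo Alto Networks or VMware).
Assumed ESXi management ports: 22 (SSH, if enabled), 443 (vSphere HTTPS),
902 (host agent / remote console). Verify against VMware's documentation.
"""
import socket
import sys
from typing import Dict, Iterable, List, Tuple

# Ports a vSphere/ESXi host answers on for management (assumption; see above).
HYPERVISOR_MGMT_PORTS: Dict[int, str] = {
    22: "ESXi SSH (if enabled)",
    443: "vSphere HTTPS / host client / API",
    902: "ESXi host agent / remote console",
}

# Common ports worth probing alongside the management set.
DEFAULT_PROBE_PORTS: List[int] = [22, 25, 80, 443, 902, 8443]

Report = Dict[str, List[Tuple[int, str]]]


def scan_tcp(host: str, ports: Iterable[int], timeout: float = 1.0) -> List[int]:
    """Return the subset of `ports` that complete a TCP handshake with `host`.

    A completed handshake means *something* behind that address is listening;
    the firewall's own stack, a published server, or the hypervisor itself.
    """
    open_ports: List[int] = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            # connect_ex returns 0 on success, an errno otherwise; no exception.
            if sock.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def classify_exposure(open_ports: Iterable[int], published: Iterable[int]) -> Report:
    """Split observed open ports into published, hypervisor-management and unexplained.

    `published` is the list of ports you deliberately NAT/publish through the
    firewall. Anything else that answers is either hypervisor management
    leaking onto the untrusted segment or a service nobody accounted for.
    """
    published_set = set(published)
    report: Report = {"published": [], "hypervisor_mgmt": [], "unexplained": []}
    for port in sorted(set(open_ports)):
        if port in published_set:
            report["published"].append((port, "intended"))
        elif port in HYPERVISOR_MGMT_PORTS:
            report["hypervisor_mgmt"].append((port, HYPERVISOR_MGMT_PORTS[port]))
        else:
            report["unexplained"].append((port, "not in published list"))
    return report


def is_acceptable(report: Report) -> bool:
    """True only when nothing but the published services answered."""
    return not report["hypervisor_mgmt"] and not report["unexplained"]


if __name__ == "__main__":
    # Placeholders: replace with the firewall's untrusted IP and your NAT policy.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"
    published_services = [25, 443]
    findings = classify_exposure(scan_tcp(target, DEFAULT_PROBE_PORTS), published_services)
    for category, entries in findings.items():
        for port, note in entries:
            print(f"{category:16} {port:5} {note}")
    sys.exit(0 if is_acceptable(findings) else 1)
```

Port number alone cannot tell a published HTTPS server on 443 from the hypervisor's own 443, so if you publish 443 through the firewall, follow this up with a service-identity check (for example, whether the TLS certificate presented is your web server's or an ESXi host certificate). Run the probe from outside your own network, not from the DMZ, or it only tells you what your own segment can see.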

L4 Transporter

BobW wrote:

Steven,

Thanks for replying, but I am still confused how running it on ESXi makes it less secure. Assuming it was set up correctly (no ability to manage it from the outside), the exposed side of the firewall will appear as any other firewall to an outsider. Any ESXi exploits are not valid, as you are not exposing ESXi, only the appliance. I just don't get it....

Publish servers through it, and as far as anyone knows they just went through a physical firewall. If you are in a position where someone gets in and can pivot around, you have a lot more trouble than a virtual firewall.

Thanks for your patience,

Bob

Bob, I'm 99% with you, but I must admit there's a part of me that, however irrational, isn't entirely convinced I'd be comfortable with it.

That said, we run SMTP gateways and VMs on a DMZ virtual switch, so I don't really see how this is any different.

There's a heck of a lot of "what if's" needed for something bad to happen I think.

L1 Bithead

Hi folks,

I am glad this has stimulated some discussion. I must admit that I tend towards the same opinion as Bob. I am having an issue with what the real technical reason is as to why I shouldn't do this. I would appreciate someone from Palo Alto commenting, though maybe they don't read these forums.

It seems that Juniper openly supports virtual appliances at the perimeter with their Firefly product: Firefly Perimeter – Juniper Networks

Help me out here, PA; I need some concrete support for this as a solution.

Perhaps I should be posting this to VMware as well to see if they have any comments.

Thanks for commenting people.  It is much appreciated.
