I currently use IPCop for our corporate firewall & VPN. I am looking to consolidate a number of servers, and am considering including the firewall server in the consolidation. I currently plan on using Server 2008 with Hyper-V for the virtualization. Has anyone out there tried virtualizing IPCop? Is there anything that I should be aware of? In particular, IPCop has somewhat limited hardware support for NICs - what hardware will the VM see for the network card?
3 Answers
Generally, I would advise against virtualising your firewall. It's another place for insecurity to happen. Web filter, VPN concentrator, yes - perimeter fw, no.
I would say, though, if you are going to do it, it will probably work. I work for SmoothWall (our GPL firewall was IPCop's granddaddy) and we have run some of our web filter products on Hyper-V OK.
Last I looked, however, you were limited to one processor core under linux - so if high performance is required that may be an issue - though one core should be more than enough for a simple firewall job.
- Tom - thank you for the quick response. Could you add a little more detail regarding the types of security concerns I might see virtualizing the perimeter FW? Thanks! – Loren Charnley Jun 25 '09 at 19:41
- +1 for Tom's comment. We actually went the OTHER direction and built our IPCop boxes on machines by themselves or even on custom "router boards" or "utility PCs". It's nice to have a single physical piece of hardware you can hold responsible. ;-) – KPWINC Jun 25 '09 at 21:18
- Loren - specifically thinking vulnerabilities in the "host" OS could be exploited to route around your firewall control. – Tom Newton Jun 25 '09 at 21:38
- Additionally you should consider the possibility of other hosts on the Hyper-V server negatively impacting performance or security. – Tom Newton Jun 25 '09 at 21:43
- Worth noting that Microsoft are tempting Linux into using 4 cores now. Be a while before distros like SmoothWall and IPCop get that in their kernels, I guess, though. – Tom Newton Apr 16 '10 at 21:49
I have used several IPCop VMs on Hyper-V for the last year in production. They work generally OK for low-throughput use.
I have experienced the following issues:
- You need to use the 'Legacy Network Adapter' and none of the 'Integration Services'.
- Definitely switch off the integration service for sharing host time with the virtual machine, this can cause some confusing problems.
- Throughput is pretty bad. I have IPCop running virtualised on quad-core 3+GHz Core 2 machines. The IPCop boxes are restricted to 1 virtual CPU, but processor usage is much higher than expected. Disabling Snort helps somewhat, and reduces memory usage dramatically. Nevertheless, I get around 20Mbps maximum throughput. I believe this issue may be to do with the use of legacy network adapters.
- The IPCop firewall can hang up when exposed to a few hours of constantly high numbers of connections. I have not been able to diagnose the root cause of this problem. The web interface is still accessible, and the VM can be reset through this or the Hyper-V management interface to fix the problem (temporarily).
I've not found a better solution for a Hyper-V virtualised firewall. Endian Firewall seems to display an even more pronounced throughput restriction (as low as 5Mbps on the same hardware / VM setup as above). Suggestions for a better solution would be very welcome!
- Using the "Legacy Network Adapter" is probably responsible for much of the CPU usage. The whole point in using a VM-tailored networking stack instead of a device emulation is to reduce CPU use. – Jake Oshins Apr 16 '10 at 20:31
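The second answer's VM settings (Legacy Network Adapter only, no Integration Services, a single virtual CPU) expressed as a script, as an added example rather than anything from the thread or the IPCop project. It assumes a host with the Hyper-V PowerShell module (Windows Server 2012 or later; the Server 2008 host in the question has no such module, so there the same settings are made by hand in Hyper-V Manager), a Generation 1 VM, and placeholder VM and switch names.

```powershell
# Added example, not from the original thread. Assumes the Hyper-V PowerShell
# module (Server 2012+). VM and switch names below are placeholders.
$VmName      = 'ipcop-fw'        # placeholder VM name
$RedSwitch   = 'vSwitch-RED'     # placeholder: external switch bound to the WAN-facing NIC
$GreenSwitch = 'vSwitch-GREEN'   # placeholder: switch carrying the LAN side

# Legacy adapters exist only on Generation 1 VMs, so refuse to continue otherwise.
$vm = Get-VM -Name $VmName
if ($vm.Generation -ne 1) {
    throw "$VmName is Generation $($vm.Generation); a Legacy Network Adapter needs Generation 1."
}

# Shut the VM down before changing hardware.
if ($vm.State -ne 'Off') { Stop-VM -Name $VmName -Force }

# 1. Replace any synthetic (VMBus) adapters with Legacy Network Adapters.
#    The synthetic adapter needs Integration Services drivers the IPCop kernel lacks;
#    the legacy adapter is an emulated Intel/DEC 21140 Fast Ethernet device, which is
#    the hardware the guest actually sees (handled by the Linux "tulip" driver).
Get-VMNetworkAdapter -VMName $VmName |
    Where-Object { -not $_.IsLegacy } |
    Remove-VMNetworkAdapter
Add-VMNetworkAdapter -VMName $VmName -IsLegacy $true -Name 'RED'   -SwitchName $RedSwitch
Add-VMNetworkAdapter -VMName $VmName -IsLegacy $true -Name 'GREEN' -SwitchName $GreenSwitch

# 2. Disable every integration service, as the answer recommends. Time
#    synchronization is the one the answer singles out; the guest should instead
#    keep its own clock with NTP so firewall log timestamps stay consistent.
Get-VMIntegrationService -VMName $VmName | Disable-VMIntegrationService

# 3. One virtual CPU, matching the guest kernel's single-core limit noted above.
Set-VMProcessor -VMName $VmName -Count 1

# Verification: print what the guest will see. Every adapter should report
# IsLegacy = True and every integration service Enabled = False.
Get-VMNetworkAdapter -VMName $VmName | Select-Object Name, IsLegacy, SwitchName
Get-VMIntegrationService -VMName $VmName | Select-Object Name, Enabled
```

Binding the RED adapter to an external switch that is dedicated to the WAN-facing physical NIC, with the host's own management traffic kept off that switch, is what keeps the untrusted side isolated from the parent partition; it does not remove the concern raised in the first answer, that a flaw in the host itself sits outside the firewall's control.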
I strongly recommend that the firewall box not be shared with other systems.
That said, I do virtualize my firewall. 1 VM in 1 Physical Box using XenServer. My reason to do that: snapshot ability, and real quick restore (grab another box, install XenServer, import .xva)