<div dir="ltr"><div class="im" style="font-family:arial,sans-serif;font-size:13px">On Fri, May 31, 2013 at 5:11 PM, Edward Ned Harvey (bblisa4) <span dir="ltr"><<a href="mailto:bblisa4@nedharvey.com" target="_blank">bblisa4@nedharvey.com</a>></span> wrote:<br>
</div><div class="gmail_extra" style="font-family:arial,sans-serif;font-size:13px"><div class="gmail_quote"><div class="im"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>Be aware that, for a security device, you're not supposed to run it as a VM, just because you might be vulnerable to hypervisor attacks and so forth. But as long as you take that into consideration - I do it myself.<br>
<br></blockquote><div>(Sorry, Ned, meant to reply on-list, but just replied to you.)</div><div><br></div></div><div> That's not a very compelling argument. I've been at firms that deployed VM-based security devices and passed audits. Plenty of vendors have OVA/OVF versions of their appliances. You have to secure your hypervisor layer, just like you have to secure the physical environment for physical hardware devices. </div>
<div><br></div><div>Aaron - not knowing your budget, it's tough to make recommendations. At my last place, we used these: <a href="http://www.juniper.net/us/en/products-services/security/vgw-series/">http://www.juniper.net/us/en/products-services/security/vgw-series/</a></div>
<div>But that's just a firewall, AFAIK - it doesn't also handle remote access/VPN. </div></div></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, May 31, 2013 at 5:11 PM, Edward Ned Harvey (bblisa4) <span dir="ltr"><<a href="mailto:bblisa4@nedharvey.com" target="_blank">bblisa4@nedharvey.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">> From: <a href="mailto:bblisa-bounces@bblisa.org">bblisa-bounces@bblisa.org</a> [mailto:<a href="mailto:bblisa-bounces@bblisa.org">bblisa-bounces@bblisa.org</a>] On<br>
> Behalf Of Aaron Macks<br>
><br>
> I'm going to be setting up a small stand-alone virtual environment soon.<br>
> My instinct is to make a VM based on iptables and ipmasq to act as a<br>
> gateway/firewall for the rest of the VMs, but it occurs to me that there<br>
> may now be better virtual firewalls out there. Note that it doesn't<br>
> have to be a virtual appliance that just gets uploaded and booted,<br>
> something installable is fine, but I want something more specialized<br>
> than plain Linux. Does anyone have any suggestions?<br>
<br>
Be aware that, for a security device, you're not supposed to run it as a VM, just because you might be vulnerable to hypervisor attacks and so forth. But as long as you take that into consideration - I do it myself.<br>
<br>
I recommend and use pfSense. (There are others out there, such as m0n0wall, which I think pfSense is based on, but I prefer pfSense over m0n0wall.)<br>
<br>
<br>
> Required features: VPN (IPSEC ideally, SSL-based acceptable, PPTP not<br>
> acceptable), port forwarding, NAT, other normal firewall stuff<br>
<br>
For site-to-site, the IPsec is present, and ideal. For mobile connectivity, IPsec can be used ... but it's not ideal due to the complexity of configuring clients, and the difficulty of finding good clients. For mobile connectivity, I would say look at OpenVPN instead of (or in addition to) the IPsec mobile VPN solution. It's SSL based. In pfSense, you can install the OpenVPN plugin (I forget what it's called exactly, but if you just look under the installable modules page, you should find it easily.) Then with a few clicks on the web interface, you create your CA, you create some users, create certs for those users, and download the per-user config files and cert files needed by the OpenVPN client or Tunnelblick.<br>
<br>
<br>
_______________________________________________<br>
bblisa mailing list<br>
<a href="mailto:bblisa@bblisa.org">bblisa@bblisa.org</a><br>
<a href="http://www.bblisa.org/mailman/listinfo/bblisa" target="_blank">http://www.bblisa.org/mailman/listinfo/bblisa</a><br>
</blockquote></div><br></div>
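The OpenVPN setup Ned describes above (create a CA, create users and their certs, hand each user a config file) carried out by hand with the openssl CLI and assembled into the single per-user profile an OpenVPN client or Tunnelblick imports. This is an added example, not code from the thread or from pfSense's own tooling; it needs only a POSIX shell and the openssl binary. The hostname vpn.example.invalid, the user name, and the temporary working directory are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or pfSense): the PKI steps done in
# pfSense's web UI, reproduced with the openssl CLI, then bundled into one
# .ovpn profile per user. Names and hostname below are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"
VPN_HOST="vpn.example.invalid"   # placeholder, not a real endpoint

# 1. Create the CA: a self-signed cert; in practice keep ca.key off the VPN box.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "/CN=Example OpenVPN CA" 2>/dev/null
}

# 2. Create a user key + CSR and sign it with the CA.
#    extendedKeyUsage=clientAuth keeps a user cert from ever passing as a server.
issue_client() {
    user="$1"
    printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' > "$WORK/client.ext"
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/$user.key" -out "$WORK/$user.csr" \
        -subj "/CN=$user" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORK/$user.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/client.ext" -out "$WORK/$user.crt" 2>/dev/null
}

# 3. Assemble the per-user profile with CA, cert and key inlined, so the user
#    receives one file. remote-cert-tls server makes the client refuse a peer
#    whose cert lacks the server EKU (e.g. another user's client cert).
build_profile() {
    user="$1"
    out="$WORK/$user.ovpn"
    {
        printf 'client\ndev tun\nproto udp\nremote %s 1194\n' "$VPN_HOST"
        printf 'nobind\npersist-key\npersist-tun\n'
        printf 'remote-cert-tls server\ncipher AES-256-GCM\nverb 3\n'
        printf '<ca>\n';   cat "$WORK/ca.crt";      printf '</ca>\n'
        printf '<cert>\n'; cat "$WORK/$user.crt";   printf '</cert>\n'
        printf '<key>\n';  cat "$WORK/$user.key";   printf '</key>\n'
    } > "$out"
    chmod 600 "$out"   # the profile carries the user's private key
    echo "$out"
}

# Sanity check: the issued cert chains to the CA and carries the client EKU.
verify_client() {
    user="$1"
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/$user.crt" >/dev/null 2>&1 &&
    openssl x509 -in "$WORK/$user.crt" -noout -text |
        grep -q 'TLS Web Client Authentication'
}

# Usage: sh make_profile.sh alice   (prints the path of alice.ovpn)
if [ $# -gt 0 ]; then
    make_ca
    issue_client "$1"
    build_profile "$1"
    verify_client "$1" && echo "profile OK"
fi
```

Two settings in the script do the work that matters for a remote-access deployment: the `extendedKeyUsage=clientAuth` extension on every user cert, and `remote-cert-tls server` in the profile. Together they stop a legitimately issued user credential from being turned around to impersonate the VPN server to other users. The profile file contains the private key, which is why it is created mode 600 and should reach the user over a channel you trust, not list mail.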