Firewall at Hypervisor Level

tcabernoch (Portland, OR, www.gnetsys.net)
Apr 27, 2024
I just attended a VMUG where they brought in a heavy hitter that quite effectively made the case for their new product VMware vDefend Distributed Firewall (formerly known as VMware NSX Distributed Firewall). The primary focus of my job is getting us off of VMware, so I don't care about his product. If it's not free, it's a non-starter.

He did impress upon me the unique vantage point of the hypervisor as a place to interdict the spread of ransomware. With 80% of your enterprise virtualized, the hypervisor sees all. Its surveillance and interdiction capability cannot be circumvented like an agent. My NetAdmin, however, is unimpressed.

So here's my question(s).
  • What does the PVE firewall bring to the table that you can't get via your physical network stack?
  • I see it does Suricata. That's cool. How's that working out for folks?
  • Is there anything else wonderful about the PVE firewall? Or maybe is it a POS that I should stay away from?
 
What does the PVE firewall bring to the table that you can't get via your physical network stack?
It is aware of the guests and how your virtual network is set up, so you can very easily define specific rules for guests without having to hardcode IPs in external firewalls. Traffic that is going from one VM to another on the same bridge and host will never hit your physical network stack since it will just cross the virtual bridge, so a hypervisor firewall is the only way of firewalling that traffic (unless you do stuff like hairpinning traffic through an external firewall appliance).

We are also working on SDN integration and defining rules on a VNet level, so you can do fine-grained segmenting of your networks on the hypervisor layer.

I cannot really say anything about the Suricata integration, sorry.
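The reply above describes guest-aware rules and the same-bridge case in the abstract. As an added illustration (not code from the thread or from the Proxmox project), here is the minimal PVE firewall layout for exactly that scenario: named address sets at the datacenter level, a reusable security group that a database guest subscribes to, and the per-NIC flag that actually puts the guest behind the firewall. The addresses, VMID 201, the MAC and the set/group names are made up for the example.

```ini
# /etc/pve/firewall/cluster.fw  -- datacenter level, replicated to every node
[OPTIONS]
enable: 1                      # master switch; nothing below is applied until this is 1

# Named address sets. Rules reference the set, so a guest's IP is written once.
# (addresses are constructed for this example)
[IPSET web_tier]
10.10.1.11                     # web01 (VMID 101)
10.10.1.12                     # web02 (VMID 102)

[IPSET management]
192.0.2.0/24                   # admin jump subnet

# Security group: a rule bundle any guest can subscribe to with a GROUP line.
[group db_server]
IN ACCEPT -source +dc/web_tier -p tcp -dport 5432 -log nolog   # web tier may talk Postgres
IN DROP   -source +dc/web_tier -log warning                    # ...and nothing else, logged
IN ACCEPT -source +dc/management -p tcp -dport 22              # SSH only from the admin subnet

# /etc/pve/firewall/201.fw  -- the database guest (VMID 201 is hypothetical)
[OPTIONS]
enable: 1
policy_in: DROP                # default-deny inbound; the group below punches the holes
policy_out: ACCEPT

[RULES]
GROUP db_server -i net0        # apply the bundle to this guest's first NIC

# /etc/pve/qemu-server/201.conf  -- the line that matters: firewall=1 on the NIC.
# Without it the tap device sits directly on vmbr0 and 201.fw is never applied.
# (MAC is a placeholder)
net0: virtio=BC:24:11:00:00:01,bridge=vmbr0,firewall=1
```

The practitioner check after writing this is `pve-firewall compile` on the node, which prints the generated netfilter rules without loading them, followed by `pve-firewall status`. Two caveats worth knowing before trusting the result: the `firewall=1` NIC option is what makes the host insert its own filtering bridge between the guest's tap device and `vmbr0`, so the rules above filter web01-to-db traffic even when both guests share a node and the packets never reach a physical port; and because those rules live in the host kernel, not in the guest, a compromised guest cannot switch them off the way it could stop an in-guest agent. The same mechanism also means a NIC added later without `firewall=1` is silently unfiltered, so that flag is the first thing to audit when a rule "doesn't work".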
 
Thank you. I do appreciate your reply.

Your point about traffic between VMs on the same host is clear and well founded. Ok, so that could only be firewalled on the virtual network at the hypervisor level. This is the unique value-add of the hypervisor firewall.

Ok, so SDN support is lacking at the moment? That's not a show-stopper for me.

My curiosity about Suricata is ... well if I (personally) was going to manage a firewall, I'd want to run an IDS, at very least in observation mode. I've had terrible times with Suricata, myself. It's not the easiest tool to use.
 
