Security comparing/setting VM or Bare metal

Mar 19, 2018
Hi all,

I want (maybe) to set up a firewall/gateway on Proxmox.

I need to know whether it is good or not to virtualize this kind of machine.
Or must it be installed on bare metal for security reasons?
I have read through the internet, but I did not get a clear answer on whether it is possible to set it up safely.

My idea to do that is as follows.

NIC with 4 ports on the host.

internet -> Router -> nicPort1 -> Linux bridge1 -> (Gateway) -> LinuxBridge2 -> nicPort2 -> switch -> internal network

On the host, in the network configuration, there are no settings for the NIC port directly. Only the setting for the bridge.
On this NIC port only one bridge is running, nothing else.
Is this safe, or the wrong way?
Is there, for security reasons, a difference if I set it up with PCI passthrough instead of a Linux bridge?
See my network settings below.

Code:
iface enp161s0f1 inet manual

auto vmbr5
iface vmbr5 inet manual
        bridge-ports enp161s0f1
        bridge-stp off
        bridge-fd 0
# directly to the LanCom router


Many thanks for help and ideas.

Best regards
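The property the config above relies on is that the host itself has no layer-3 presence on the WAN-facing bridge and that the NIC port belongs to exactly one bridge. As an added example (not code from the post or from Proxmox), the POSIX shell audit below reads an /etc/network/interfaces file and checks exactly that for a named bridge; the sample file, vmbr0 and vmbr6 are constructed for the demonstration, only vmbr5 and enp161s0f1 come from the post.

```shell
#!/bin/sh
# write_sample_interfaces FILE: writes a constructed Proxmox /etc/network/interfaces.
# vmbr5/enp161s0f1 mirror the post's WAN bridge; vmbr0 is a usual management
# bridge; vmbr6 is deliberately wrong (host IP, port shared with vmbr0).
write_sample_interfaces() {
    cat > "$1" <<'EOF'
iface enp161s0f0 inet manual
iface enp161s0f1 inet manual
auto vmbr0
iface vmbr0 inet static
        address 192.0.2.10/24
        bridge-ports enp161s0f0
auto vmbr5
iface vmbr5 inet manual
        bridge-ports enp161s0f1
auto vmbr6
iface vmbr6 inet static
        address 198.51.100.2/24
        bridge-ports enp161s0f0
EOF
}
# audit_wan_bridge FILE BRIDGE: may BRIDGE be given to the firewall VM as its WAN
# side? The host must hold no IP on the bridge or its NIC port, and the port must
# not be enslaved to any other bridge. Prints findings; returns 0 only when clean.
audit_wan_bridge() {
    awk -v want="$2" '
    /^iface / { cur = $2; seen[cur] = 1; if ($4 != "manual") hasip[cur] = 1 }
    /^[ \t]*(address|gateway) / { hasip[cur] = 1 }
    /^[ \t]*bridge[-_]ports/ {
        for (i = 2; i <= NF; i++) {
            if ($i == "none") continue
            owners[$i] = owners[$i] " " cur      # every bridge that enslaves this port
            if (cur == want) ports = ports " " $i
        }
    }
    END {
        rc = 0
        if (!seen[want]) { printf "FAIL %s: bridge not defined\n", want; exit 1 }
        if (ports == "") { printf "FAIL %s: no NIC port attached\n", want; rc = 1 }
        if (hasip[want]) { printf "FAIL %s: host holds an IP on the WAN bridge\n", want; rc = 1 }
        n = split(ports, p, " ")
        for (i = 1; i <= n; i++) {
            if (hasip[p[i]]) { printf "FAIL %s: port %s has a host IP\n", want, p[i]; rc = 1 }
            if (split(owners[p[i]], o, " ") > 1) { printf "FAIL %s: port %s shared by%s\n", want, p[i], owners[p[i]]; rc = 1 }
        }
        if (!rc) printf "OK   %s: no host IP, dedicated port:%s\n", want, ports
        exit rc
    }' "$1"
}
```

Run it against the real file with `audit_wan_bridge /etc/network/interfaces vmbr5`; a management bridge such as vmbr0 is expected to fail, since it is meant to carry the host IP.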

ph0x

Active Member
Jul 5, 2020
As usual: it depends.
Putting the networks on bridges gives an attacker another attack vector, but you have to assess if this is realistic, i.e. can the bridge be used from anywhere else (probably not).
Same goes for VM vs bare metal. If the firewall has a 0-day then an attacker can control the networks, regardless of whether it is virtual or not. There are other ways to move laterally than breaking out of a VM, but it is another attack vector.
On the other hand, a virtual firewall can be rolled back if you misconfigured it, it can be in a HA state, so there are also advantages.

So it all boils down to your security assessment combined with the financial effort you want to put in there. Personally, I have a bare metal firewall, but only since I had that before my HA Proxmox cluster. Maybe I will switch to a VM if it dies someday ...
Mar 19, 2018
Thank you very much for your response.
I have already thought further about this topic.

ATM a bare-metal one is running, but the hardware is out of date. My Proxmox cluster is brand new with more power than I need.
With that, I started to think about virtualizing my firewall.

Maybe I will do a hybrid solution as "half HA".

I will use the VM as a backup solution for a while if the bare metal breaks.
In this case I don't need a second piece of hardware already finished.
I have time to repair and set up the new metal. During this time I can provide my network services in a clone of my bare metal as a VM.

Best regards
