Is it recommended to run a firewall/router on a virtual machine?

Really, the right way to do things is the opposite of how you are approaching it, if security is a paramount concern. You'd want to run the router/firewall on the bare metal, and host a VM within that for standard desktop or server usage.

Forgive my crappy MS Paint illustration.

[illustration not reproduced]

If you bridge the VM's NIC and the LAN NIC (from the bare metal OS), they can appear as the same "LAN" interface for the purposes of firewalling or routing.

Most of the security issues would be if someone were to go up to the console while this is running and disable your router/firewall VM or disable bridging/unbind your NIC from the VM - or if someone were to remote into the system and do that. There's a possibility, as always, that malicious software could do something wacky.


You could do this, and use any VM software if you wanted, but the disadvantage is if you use something like ESX, you'll need to RDP into the desktop VM instead of directly accessing via console.



There are commercial products like Check Point's former "VSX" systems, which serve "virtual firewalls" on a given hardware base. If we talk about VMware or, better, cloud-based firewalling: you set up a firewall "in" the cloud to segment the "internal" cloud "network", not the communication between a cloud and another network.

The performance is very limited, and the performance in a cloud is shared. An ASIC-based firewall can do > 500 Gbps; a VMware-based firewall or switch does < 20 Gbps. As to the statement that the LAN NIC could catch a flu from the wire: you could also state that any intermediate device like a switch, router, or IPS could also get exploited by in-transit traffic.

We see this in "malformed" packets (aka frames, fragments, segments, etc.), so one could state that using "intermediate" devices is insecure. Also, the German NIST, called BSI, stated some years ago that virtual routers (like VDCs (Virtual Device Context - Cisco Nexus)) and VRF (Virtual Route Forwarding) are insecure. From a certain point of view, sharing resources is always a risk: a user can exploit resources and reduce service quality for all other users, which globally would place all VLAN and overlay technologies (like VPN and MPLS) in question.

If you have really high demands on security, I would use dedicated hardware and a dedicated network (including dedicated lines!). If you ask whether the hypervisor (especially on bare metal) is a special security problem in a common scenario... I would say no.


Typically, a virtual machine is connected to the network via a bridged connection (i.e. networking goes through the physical computer it's running on). To use the VM as a firewall means that all traffic can come into the physical computer, then the packets are sent to the VM, filtered, and then sent back out to the physical computer. Since the physical computer can take unfiltered packets and is responsible for distributing the packets to the rest of the network, this is exploitable to send unfiltered packets around the network.
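As an added example, not taken from any of the answers above, tying the first answer's bridging layout to this answer's concern that the host itself receives unfiltered packets: a small Python audit over constructed `ip -br addr show` and `bridge link show` output that flags the three host-side misconfigurations that leave the hypervisor, rather than the firewall VM, on the unfiltered path. The interface names, addresses and the `vnet0`/`vnet1` VM port names are assumptions for the sample.

```python
import re

# Constructed sample (not a real capture) in the `ip -br addr show` format on the
# hypervisor host: eth0 faces the WAN, eth1 the LAN, each bridged to the firewall VM.
SAMPLE_ADDRS = """\
eth0             UP             203.0.113.10/24
eth1             UP
br-wan           UP
br-lan           UP             192.168.1.2/24
"""
# Constructed sample in the `bridge link show` format; vnet0/vnet1 are the VM's ports.
SAMPLE_BRIDGE = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-wan state forwarding priority 32 cost 100
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-lan state forwarding priority 32 cost 100
7: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-wan state forwarding priority 32 cost 100
8: vnet1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-lan state forwarding priority 32 cost 100
"""

def parse_addrs(text):
    """Map interface name -> list of host addresses (empty when the host holds none)."""
    rows = (line.split() for line in text.splitlines() if line.strip())
    return {r[0]: r[2:] for r in rows}

def parse_bridges(text):
    """Map bridge name -> set of member ports."""
    out = {}
    for m in re.finditer(r"^\d+: (\S+): .*?\bmaster (\S+)", text, re.M):
        out.setdefault(m.group(2), set()).add(m.group(1))
    return out

def audit(addrs, bridges, wan_ports, lan_ports, ip_forward):
    """Return findings where the host itself, not the firewall VM, sits on the unfiltered path."""
    findings = []
    # 1. The host's IP stack must hold no address on the WAN NIC or on any bridge containing it.
    exposed = set(wan_ports)
    for bridge, ports in bridges.items():
        if ports & wan_ports:
            exposed |= ports | {bridge}
    for iface in sorted(exposed):
        if addrs.get(iface):
            findings.append(f"{iface} carries host address(es) {addrs[iface]} on the unfiltered side")
    # 2. A bridge holding both a WAN and a LAN port passes frames around the VM entirely.
    for bridge, ports in sorted(bridges.items()):
        if ports & wan_ports and ports & lan_ports:
            findings.append(f"{bridge} joins WAN {sorted(ports & wan_ports)} straight to LAN {sorted(ports & lan_ports)}")
    # 3. With forwarding enabled the host can route between its own interfaces around the VM.
    if ip_forward:
        findings.append("net.ipv4.ip_forward=1 on the host: host can route around the VM")
    return findings
```

On a real host, feed it the output of `ip -br addr show`, `bridge link show` and the value of `/proc/sys/net/ipv4/ip_forward`; an empty result means the only thing reachable on the WAN side is the firewall VM's port.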