Re: virtual firewalls -- compliance May 13 2008 05:25AM
Chris Brenton (cbrenton chrisbrenton org)

On Thu, May 8, 2008 at 3:37 PM, Terry <td3201 (at) gmail (dot) com> wrote:
> Hello all,
>
> I am throwing around the idea of using linux firewalls in
> vmware for customer environments. The customers may or may
> not have HIPAA/PCI/SOX/etc requirements. This is in the
> planning stages. Any of you have experience heading down this
> route? PCIDSS doesn't explicitly state problems with virtual
> firewalls, it seems to focus on the logic of the rules.

<soap box>
Personally, I hate using specs to try and define the level of security.
They tend to reflect the lowest common denominator and motivate
organizations to "audit well" rather than perform a true risk analysis
and deploy a security solution which matches that business need.
</soap box>

The above specs are general enough that a pass/fail is going to depend
on who is doing the analysis. For example, as you mentioned above,
section 1 of PCI does not define a required architecture for a firewall.
So if you are running virtual it's going to depend on the auditor's
interpretation of PCI as to whether you pass/fail. Of course these days
auditing is a commodity. If you don't like the results you get from one
auditor, simply bring in another. There is nothing in PCI that says you
can't do that. ;-)

I think the bigger question here is "Is virtualizing a perimeter device a
good idea for our environment?". It certainly has some pluses in that it
can reduce hardware costs and simplify management. I can see where
virtualization would be attractive to anyone selling a managed security
solution. This is why you are seeing companies like Fortinet, Juniper,
Cisco, Checkpoint, etc. moving their higher end products into this
arena.

When we start asking ourselves "is it safe?", however, I think the answer
changes a bit. If I'm running two virtual firewalls for two different
clients, I'm relying on bug free software to maintain that separation.
Personally I have yet to see a single vendor prove they can write code
well enough for that.

In my travels I've seen clients get whacked because they have relied on
VLANs to segregate their DMZ and internal network (which can be argued
is a "virtual system" because it's nothing more than multiple virtual
switches running on a single piece of hardware). So now let's move that
problematic technology to the underlying architecture of the firewall...
and what could possibly go wrong. ;-)

So the bottom line is I would rely on a risk assessment rather than a
specification to decide if it's a good idea. If from a business
perspective the benefits outweigh the potential security risks, you are
good to go. If you decide virtual systems introduce too much of a risk
exposure, avoid the implementation.

HTH,
Chris

Copyright 2008, SecurityFocus