Is a virtual firewall (router) more secure than a physical firewall?



  • We have decided to implement virtual firewalls, which will be hosted by a Windows Server 2016 via Hyper-V. The hypervisor will also host the DB and DC. However, the firewall will be configured with its own dedicated NIC on the hypervisor. We're having some discussions on the pros and cons. One of them would be that there would be a single point of failure: if the hypervisor were to go down, they would then lose internet. Any other pros and cons that you know of? Would it be more secure this way?



  • You already have a virtual firewall included with every Windows installation: Windows Firewall.

    But to answer the question, if you lose control over a physical or virtual device, you have lost everything (that is secured) so I'd consider them equally vulnerable.



  • @DustinB3403

    I should have been a little more specific. This customer once had a physical Watchguard router, which will now be a virtual Watchguard hosted on their hypervisor via Hyper-V. I never really hear about virtual router implementations, which is why I'm a little confused why our group decided to implement this way of routing their traffic. I imagine it's cost saving, since you would only have to pay for the license and not the hardware from Watchguard.



  • So my $0.02:

    "Security" is a fleeting and oft-misabused idea... The capacity to secure the client's network should be the same for a firewall properly implemented as a VM or as a physical appliance. Off the top of my head, implemented properly means that you're not sharing a NIC, vswitch or anything else with any other guests, and that the hypervisor and host are kept fully patched.

    Off the cuff, it's easier to ensure the level of security on a physical firewall or appliance as there are fewer moving parts; as a VM you have to keep on top of updates to the firewall VM as well as the underlying hypervisor and the physical host. Failing to do so leaves you open to inter-VM snooping attacks using SPECTRE / MELTDOWN and their associated vulnerabilities.
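    A Hyper-V check for the "dedicated NIC, nothing shared with other guests" condition described above, added here as an example and not something posted in the thread. The firewall VM name `fw-vm` and the WAN-side switch name `WAN` are placeholders; run it on the host as an administrator.

```powershell
# Constructed audit script (not from the thread). Assumes the firewall VM is
# named "fw-vm" and its WAN-facing Hyper-V switch is named "WAN" (placeholders).
$FirewallVm = 'fw-vm'
$WanSwitch  = 'WAN'
$findings   = @()

$sw = Get-VMSwitch -Name $WanSwitch -ErrorAction Stop

# 1. The WAN switch must be External (bound to a physical NIC), not Internal/Private.
if ($sw.SwitchType -ne 'External') {
    $findings += "Switch '$WanSwitch' is $($sw.SwitchType); expected External on a dedicated NIC."
}

# 2. The management OS must not share the WAN NIC, otherwise the hypervisor itself
#    has an interface on the untrusted side of the firewall.
if ($sw.AllowManagementOS) {
    $findings += "Management OS shares '$WanSwitch'. Fix: Set-VMSwitch -Name $WanSwitch -AllowManagementOS `$false"
}
$hostAdapters = Get-VMNetworkAdapter -ManagementOS | Where-Object SwitchName -eq $WanSwitch
foreach ($a in $hostAdapters) {
    $findings += "Host vNIC '$($a.Name)' is attached to '$WanSwitch'."
}

# 3. Only the firewall VM may have an adapter on the WAN switch.
$otherVms = Get-VMNetworkAdapter -VMName * |
    Where-Object { $_.SwitchName -eq $WanSwitch -and $_.VMName -ne $FirewallVm }
foreach ($a in $otherVms) {
    $findings += "VM '$($a.VMName)' has adapter '$($a.Name)' on '$WanSwitch'; only '$FirewallVm' should."
}

# 4. The physical NIC behind the switch should carry no host IP stack
#    (Hyper-V unbinds TCP/IP when AllowManagementOS is off; verify nobody re-enabled it).
$physical = Get-NetAdapter | Where-Object InterfaceDescription -eq $sw.NetAdapterInterfaceDescription
$ipBindings = Get-NetAdapterBinding -Name $physical.Name |
    Where-Object { $_.ComponentID -in 'ms_tcpip', 'ms_tcpip6' -and $_.Enabled }
foreach ($b in $ipBindings) {
    $findings += "Binding $($b.ComponentID) is enabled on physical NIC '$($physical.Name)'."
}

if ($findings.Count -eq 0) { "OK: '$WanSwitch' is dedicated to '$FirewallVm'." } else { $findings }
```

    Any line of output other than the OK line is a configuration that lets a host or another guest sit on the outside of the firewall; the checks do not cover patch level, which the post treats as a separate requirement.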



  • @Fredtx said in Is a virtual firewall (router) more secure than a physical firewall?:

    @DustinB3403

    I should have been a little more specific. This customer once had a physical Watchguard router, which will now be a virtual Watchguard hosted on their hypervisor via Hyper-V. I never really hear about virtual router implementations, which is why I'm a little confused why our group decided to implement this way of routing their traffic. I imagine it's cost saving, since you would only have to pay for the license and not the hardware from Watchguard.

    The hardware is barely a cost - EdgeRouters are a clear showing of that, and Ubiquiti still makes a profit on their very inexpensive boxes.



  • @notverypunny said in Is a virtual firewall (router) more secure than a physical firewall?:

    as a VM you have to keep on top of updates to the firewall VM as well as the underlying hypervisor and the physical host. Failing to do so leaves you open to inter-VM snooping attacks using SPECTRE / MELTDOWN and their associated vulnerabilities.

    This seems to be the biggest reason not to do this. You're exposing more potential vulnerabilities to the outside world by exposing your VM host to the outside world this way.

    Wasn't there a direct vulnerability a few years ago against VMware - if someone had direct access, like this, they could own the box? Sure, Travis is posting nearly daily on how Cisco devices have this issue as well, but at least if they only breach the firewall, they don't automatically breach your internal security, your VMs, etc. It would take more work.



  • @Fredtx said in Is a virtual firewall (router) more secure than a physical firewall?:

    @DustinB3403

    I should have been a little more specific. This customer once had a physical Watchguard router, which will now be a virtual Watchguard hosted on their hypervisor via Hyper-V. I never really hear about virtual router implementations, which is why I'm a little confused why our group decided to implement this way of routing their traffic. I imagine it's cost saving, since you would only have to pay for the license and not the hardware from Watchguard.

    Physical is more secure, for two reasons. One, less software to attack. Second, less networking to attack. That's not to say that virtual isn't secure, but when comparing, it is less secure.



  • Thanks everyone for y'all's input, as I value the knowledge. This all makes perfect sense. I was just chatting with my colleagues about these details and they are making sense of it too.

