
Firewall for VMware vSphere virtual machines

We have been using VMware vSphere in an environment where the VM administrators cannot be trusted: they are customers who purchase resources from us. A customer might use their virtual machine and its assigned public IPv4 address to spoof network packets, share illegal material over various P2P networks, or attack other VM guests on the local segment.
VMware offers no solution for these problems; the assumption is that ESX hosts sit inside a protected corporate environment. Networking is done via virtual switches, which implement very little network security.

What we need to prevent:

What we already have:

What we did:
We created a small virtual machine and installed OpenWrt on it, a small yet efficient Linux-based firewall/router distribution for embedded systems.

The VM parameters were:

CPU: 500 MHz
RAM: 32 MB
HDD: 64 MB
Network interfaces: 2

The actual image took only 10 MB, and that already included every tool we needed.
We then connected the VM's two interfaces between the protected VM and the outside network and created a software bridge across them.
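As an added example (not the post's own configuration), here is a boot-time shell script of the kind such a bridging firewall VM would run. It builds the two-port bridge and adds the Layer 2/3 anti-spoofing rules, a Layer 7 P2P rule and a local-segment containment rule that match the goals listed above. The interface names, the customer's MAC and IPv4 address, the subnet and the gateway are constructed placeholders, and the layer7 match assumes OpenWrt's iptables-mod-filter package is installed. With APPLY left at 0 the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not the original post's configuration.
# Bring-up script for a two-port transparent bridging firewall in front of one
# customer VM. Interface names, MAC/IP values, subnet and gateway are constructed
# placeholders (TEST-NET-2 addresses); the layer7 match assumes OpenWrt's
# iptables-mod-filter / kmod-ipt-filter packages are installed.

OUTSIDE_IF="${OUTSIDE_IF:-eth0}"   # port towards the uplink port group
INSIDE_IF="${INSIDE_IF:-eth1}"     # port towards the protected customer VM
BRIDGE="${BRIDGE:-br0}"
APPLY="${APPLY:-0}"                # 0 = dry run (print commands), 1 = execute them

# run_cmd: print the command in dry-run mode, otherwise execute it
run_cmd() {
    if [ "$APPLY" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# bridge_setup: build the transparent bridge and let iptables see bridged frames
bridge_setup() {
    run_cmd brctl addbr "$BRIDGE"
    run_cmd brctl addif "$BRIDGE" "$OUTSIDE_IF"
    run_cmd brctl addif "$BRIDGE" "$INSIDE_IF"
    run_cmd ip link set "$BRIDGE" up
    run_cmd sysctl -w net.bridge.bridge-nf-call-iptables=1
}

# antispoof_rules MAC IP: Layer 2/3 filter; only the assigned MAC and IPv4
# address may originate frames on the customer-facing port (ARP included)
antispoof_rules() {
    mac="$1"; ip="$2"
    run_cmd ebtables -A FORWARD -i "$INSIDE_IF" -s ! "$mac" -j DROP
    run_cmd ebtables -A FORWARD -i "$INSIDE_IF" -p IPv4 --ip-src ! "$ip" -j DROP
    run_cmd ebtables -A FORWARD -i "$INSIDE_IF" -p ARP --arp-mac-src ! "$mac" -j DROP
    run_cmd ebtables -A FORWARD -i "$INSIDE_IF" -p ARP --arp-ip-src ! "$ip" -j DROP
}

# p2p_rules: Layer 7 filter; drop BitTorrent flows leaving the customer VM
p2p_rules() {
    run_cmd iptables -A FORWARD -m physdev --physdev-in "$INSIDE_IF" \
        -m layer7 --l7proto bittorrent -j DROP
}

# local_rules SUBNET GATEWAY: the customer VM may reach the gateway but no other
# guest on the shared segment, so attacks on neighbouring VMs are contained
local_rules() {
    subnet="$1"; gateway="$2"
    run_cmd iptables -A FORWARD -m physdev --physdev-in "$INSIDE_IF" -d "$gateway" -j ACCEPT
    run_cmd iptables -A FORWARD -m physdev --physdev-in "$INSIDE_IF" -d "$subnet" -j DROP
}

# rule_count MAC IP SUBNET GATEWAY: number of filter commands the policy
# produces, a sanity check to run in dry-run mode before switching to APPLY=1
rule_count() {
    { antispoof_rules "$1" "$2"; p2p_rules; local_rules "$3" "$4"; } | wc -l | tr -d ' '
}

# Constructed sample customer (placeholder values)
bridge_setup
antispoof_rules 00:50:56:aa:bb:cc 198.51.100.10
p2p_rules
local_rules 198.51.100.0/24 198.51.100.1
```

Run it once with APPLY=0 to review the generated rule set, then with APPLY=1 on the firewall VM. The ebtables rules check the source MAC, the IPv4 source and the ARP sender fields before a frame is bridged, while enabling bridge-nf-call-iptables together with the physdev match lets iptables apply the Layer 3 and Layer 7 rules to the same bridged traffic.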

Benchmarking:
We ran tests on an ESX server (4.0) with a quad-core E5420 Xeon CPU.
Initiating P2P network traffic from the protected VM resulted in 100% CPU usage for the bridge VM, and the network throughput could not go any higher than 3.5 MB/s. Increasing the CPU limit for the VM resulted in linear growth of network throughput: with 1 GHz we had 7 MB/s, and without a CPU limit the CPU usage went up to 1.6 GHz, saturating our 100 Mbit/s uplink. Turning the firewall on and off with many Layer 2, 3 and 7 rules did not noticeably affect the throughput. At least we knew that the bottleneck was the CPU and the bridge itself, not the rule set.

The results were somewhat disappointing, so we started to dig further.
Our first guess was that the 32-bit bridge VM did not use the hardware virtualization technology in the CPU. To have VMware use the hardware method we had to port OpenWrt to x86_64. The task was neither easy nor trivial, but we managed to create an image. To our disappointment the results were nearly the same, if not worse. Checking through publications and papers we found that engineers at VMware made software virtualization perform better than Intel VT. URL
In almost every one of their benchmarks the software method was faster. Funny thing for Intel.

Bottom line:
We implemented our ideas in the bridging firewall VM, changed the port groups of the VMs to be protected, and now they are spam-, warez- and DoS-attack-free.

Do you need a production ready application-level firewall in your vSphere environment similar to this one? Contact Us!

Posted 2010/04/29 00:02 by jos


Comments

  1. May 13, 05:27 AM

    Dunhill leather watches Says:

    Thank you for sharing with me. Those are very beautiful and i hope that you continue to make more of them.

  2. May 17, 05:08 AM

    Bally it bags Says:

    This article is good, very good, let I learned a lot from ~ you don’t miss, hurry to join!

  3. May 19, 03:50 AM

    Longines watches for husband Says:

    Articles are moving every reader with heart, and full of appeal. Let us have to admire, thank your article!

  4. May 21, 03:38 AM

    Louis Vuitton bags for lady Says:

    Thank you! I LOVE this. I made one. I use it all the time. I will be posting a picture of mine and providing a link on my blog.

  5. Mar 10, 08:40 AM

    cheap lolita dresses Says:

    Greetings thanks for fantastic submit i used to be looking for this situation survive a couple of times. I will search for subsequent precious posts. Have enjoyable admin.

  6. Sep 29, 09:39 AM

    Lolita Dresses Says:

    Hey there thanks for wonderful post i was seeking this case survive a couple of times. I’ll look for subsequent valuable blogposts. Get pleasurable management.

  7. Sep 29, 11:20 PM

    Firewall Says:

    Hello are using Wordpress for your site platform?

    I’m new to the blog world but I’m trying to get started and create my own.
    Do you need any html coding knowledge to make your
    own blog? Any help would be greatly appreciated!

  8. Feb 13, 05:55 AM

    Twitter Marketing Says:

    I was suggested this website by my cousin.
    I’m not sure whether this post is written by him as nobody else know such detailed about my trouble. You are wonderful! Thanks!

  9. Mar 4, 01:27 AM

    should christians have anal sex Says:

    Hmm is anyone else encountering problems with the pictures on this blog loading?

    I’m trying to determine if its a problem on my end or if it’s the blog.
    Any feedback would be greatly appreciated.

  10. May 7, 03:34 AM

    www.celinebags-jp.com Says:

    Finkelstein wonders what number of will utilize automatic ones.

    I think it can be great to find out young people so committed
    for the political process – regardless of whether they favour another candidate.
    Some with the marketers even claim that the use brand promotion through tote bags is surely an outdated technique.
