Using the previously described vSphere lab, I created a dedicated IPCop firewall as a virtual machine to secure my home networks.
My Virtual Firewall
by Brian Drew
Last time I shared my home vSphere environment that I use to test and train on. I got a lot of positive feedback and wanted to follow up with my virtual firewall configuration.
Prior to implementation I had a Comcast cable modem and the Windows Firewall on each PC. That was the extent of it, and I knew better. I needed something stronger.
AGENDA
• Overview
• Before and After
• Physical and Logical Components
• Next Steps
OVERVIEW
As always, the information contained within is not meant to be an exhaustive how-to manual but rather represents what I used to build a secure network using my virtual lab.
I used IPCop, an open-source solution, on a virtual machine. The only “stickler” is the network config, but that is easy too. The end result is a decent, dedicated firewall and a little extra learning to boot.
• I feel good about the IPCop solution. I might give Microsoft Forefront Threat Management Gateway a try when I get some free time, but for now I’m satisfied.
• I thought it worth showing before and after pics to get the overall gist of things.
• This is the BEFORE:
AFTER - PHYSICAL
• By using that 3rd NIC in each HP ProLiant MicroServer I was able to create the required environment.
• Caveat: notice the unused on-board NIC on the other ESXi host.
• In vSphere the networking looks like this on both hosts. I did not use vDS this first time around.
• Notice the IPCop VM is on 2 virtual switches.
• The corresponding physical connections are then made.
AFTER - LOGICAL
• The IPCop server is now set as the default gateway for all devices on that LAN segment.
• All packets, inbound and outbound, must go through the firewall.
• Security is now up to the configuration of IPCop.
• To me that is a LOT better than having individual firewalls on each PC and virtual machine.
• Make sure to turn all of those host firewalls off if you go this route.
• You still need anti-virus.
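The two invariants behind that logical layout are that only the firewall VM straddles the outside (RED) and inside (GREEN) virtual switches, and that every inside device uses the firewall as its default gateway. The script below is an added example, not part of the original deck: it audits a constructed inventory (VM names, port-group names and addresses are invented) against those two rules, so a VM accidentally attached to the outside switch or pointed at another gateway shows up as a finding.

```python
# Added example (not from the slides): audit a constructed vSphere inventory against the
# two-vSwitch IPCop design. Only the firewall VM may sit on both the outside (RED) and
# inside (GREEN) port groups, and every inside device must use the firewall as gateway.
from dataclasses import dataclass
from typing import List

RED, GREEN = "RED (cable modem)", "GREEN (home LAN)"   # constructed port-group names

@dataclass
class Vm:
    name: str
    portgroups: List[str]
    ip: str = ""            # address on GREEN, "" if unknown
    gateway: str = ""       # configured default gateway, "" for the firewall itself

def audit(vms: List[Vm], firewall: str) -> List[str]:
    """Return a list of findings; an empty list means the layout matches the design."""
    findings = []
    by_name = {vm.name: vm for vm in vms}
    fw = by_name.get(firewall)
    if fw is None:
        return [f"firewall VM {firewall!r} not found in inventory"]
    if set(fw.portgroups) != {RED, GREEN}:
        findings.append(f"{firewall} must be on exactly RED and GREEN, has {fw.portgroups}")
    for vm in vms:
        if vm.name == firewall:
            continue
        if RED in vm.portgroups:
            # Anything on RED reaches the modem directly and bypasses the firewall.
            findings.append(f"{vm.name} is attached to RED; traffic would bypass {firewall}")
        if GREEN in vm.portgroups and vm.gateway != fw.ip:
            findings.append(f"{vm.name} default gateway is {vm.gateway!r}, expected {fw.ip}")
    return findings

# Constructed sample inventory (names and addresses invented for the example).
SAMPLE = [
    Vm("ipcop", [RED, GREEN], ip="192.168.1.1"),
    Vm("vcenter", [GREEN], ip="192.168.1.10", gateway="192.168.1.1"),
    Vm("dc01", [GREEN], ip="192.168.1.11", gateway="192.168.1.1"),
    Vm("testbox", [GREEN, RED], ip="192.168.1.20", gateway="192.168.1.254"),  # misconfigured
]

if __name__ == "__main__":
    for line in audit(SAMPLE, "ipcop") or ["OK: layout matches the design"]:
        print(line)
```

Feeding it a real inventory means replacing SAMPLE with data pulled from vSphere and the guests; the checks themselves do not change.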
IT’S BEAUTIFUL
NEXT STEPS
• Go through the IPCop documents and button things up if desired.
• Other services that can be enabled include DHCP, NTP and Intrusion Detection; all are already “in the box” waiting to be enabled.
• I use all the services now and point the ESXi servers at it for NTP. The Intrusion Detection is particularly interesting.
• Back to that unused network port. Regretfully, since I don’t have sophisticated equipment at home, when an ESXi host failure occurs I need to move the crossover cable to the other, live ESXi host. Everything else will take care of itself.
• THE END