r/sysadmin 1d ago

Internal firewall Question

Hi, we have a simple setup hosted in a data center: firewall, switch, virtual machines. The VMs are mostly web servers and database servers. We are looking to separate the two into a production network and a data network and firewall the two apart. I know I can do this with VLANs and use the main firewall to control access to the data network, but it feels like if the edge firewall has access to the data network it defeats the purpose of having them on a separate network. Are there any recommendations for a software firewall I can create as a VM that is free or cheap and is not the standard pfSense and such? The main firewalls are WatchGuards and I know I can get a WatchGuard VM, but the cost seems high for what it is going to do. What is typically used in the enterprise as a simple internal firewall?

1 Upvotes

15

u/theolint 1d ago

I'm not sure why you think it defeats the purpose of the firewall to have external and internal zones on the same device. A lot of mid-sized enterprises I work with route all subnets and terminate WAN connectivity on a single pair of Palo or Fortigate firewalls. It looks like those Firebox virtual firewalls are not very expensive, so if they cost too much for "what it is going to do", you need to consider if the added firewall and complexity is really bringing value.

If you want to run something free, I'm not sure why you are asking for "not the standard pfsense and such". What does "and such" include? There are not many free, excellent, widely used software firewall platforms. It basically boils down to OPNsense, or pfSense if you don't care about CE being diverged from the commercial product, or VyOS if you don't care about only having nightly rolling builds.

4

u/NuAngel Jack of All Trades 1d ago

100% this comment is what I was basically going to write. No idea why VLANs aren't good enough for OP's purpose. Also no idea why something like pfsense is ruled out when it precisely meets the criteria.

OP downvoted.

1

u/drc997 1d ago

Didn't say VLANs are not good enough. Also didn't rule out pfSense. Just was asking a wider audience if there was something that fits the bill better that I am missing.

3

u/theolint 1d ago

Ah, I see what you are asking now, it sounded like you explicitly did not want to use one of the popular open/free firewall options. In that case, OPNsense is the only real sensible option for an open firewall platform for a small to mid-size business (IMO). There aren't any other diamonds in the rough hiding out there to my knowledge.

Probably you would be best served investing the same time into refining your WatchGuard firewall setup, and just do all inter-VLAN routing there. The only limitation you may find is if you need routing between two of those VLANs to be faster than what the firewall can do. In that case you'll need another firewall that has higher routing throughput, or you'll need to do routing at an L3 switch, but that will substantially limit traffic filtering options.

10

u/YSFKJDGS 1d ago

The edge firewall being able to handle both networks does NOT defeat the purpose as long as you have half a brain to keep it properly secured. It is entirely fine to use the same box.

2

u/FatBook-Air 1d ago

Some environments (e.g., many governments, even local governments) are required to have separate boxes: one separating the internal network from the public internet, and one in front of all servers. The idea is that because the external one is exposed to the public internet without mitigation, it should be assumed compromised at all times.

u/YSFKJDGS 18h ago

Yep I definitely get that, but the mindset of "two is better" or that it will somehow save your ass from being terrible at configurations is the misnomer I am trying to argue against. If you suck at managing one, managing a second isn't your saving grace heh.

Back when I used to handle PCI we were able to skirt that rule by explaining how the virtual routers and stuff worked, but in our audits we also proved every single firewall rule was working as expected as well.

u/FatBook-Air 17h ago

Oh, I haven't heard that exact mindset before. The only reason I know of that would be a (good-ish) reason to have both is that you want to protect something specific in your network, and you want to buy some time between when the more-external firewall is compromised to the time when attackers can get to the more-interior firewall.

Other than that, I cannot imagine someone setting up two just to have two. Lol

-1

u/drc997 1d ago

I'm sure most of the companies that were breached in the last decade had half a brain and thought they were properly secured also. While entirely possible, routing access to sensitive data using the edge firewall doesn't seem like a smart option. Sorry, sticking to my guns here and going to find a better way.

2

u/mkosmo Permanently Banned 1d ago

It's still standard practice in even the most highly regulated and secure environments. Anything that requires additional isolation is effectively required to be airgapped, which doesn't do you much good for what you described.

If you want to layer more, HIPS (or host-based firewall) is an option. Since they're VMs, you can also leverage your hypervisor's security group features.

-1

u/[deleted] 1d ago edited 1d ago

[deleted]

1

u/mkosmo Permanently Banned 1d ago

Now you're confusing two issues. The firewall segmentation has nothing to do with ALGs. They don't replace each other, but add additional capabilities to one another.

And with more modern security tooling, the idea of centralized ALGs is quickly going the way of the dodo except in legacy deployments where the modern tooling isn't compatible with the equipment or workflows.

1

u/QuantumRiff Linux Admin 1d ago

How is a hypervisor-based firewall running on the same hardware as the VMs going to improve your security? If nothing else, you now have two devices with different configs, monitoring, and updating...

1

u/YSFKJDGS 1d ago

Most of the companies breached either had poor firewall rule segmentation, which dual boxes won't help with for that type of poor config, or they left devices unpatched, which again dual boxes don't solve by default.

If you can name a breach where the firewall itself was popped and allowed access to internal networks I am all ears, because the only ones you are going to find will be VPN-based attacks, or maybe undisclosed ones where people left their management interfaces exposed to the internet. And the VPN/management issue is not going to be solved by dual boxes without proper config, which then significantly reduces that type of risk.

With modern firewalls running multiple different virtual routers, VLANs, proper rules, the dual box stuff doesn't help much. With modern devices, dual boxes really solve the problem of patch management when you've got something like a VERY high availability zone such as manufacturing, where those firewalls are nested far enough down that not patching them is more acceptable.

4

u/superrob1500 Jr. Sysadmin 1d ago

Some device on the network is gonna have to have access to both networks for routing purposes; I don't see where the virtualized firewalls help with anything. Even if the idea is sound, I think you're at a classic triangle/pick 2 problem here, if I'm understanding you correctly:

  • You want a virtualized Firewall.

  • You want it to be enterprise grade.

  • You want it to not be expensive or free.

It cannot be all 3.

1

u/drc997 1d ago

Your understanding is close. I realize some device is going to have access to both for routing purposes, I just don't think it should be the same one that's connected to the public internet. As for the triangle, it can't be applied to every situation. A large portion of the world is run on enterprise grade, free, virtualized software.

3

u/superrob1500 Jr. Sysadmin 1d ago

> I realize some device is going to have access to both for routing purposes, I just don't think it should be the same one that's connected to the public internet.

Well, friend, I have to say that if you don't trust your edge firewall to stop outside intrusions, I think you have other problems that adding layers of obfuscation and management complications won't necessarily fix.

> As for the triangle, it can't be applied to every situation. A large portion of the world is run on enterprise grade, free, virtualized software.

I don't think that was implied, it does definitely apply here though.

2

u/jocke92 1d ago

If you don't have the budget for a separate unit or a real VM, use the WatchGuard you already have and just make a production zone.

2

u/mahsab 1d ago

Enterprise and cheap. Pick one.

Usually people just stick another expensive firewall internally and that's it.

0

u/circularjourney 1d ago

nftables covers both.

1

u/unstopablex15 1d ago

OPNsense

1

u/_BoNgRiPPeR_420 1d ago

Most SMB networks only have the corporate edge firewall and all servers are accessible behind it. I'm usually impressed when they even have servers in their own VLAN - you'd think it's common sense in 2024, but apparently not.

Using a trunk up to the edge firewall and having that separate/inspect traffic to the server VLAN is a common approach that saves buying more internal firewalls. If you really need another physical set for compliance reasons or whatever, I'd just get something inexpensive like a Fortigate (or pfSense if you just need basic rules) and call it a day. If going the separate device route and you want all of the bells and whistles of an NGFW, I'd recommend using a different brand than the one at your perimeter, otherwise it's the same rule engines scanning all outbound traffic twice.

1

u/AffekeNommu 1d ago

Do all databases only talk to application servers? There are cases such as reporting and Access with SQL backend and some other bespoke applications that may not fit this assumption.

1

u/circularjourney 1d ago

How about just using nftables in the DB VMs or on the VM host? The config is probably simple and universal among all the DB VMs. Sending logs off to a syslog server is easy too.

Doing this could negate the need for segmentation in the first place.

1
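As an added illustration of the host-based approach suggested in this comment and in u/mkosmo's HIPS/host-firewall comment above (example code, not something posted in the thread): a small shell function that generates a per-VM nftables ruleset for a database host, admitting the database port only from the application-server subnet, SSH only from a management subnet, and logging everything else with a fixed prefix so rsyslog/journald can ship the drops to a central syslog server. The port and subnets (5432, 10.10.20.0/24, 10.10.99.0/24) are constructed placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Generates an nftables ruleset for one DB VM.
# Assumed (constructed) defaults: PostgreSQL on TCP 5432, app servers in
# 10.10.20.0/24, admin SSH from 10.10.99.0/24.
# Apply with:
#   gen_db_ruleset > /etc/nftables.conf && nft -c -f /etc/nftables.conf && nft -f /etc/nftables.conf

gen_db_ruleset() {
    db_port="${1:-5432}"
    app_net="${2:-10.10.20.0/24}"
    mgmt_net="${3:-10.10.99.0/24}"
    cat <<EOF
flush ruleset
table inet dbhost {
    chain input {
        type filter hook input priority 0; policy drop;
        # keep established sessions and loopback working
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        # ICMP/ICMPv6 so path-MTU discovery and neighbour discovery keep working
        meta l4proto { icmp, ipv6-icmp } accept
        # only the application-server subnet may reach the database port
        ip saddr $app_net tcp dport $db_port accept
        # SSH only from the management subnet
        ip saddr $mgmt_net tcp dport 22 accept
        # everything else: log (rate limited) with a fixed prefix, then drop;
        # forward "db-drop:" kernel log lines to the central syslog server
        limit rate 10/minute log prefix "db-drop: " level info
        drop
    }
    chain forward {
        # a DB VM never routes for anyone else
        type filter hook forward priority 0; policy drop;
    }
}
EOF
}

# Sanity check for config review: number of explicit accept rules in the ruleset.
count_accept_rules() {
    gen_db_ruleset "$@" | grep -c ' accept$'
}
```

Because every DB VM gets the same file with only the subnet values changed, the ruleset can be templated and pushed by whatever config management is already in use.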

u/Specialist_Guard_330 1d ago

Just get a fortigate and call it a day