
What is the best Vmware firewall?

Issom

I have a physical HA Sonicwall pair so the Edge firewall is already taken care of.

What VM firewall can I use between my web server DMZ and internal private servers? 

I was trying to move toward a three-tier network architecture with a VM firewall to separate the private network from the DMZ.

Here is an example.

Cloud > Edge Firewall (physical) > DMZ Web servers > VM Firewall > Private network

 

Thanks for the help

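As an added illustration of the three-tier layout in the post above (this is not code from the thread or from any firewall vendor; the zone subnets, the database host 10.20.0.10 and the ports are assumptions), the following models the policy the VM firewall between the DMZ and the private network would enforce. The point of the second tier is that a compromised web server can open exactly one thing into the private network, and the `exposure` function makes that blast radius explicit.

```python
"""Zone policy for a VM firewall sitting between the DMZ and the private network.

Added example, not from the original thread. Subnets, hosts and ports are
assumed for illustration only.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ZONES = {
    "dmz": ip_network("10.10.0.0/24"),      # assumed DMZ web-server subnet
    "private": ip_network("10.20.0.0/24"),  # assumed private server subnet
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str                 # "tcp", "udp" or "any"
    dst_ports: frozenset       # empty = any port
    action: str                # "allow" or "deny"
    dst_hosts: frozenset = frozenset()   # empty = any host in dst_zone


# First match wins; anything that matches nothing hits the default deny.
POLICY = [
    # The web tier may reach only the database listener on the assumed DB host.
    Rule("dmz", "private", "tcp", frozenset({3306}), "allow", frozenset({"10.20.0.10"})),
    # Everything else from the DMZ into the private network is dropped.
    Rule("dmz", "private", "any", frozenset(), "deny"),
    # Admins on the private side may manage the web servers.
    Rule("private", "dmz", "tcp", frozenset({22, 443}), "allow"),
]


def zone_of(addr):
    """Return the zone name an address belongs to, or None if it is in neither."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def evaluate(src, dst, proto, dport):
    """Decide a new connection attempt: returns (action, reason)."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz is None or dz is None:
        return "deny", "unknown zone"
    if sz == dz:
        # Traffic inside one zone never crosses this firewall; PVLANs or
        # host firewalls have to cover that case.
        return "allow", "intra-zone, not routed through this firewall"
    for i, r in enumerate(POLICY):
        if r.src_zone != sz or r.dst_zone != dz:
            continue
        if r.proto != "any" and r.proto != proto:
            continue
        if r.dst_ports and dport not in r.dst_ports:
            continue
        if r.dst_hosts and dst not in r.dst_hosts:
            continue
        return r.action, f"rule {i}"
    return "deny", "default deny"


def exposure(src_zone):
    """Everything a host in src_zone is permitted to open, as (dst, proto, port).

    Reads the allow rules directly, so it does not account for an allow
    shadowed by an earlier deny; ordering in POLICY above avoids that.
    """
    out = set()
    for r in POLICY:
        if r.src_zone != src_zone or r.action != "allow":
            continue
        hosts = r.dst_hosts or {f"any host in {r.dst_zone}"}
        ports = r.dst_ports or {"any"}
        for h in hosts:
            for p in ports:
                out.add((h, r.proto, p))
    return out


if __name__ == "__main__":
    print(evaluate("10.10.0.5", "10.20.0.10", "tcp", 3306))
    print(evaluate("10.10.0.5", "10.20.0.10", "tcp", 22))
    print("a compromised DMZ host can reach:", exposure("dmz"))
```

Running it shows the web server reaching the database port and nothing else; a second firewall only buys something if its rules are actually this narrow, which is why the reply about complexity and misconfiguration below matters.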

That is a good idea but I was looking at it like if someone was attacking my network and compromised the edge firewall I wanted a second firewall to slow them down further. 


1 minute ago, Issom said:

That is a good idea but I was looking at it like if someone was attacking my network and compromised the edge firewall I wanted a second firewall to slow them down further. 

True, but that is actually rather unlikely; hardware failure and misconfiguration are more common, and extra complexity increases the likelihood of them. Also, if someone does manage to actually break through the firewall using a flaw, then the second one would have to be of a different brand to actually stop them, else they'll break through that one the same way.

Most firewall vendors have virtual firewall appliances; it would be simpler to name the ones that don't, and I don't know of any. It all comes down to cost really: are you prepared to pay for more firewalls?

Also have a look at implementing private VLANs, as that can give much better security than a firewall alone can.


I would instead put an IDS/IPS box/VM in place for that very reason. Or use a network monitoring solution to send you alerts based on xyz rules. Otherwise you're just creating hurdles for somebody who is probably going to be compromising your firewall undetected anyway. What's one more firewall at that point?

VLAN + IPS/IDS + NMS would be a very solid solution. Nothing wrong with the onion approach, but if you never see them or detect them, what's the point? Nothing is bulletproof, just time consuming.

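The reply above argues that a second hurdle is only worth having if you see someone trip over it. As an added example (not code from the thread or from any product), here is the kind of rule an NMS or a small log watcher would run over the internal firewall's connection log. The log format, the subnets and the sample lines are all constructed for the illustration; the logic flags every denied DMZ-to-private attempt and separately raises a scan alert when one DMZ source touches many private targets in a short window.

```python
"""Alerting over the internal firewall's connection log.

Added example, not from the original thread. The syslog-style line format,
the subnets and the sample log below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

DMZ = ip_network("10.10.0.0/24")        # assumed DMZ subnet
PRIVATE = ip_network("10.20.0.0/24")    # assumed private subnet
SCAN_THRESHOLD = 5                      # distinct (host, port) targets ...
SCAN_WINDOW = timedelta(seconds=60)     # ... within this window = lateral scan

# Constructed log line format: "<ts> <fw> <ALLOW|DENY> <proto> <src>:<sport> -> <dst>:<dport>"
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) (?P<action>ALLOW|DENY) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: a healthy web->DB flow, an admin session, then one web
# server probing SSH/SMB/RDP across the private subnet, then a stray DNS query.
SAMPLE_LOG = """
2016-12-16T07:58:01Z fw01 ALLOW tcp 10.10.0.5:51234 -> 10.20.0.10:3306
2016-12-16T07:58:02Z fw01 ALLOW tcp 10.20.0.50:40000 -> 10.10.0.5:443
2016-12-16T07:58:05Z fw01 DENY tcp 10.10.0.6:41000 -> 10.20.0.10:22
2016-12-16T07:58:06Z fw01 DENY tcp 10.10.0.6:41001 -> 10.20.0.10:445
2016-12-16T07:58:07Z fw01 DENY tcp 10.10.0.6:41002 -> 10.20.0.11:22
2016-12-16T07:58:08Z fw01 DENY tcp 10.10.0.6:41003 -> 10.20.0.11:445
2016-12-16T07:58:09Z fw01 DENY tcp 10.10.0.6:41004 -> 10.20.0.12:3389
2016-12-16T07:59:30Z fw01 DENY udp 10.10.0.5:5353 -> 10.20.0.1:53
this line is malformed and must be skipped, not crash the watcher
"""


def parse(line):
    """Parse one log line into a dict, or return None for lines we cannot read."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["dport"] = int(ev["dport"])
    return ev


def analyse(lines):
    """Return alerts as (kind, source, detail) tuples, in the order they fire."""
    alerts = []
    history = defaultdict(list)   # src -> [(ts, dst, dport)] within SCAN_WINDOW
    scan_flagged = set()          # one scan alert per source, not one per line
    for raw in lines:
        ev = parse(raw)
        if ev is None:
            continue
        if not (ip_address(ev["src"]) in DMZ and ip_address(ev["dst"]) in PRIVATE):
            continue   # only DMZ -> private crossings are interesting here
        if ev["action"] == "DENY":
            # A web server should never need anything the policy denies.
            alerts.append(("dmz_to_private_denied", ev["src"], f"{ev['dst']}:{ev['dport']}"))
        recent = [h for h in history[ev["src"]] if ev["ts"] - h[0] <= SCAN_WINDOW]
        recent.append((ev["ts"], ev["dst"], ev["dport"]))
        history[ev["src"]] = recent
        targets = {(dst, dport) for _, dst, dport in recent}
        if len(targets) >= SCAN_THRESHOLD and ev["src"] not in scan_flagged:
            scan_flagged.add(ev["src"])
            alerts.append(("lateral_scan", ev["src"],
                           f"{len(targets)} targets in {SCAN_WINDOW.seconds}s"))
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG.strip().splitlines()):
        print(alert)
```

Denied and allowed attempts both count toward the scan window, because an attacker who has found the one permitted port still produces allowed flows; the deny alert and the scan alert answer different questions (did something forbidden happen, and is one host sweeping the private tier).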

pfSense is the "go to" router/firewall. You can even add Snort for some IDS.


NSX.

 

you can't afford it, but that's the solution...

 

or you hairpin all of your traffic from those VMs out through their own vSwitch to the SonicWall (which is garbage by the way... have a look into Palo Alto or Fortinet)

ESXi SysAdmin

I have more cores/threads than you...and I use them all


52 minutes ago, Sunshine1868 said:

NSX.

 

you can't afford it, but that's the solution...

 

or you hairpin all of your traffic from those VMs out through their own vSwitch to the SonicWall (which is garbage by the way... have a look into Palo Alto or Fortinet)

PVLANs can also do a very good job of adding extra network-level isolation, but that requires a vSphere license and a distributed vSwitch (DVS) if using ESXi. Windows Server 2016 also has inbuilt SDN features, VXLAN etc., but I've only lightly tried it out using Azure Stack, and that does all the setup itself, so I may as well say I haven't used it.

You can set things like domain controllers to community PVLANs so all servers can talk to them, but for other VMs only allow traffic between the ones that are part of the same service and actually need network access to them.

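As an added example of the PVLAN forwarding rules the post above relies on (this is an illustration, not code from the thread or from VMware; the VLAN numbers, VM names and port-group assignments are assumptions), the following models one primary VLAN with a promiscuous, an isolated and two community secondaries. Under standard PVLAN semantics a promiscuous port reaches every port, a community port reaches its own community plus promiscuous ports, and an isolated port reaches only promiscuous ports; vSphere's DVS uses the primary VLAN ID as the promiscuous secondary ID. Services every VM must reach, such as the gateway and shared infrastructure, therefore belong on the promiscuous port group, and that is also where hardening effort has to go, since isolation gives them nothing.

```python
"""Reachability under private VLAN (PVLAN) forwarding rules.

Added example, not from the original thread. VLAN IDs, VM names and port
groups are assumptions used for illustration only.
"""
from enum import Enum


class PvlanType(Enum):
    PROMISCUOUS = "promiscuous"
    ISOLATED = "isolated"
    COMMUNITY = "community"


PRIMARY_VLAN = 100   # assumed primary VLAN of the private server segment

# Secondary VLAN id -> type. vSphere maps the promiscuous secondary onto the
# primary VLAN id itself; the other ids here are assumed.
SECONDARY = {
    100: PvlanType.PROMISCUOUS,   # gateway / firewall and shared services
    101: PvlanType.ISOLATED,      # one-off hosts that only need the gateway
    110: PvlanType.COMMUNITY,     # assumed: tiers of service A
    120: PvlanType.COMMUNITY,     # assumed: tiers of service B
}

# Secondary VLAN (port group) each VM's vNIC is attached to.
VMS = {
    "fw-internal": 100, "dc01": 100, "dc02": 100,
    "svcA-web": 110, "svcA-app": 110,
    "svcB-web": 120,
    "kiosk-vm": 101, "legacy-box": 101,
}


def can_talk(a, b):
    """True if a frame from VM a may be forwarded to VM b on this PVLAN.

    The rule is symmetric: if a can reach b, b can reach a.
    """
    if a == b:
        return True
    va, vb = VMS[a], VMS[b]
    ta, tb = SECONDARY[va], SECONDARY[vb]
    if PvlanType.PROMISCUOUS in (ta, tb):
        return True                  # promiscuous ports talk to everything
    if ta == PvlanType.COMMUNITY and tb == PvlanType.COMMUNITY and va == vb:
        return True                  # same community
    # isolated<->anything non-promiscuous, and community<->other community
    return False


def reachable(vm):
    """Sorted list of other VMs that vm can exchange frames with."""
    return sorted(other for other in VMS if other != vm and can_talk(vm, other))


def isolation_matrix():
    """Full reachability table, handy for reviewing a port-group layout."""
    return {vm: reachable(vm) for vm in VMS}


if __name__ == "__main__":
    for vm, peers in isolation_matrix().items():
        print(f"{vm:12} -> {', '.join(peers)}")
```

Two things the table makes obvious: members of one community still reach each other without any filtering, so the VM firewall or host firewalls remain responsible for what happens inside a service, and the promiscuous hosts are reachable from every isolated and community VM, which is exactly the exposure the earlier firewall-rule discussion has to cover.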

I'm just going to assume that since he's talking about this in the LTT forum and not his hypervisor/SonicWall forum/support, he doesn't have the money for NSX or any other vSphere licensing, let alone XenServer XAXD licensing or Hyper-V enterprise licensing hahaha


Thanks for all the recommendations. I don't want to get too complicated as I have to manage whatever we decide to go with. Sophos and pfSense look like decent starting points.


On 12/16/2016 at 7:58 AM, Issom said:

Thanks for all the recommendations. I don't want to get too complicated as I have to manage whatever we decide to go with. Sophos and pfSense look like decent starting points.

I'd go Sophos UTM - it's L7 (unlike pfSense) and I've had some bad experiences with pfSense as an enterprise solution (I'm assuming you're an enterprise considering you're running ESXi and a SonicWall)


On 12/15/2016 at 11:47 PM, Altecice said:

pfSense is the "go to" router/firewall. You can even add Snort for some IDS.

If by "go to" you mean for personal use and small businesses. I'd even go so far as to say Dell SonicWall (or insert brand name's equivalent) is the de facto.

Why? Because when there are 3 of you and there are 100+ sites, when it breaks you call Dell and they sort that shit out. When the machine pfSense runs on breaks, while it is a relatively simple fix (repair/replace, reimage, reconfigure, or even restore a backup to a new system), that is still far too much work to do during a potential outage (yes, you should have some sort of EIGRP deployed to make use of redundant links, but management won't always approve the budget), especially considering you are already overworked.

To be honest this may have changed, I'd assume it has; the last time I looked at pfSense in any detail was 2007 and they didn't even support OSPF back then (seriously, RIPv2 only; who has time to manage a network like that?).


@Blake is right - Support is 99% of the reason enterprise/businesses don't build their own machines/solutions. It is a better investment than building your own and hoping it doesn't crash.


17 hours ago, Blake said:

If by "go to" you mean for personal use and small businesses. I'd even go so far as to say Dell SonicWall (or insert brand name's equivalent) is the de facto.

Why? Because when there are 3 of you and there are 100+ sites, when it breaks you call Dell and they sort that shit out. When the machine pfSense runs on breaks, while it is a relatively simple fix (repair/replace, reimage, reconfigure, or even restore a backup to a new system), that is still far too much work to do during a potential outage (yes, you should have some sort of EIGRP deployed to make use of redundant links, but management won't always approve the budget), especially considering you are already overworked.

To be honest this may have changed, I'd assume it has; the last time I looked at pfSense in any detail was 2007 and they didn't even support OSPF back then (seriously, RIPv2 only; who has time to manage a network like that?).

Try to go with OSPF and skip the legacy routing :D
