I would like to use a LXD container as firewall for my (mostly virtual) network.
I have a very simple setup:
- a LXD server running several containers; relevant ones are:
- a firewall sporting three independent zones (RED, ORANGE and GREEN)
- a web server that should bereachable from the Internet (on ORANGE)
- TWO modem-routers I need to use for redundancy (failover) (on RED)
- an internal LAN with hosts that need to be able to reach both Internet and web server
- LXD server has two physical NICs I plan to use for RED and GREEN.
Rough diagram is as follows:
*****INTERNET*****
| |
ModemA ModemB
(192.168.6.1) (192.168.6.2)
| |
RED (192.168.6.0/24) =====================
|
/----------------------------------------+-------------------------------------------\
| LXD server | eth0 |
| (192.168.6.3) eth1 |
| +--------EFW(LXD container)----------------------------+------------+
| (192.168.8.1) (192.168.7.1) | |
| | | |
| ORANGE (192.168.8.0/24) ===== | ===================== GREEN (12.168.7.0/24)
| | | | | | |
| Server(LXD container) | PC1 PC2 PC3 WiFi-A.P.
| |
\------------------------------------------------------------------------------------/
I have several questions about this:
- I know “standard advice” is to put the Internet Firewall on a dedicated machine
with all LAN segments physically separated, OTOH I don’t really need Corporate-grade security;
how much am I at risk with such a setup?
- In general ORANGE should never leave LXD server.
- No LXD container should access either RED or GREEN directly (besides Firewall, of course).
- What is “best practice” in this case?
- Is it something somehow seen or am I plain crazy?
Thanks for any comment
Mauro
Not a complete expert in network security but I’d say that yes, having a dedicated machine for the Internet Firewall and physically separated LAN segments is the recommended approach for corporate-grade security. But as you say, you don’t need that.
So in your case, I think that using a LXD container as a firewall can still provide a good level of security for your network if you do the following:
- Try to use separate physical NICs for each network zone (RED, ORANGE, GREEN) to prevent any potential cross-contamination.
- Apply firewall rules to restrict traffic between zones and only allow necessary traffic.
- Keep the firewall container up-to-date with security patches and updates.
- Limit the access to the firewall container itself to authorized users only.
Now, regarding your specific setup, using two modem-routers for redundancy/failover on the RED zone can provide some level of redundancy, but it’s important to ensure that they are properly configured and secured to prevent any potential vulnerabilities from being exploited. What were your initial thoughts on configuring this ?
Also, in terms of risk, it is hard to say. It depends on various factors such as the type of traffic on your network and the sensitivity of the data being transmitted.
Overall, you are correct that in general, it is best practice to isolate the ORANGE zone within the LXD server and not allow any other containers to access RED or GREEN directly. To ensure proper isolation, you can configure the firewall container to only allow necessary traffic between zones, and block all other traffic. You can also use LXD’s network configuration options to control which containers have access to which NICs, and use VLANs or other segmentation techniques to further limit access. As a side note, if you have spare time and energy, you can implement other security measures such as intrusion detection and prevention systems (I’ve heard that Suricata is doing a decent job for that matter), packet filtering, and network monitoring to detect and prevent potential attacks.
I don’t know if I answered you question properly. @tomp do you have any inputs on that ?
Thanks gabrielmougard,
to clarify (following bullets):
- I plan to have separate physical NICs for RED and GREEN,
ORANGE will not have any physical NIC as it will reside entirely within LXD server.
- I plan to install a ready-made “Firewall Distribution” in a LXD VM;
I am currently evaluating:
- Endian FireWall: simpler, choice if it proves able to handle failover.
- OPNsense: much more complex, can surely do what I need but could be oversized.
AFAIK both include intrusion detection and prevention.
- I assume whatever distribution I chose it will have proper security fix handling.
- Currently this is easy as I’m the only person authorized
I plan to access FW only fro GREEN and enforcing certificate checking.
As for the modem-routers:
- I have limited choices there because they are provided by my ISPs.
- I plan to disable all “high level” functionality on both modems.
- ModemA has dynamic IP (mostly stable, but it can change and is “not routable”;
I plan to use it for outgoing traffic originated from GREEN (uplink)
- ModemB has fixed and routable IP, so I need to use it to access my server(s);
plan is to redirect all ports to firewall and use it for “reverse proxy”.
- in case of failover only outgoing traffic can be recovered (if ModemA fails),
Incoming traffic could be crippled if ModemB fails as I haven’t a second fixed IP.
In case of long-lasting problems I can think about using DynDNS or eqivalent,
but that’s not a priority ATM.
I don’t see reason to further section network using VLANs, but I will consider
advice on the matter.
Many thanks
Mauro
1 Like