I currently use IPCop for our corporate firewall & VPN. I am looking to consolidate a number of servers, and am considering including the firewall server in the consolidation. I currently plan on using Server 2008 with Hyper-V for the virtualization. Has anyone out there tried virtualizing IPCop? Is there anything that I should be aware of? In particular, IPCop has somewhat limited hardware support for NICs - what hardware will the VM see for the network card?
Generally, I would advise against virtualising your firewall. It's another place for insecurity to happen. Web filter, VPN concentrator, yes - perimeter fw, no.
I would say, though, if you are going to do it, it will probably work. I work for SmoothWall (our GPL firewall was IPCop's granddaddy) and we have Hyper-V'd some of our web filter products OK.
Last I looked, however, you were limited to one processor core under Linux - so if high performance is required that may be an issue - though one core should be more than enough for a simple firewall job.
I have used several IPCop VMs on Hyper-V for the last year in production. They work generally OK for low-throughput use.
I have experienced the following issues:
I've not found a better solution for a Hyper-V virtualised firewall. Endian Firewall seems to display an even more pronounced throughput restriction (as low as 5Mbps on the same hardware / VM setup as above). Suggestions for a better solution would be very welcome!
I strongly recommend that the firewall box not be shared with other systems.
That said, I do virtualize my firewall. 1 VM in 1 Physical Box using XenServer. My reason to do that: snapshot ability, and real quick restore (grab another box, install XenServer, import .xva)