Re: VM system for firewall use

[Christopher Hicks <chicks () chicks net>]

On Tue, 12 Oct 2004, Paul D. Robertson wrote:
> there's something to be said for putting in as much protection as possible

If they're trying to produce a product then overkill shouldn't be an 
option.

To me the only missing piece in the jail/MAC solution is something that 
would analyze the communications between compartments for validity.  I'm 
not aware of any such thing in the FOSS world, so if you know of such a 
beast let me know.  :)

VM's are great (and I use vmware for development and its paid for itself 
many times over) and we're looking at using a VM solution in a "shared 
dedicated server" offering as many others have done.  But thinking a VM is 
a security solution is the eqiuvalent of an etherswitch being a security 
solution.  People have often put in switches where they were too lazy to 
clean up the plaintext passwords going across the network when they should 
have been encrypting the data as a higher priority than the etherswitch. 
I think that analogy works here too.  VM's are neat and they may provide 
some additional protection to jail/MAC, but I have difficulty seeing how 
the jail/MAC shouldn't come long before the VM.  And as Paul said since 
you lose MAC across VM's you may in fact be making it less secure.

--
</chris>

Westheimer's Discovery:
  "A coupla months in the laboratory can save a coupla hours in the library."
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards