Firewall Wizards mailing list archives

Re: Virtualization and firewalling?


From: "Paul D. Robertson" <paul () compuwar net>
Date: Thu, 22 Mar 2007 16:20:21 -0500 (EST)

On Thu, 22 Mar 2007, Carric Dooley wrote:

> The only firewall virtualization I have seen is VSX, Crossbeam, and
> Shasta, but I don't know of any host-based solution per se.  Is there some
> issue I'm missing (since I have not tried this myself) installing some
> centrally managed host-based FW/IPS on VMs?

Well, first of all, with the machine to machine failover VM environments, 
you can start to do interesting things with firewalling on the hosting OS 
versus at a chokepoint in the network (so you get internal firewalling for 
free, for instance.)  But more interestingly you actually start to get 
pseudo-out-of-band inspection and protection and with KVM, the ability to 
add hosting OS tagging for compartments or layers.  

Unless you really bozo the code, you're essentially able to move filtering 
into the reference monitor layer and start to do really interesting MAC 
stuff in a "central" location.  If you're a NIDS kind of folk, you can do 
all that NOOP sled detection on a commodity platform without adding new 
hardware to your network and the same with firewalling- after all, if the 
hosting OS isn't up you've got bigger problems.  

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
             http://www.fluiditgroup.com/blog/pdr/
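One concrete form of the "NIDS on the hosting OS" idea in Paul's reply is a sled check run over VM traffic the hypervisor can already see. The following is an added illustration, not code from the thread or from any of the products named in it. It assumes the host captures the payloads of frames crossing its VM bridge (the `(vm, payload)` tuples below are constructed), uses a Snort-style list of x86 single-byte NOP-equivalents, and treats a run of 14 or more such bytes as a sled; both the opcode set and the threshold are assumptions chosen for the example.

```python
"""Host-side NOP-sled detector over VM frames (illustrative, constructed input)."""
from collections import namedtuple

# x86 single-byte instructions commonly used as NOP-equivalents in a sled:
# 0x90 (nop) plus 0x41-0x4f (inc/dec reg on 32-bit x86).  Assumed set for
# this example; real IDS rulesets carry longer, architecture-specific lists.
NOP_EQUIVALENTS = frozenset([0x90] + list(range(0x41, 0x50)))

# Minimum run length that raises an alert.  Assumption: the classic Snort
# "x86 NOOP" content rule matched 14 consecutive 0x90 bytes.
SLED_THRESHOLD = 14

Alert = namedtuple("Alert", "vm offset length")


def longest_nop_run(payload):
    """Return (offset, length) of the longest run of NOP-equivalent bytes.

    Returns (0, 0) for an empty payload or one with no such bytes.
    """
    best_off, best_len = 0, 0
    cur_off, cur_len = 0, 0
    for i, byte in enumerate(payload):
        if byte in NOP_EQUIVALENTS:
            if cur_len == 0:
                cur_off = i          # a new run starts here
            cur_len += 1
            if cur_len > best_len:
                best_off, best_len = cur_off, cur_len
        else:
            cur_len = 0              # run broken by a non-NOP byte
    return best_off, best_len


def inspect_frames(frames, threshold=SLED_THRESHOLD):
    """Scan (vm_name, payload) pairs and return an Alert per suspicious frame."""
    alerts = []
    for vm, payload in frames:
        offset, length = longest_nop_run(payload)
        if length >= threshold:
            alerts.append(Alert(vm, offset, length))
    return alerts


# Constructed sample frames standing in for what the host's bridge would show.
SAMPLE_FRAMES = [
    # Ordinary HTTP request: short incidental runs ("GE", "H") only.
    ("web01", b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    # 32-byte 0x90 sled after a two-byte header (constructed, no payload).
    ("db01", b"\x00\x01" + b"\x90" * 32 + b"\xcc\xcc"),
    # 40 ASCII 'A's: 0x41 is a NOP-equivalent, so plain padding alerts too.
    ("app02", b"user=" + b"A" * 40),
]


if __name__ == "__main__":
    for alert in inspect_frames(SAMPLE_FRAMES):
        print(f"{alert.vm}: NOP-equivalent run of {alert.length} bytes "
              f"at offset {alert.offset}")
```

Running it flags `db01` (run of 32 at offset 2) and `app02` (run of 40 at offset 5), while `web01` passes. The `app02` hit is the caveat worth keeping in view: because uppercase ASCII letters double as x86 NOP-equivalents, a byte-run check alone will alert on long runs of padding in legitimate text, so a host-side detector like this should be paired with protocol context (which VM, which port, whether the stream is expected to carry binary) before it is allowed to drop traffic.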
