List:       firewall-wizards
Subject:    Re: [fw-wiz] VM system for firewall use
From:       Christopher Hicks <chicks () chicks ! net>
Date:       2004-10-12 16:13:35
Message-ID: Pine.LNX.4.60.0410121205110.5021 () skippy ! fini ! net

On Tue, 12 Oct 2004, Paul D. Robertson wrote:
> there's something to be said for putting in as much protection as possible

If they're trying to produce a product then overkill shouldn't be an 
option.

To me the only missing piece in the jail/MAC solution is something that 
would analyze the communications between compartments for validity.  I'm 
not aware of any such thing in the FOSS world, so if you know of such a 
beast let me know.  :)

VMs are great (and I use vmware for development and it's paid for itself 
many times over) and we're looking at using a VM solution in a "shared 
dedicated server" offering as many others have done.  But thinking a VM is 
a security solution is the equivalent of an etherswitch being a security 
solution.  People have often put in switches where they were too lazy to 
clean up the plaintext passwords going across the network when they should 
have been encrypting the data as a higher priority than the etherswitch. 
I think that analogy works here too.  VMs are neat and they may provide 
some additional protection to jail/MAC, but I have difficulty seeing how 
the jail/MAC shouldn't come long before the VM.  And as Paul said, since 
you lose MAC across VMs, you may in fact be making it less secure.

-- 
</chris>

Westheimer's Discovery:
   "A coupla months in the laboratory can save a coupla hours in the library."