
List:       ipfilter
Subject:    Re: IPFilte 5.1.0 RC1
From:       Darren Reed <darrenr () reed ! wattle ! id ! au>
Date:       2009-07-27 7:39:10
Message-ID: 8438_1248680731_4A6D5B1B_8438_3534_1_4A6D599E.8070101 () reed ! wattle ! id ! au

Blaster wrote:
| Darren Reed wrote:
|> FWIW, this version is zone-friendly for Solaris/OpenSolaris,
|> unlike 4.1.* is.
|
| I have several installations where I have done a two level firewall
| arrangement using Ipfilter where an external facing host runs a web
| server/FTP/mail/NAT, etc.  Connected via crossover to another host
| running Ipfilter that functions as the internal mail/DNS/Web/NFS/CIFS
| server, etc.
| With the cost of computing power going down, and electricity going up,
| it would be nice to put these two layers of security on to one system.
| My original thought was to run the external host in an xVM
| environment.  I would think this would provide the most separation
| possible on a single box.  But I am also wondering if a zone would
| provide the same isolation?  This would save the overhead of running xVM
| and maintaining two separate copies of an OS (which of course has
| advantages as well).
|
| So, how do others feel about the isolation of zones in OpenSolaris?
| Are they strong enough?  If I were to dedicate an interface to a zone to
| communicate with the big Internet, could I use Ipfilter to firewall that,
| then use Ipfilter again to isolate between a local and a global zone?

Yes, you can do that with OpenSolaris - or Solaris Express (SXCE) [if it 
installs for you...]

You can't do this with Solaris 10.

What you need to do, in this case, is create an etherstub and "attach" a 
vnic from your internet zone to it and a vnic from your global zone to 
it. Your internet zone then becomes your router and the etherstub acts 
as a virtual switch.

The benefit, w.r.t. Xen, is that there's no virtualised I/O, not even 
paravirtualised.

It's not just the security of the system that you need to weigh up, but 
also your DR solution (if appropriate): if your firewall crashes, so 
does everything else, and vice versa.

Darren
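As an added example (not part of Darren's message or of the IPFilter project), here is a dry-run sketch of the etherstub/vnic layout described in the reply: one exclusive-IP zone holding the Internet-facing vnic and an inside vnic on the etherstub, the global zone holding its own vnic on the same etherstub, and IPFilter running inside the zone on both legs. The physical NIC name, zone name, zonepath, the 192.0.2.2 address and the rule set are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Names below are assumptions:
#   e1000g0  - physical NIC facing the Internet
#   inetzone - exclusive-IP zone that runs IPFilter and acts as the router
#   stub0    - etherstub acting as the virtual switch
set -e

PHYS_NIC=${PHYS_NIC:-e1000g0}
ZONE=${ZONE:-inetzone}
STUB=${STUB:-stub0}
DRY_RUN=${DRY_RUN:-1}   # 1 = only print the commands, 0 = execute them as root

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Datalinks: vnic0 is the zone's Internet leg (over the physical NIC),
# vnic1 is the zone's inside leg on the etherstub, vnic2 is the global
# zone's leg on the same etherstub.
build_links() {
    run dladm create-etherstub "$STUB"
    run dladm create-vnic -l "$PHYS_NIC" vnic0
    run dladm create-vnic -l "$STUB" vnic1
    run dladm create-vnic -l "$STUB" vnic2
}

# The zone gets its own IP stack (ip-type=exclusive) so IPFilter can be
# loaded inside it and filter both of its vnics independently.
configure_zone() {
    run zonecfg -z "$ZONE" "create; set zonepath=/zones/$ZONE; \
set ip-type=exclusive; add net; set physical=vnic0; end; \
add net; set physical=vnic1; end"
}

# ipf.conf for the zone: default deny, vnic0 is untrusted, vnic1 faces the
# global zone. 192.0.2.2 is a constructed placeholder for the global zone's
# address on vnic2 (internal mail and DNS in Blaster's setup).
ipf_rules() {
    cat <<'EOF'
block in log all
block out log all
pass out quick on vnic0 proto tcp from any to any flags S keep state
pass in quick on vnic0 proto tcp from any to any port = 80 flags S keep state
pass in quick on vnic0 proto tcp from any to any port = 25 flags S keep state
pass out quick on vnic1 proto tcp from any to 192.0.2.2 port = 25 flags S keep state
pass out quick on vnic1 proto udp from any to 192.0.2.2 port = 53 keep state
EOF
}

build_links
configure_zone
ipf_rules
```

Run with DRY_RUN=0 on the OpenSolaris host to actually create the links and the zone; the rule set still has to be copied into the zone's /etc/ipf/ipf.conf and loaded with ipf there.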
