Re: [fw-wiz] AIX LPAR security
From: Paul D. Robertson (paul_at_compuwar.net)
Date: 05/25/04
- Previous message: John Kougoulos: "Re: [fw-wiz] Prohibiting SSL VPNs"
- In reply to: hermit921: "[fw-wiz] AIX LPAR security"
- Next in thread: Devdas Bhagat: "Re: [fw-wiz] Worms, Air Gaps and Responsibility"
To: hermit921 <hermit921@yahoo.com>
Date: Tue, 25 May 2004 11:08:24 -0400 (EDT)

On Mon, 24 May 2004, hermit921 wrote:
> I have been asked about the advisability of putting some AIX LPARs outside
> the firewall and some inside the firewall, with all LPARs on the same
> hardware. The LPARs are virtual machines with dedicated RAM, CPUs, disk,
> etc. but I don't know how complete the separation really is. Is there a
> known reason to not split LPARs across the firewall?

Depends on how much you "trust" the virtuality. It also depends somewhat
on what your threat profile is: if you expect well-funded, technically
competent attackers, then I'd err on the side of physical separation. It
also may be preferable to put them all outside, but in two distinct zones,
depending on what's on each set and what needs access to it.

Breaking out of VMs is starting to become "interesting" to at least the
high-end malcode attacker set, since x86 VMs tend to be where malcode is
analyzed. I think that both VMware and Virtual PC have had to do security
patches. That doesn't translate directly to the AIX implementation, but
it does speak to the community starting to understand and find weaknesses
in such systems.

Without real info, it's difficult to do a complete risk assessment. But
for security, physical separation always wins, and for cost, virtual
security always wins. You'll have to decide where you want things
balanced.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."
probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards