Re: [fw-wiz] VM system for firewall use

From: Christopher Hicks (
Date: 10/12/04

  • Next message: Marcus J. Ranum: "Re: [fw-wiz] VM system for firewall use"
    To: Firewall Wizards Mailing List <>, "Paul D. Robertson" <>
    Date: Tue, 12 Oct 2004 12:13:35 -0400 (EDT)

    On Tue, 12 Oct 2004, Paul D. Robertson wrote:
    > there's something to be said for putting in as much protection as possible

    If they're trying to produce a product then overkill shouldn't be an

    To me the only missing piece in the jail/MAC solution is something that
    would analyze the communications between compartments for validity. I'm
    not aware of any such thing in the FOSS world, so if you know of such a
    beast let me know. :)

    VMs are great (and I use VMware for development and it's paid for itself
    many times over) and we're looking at using a VM solution in a "shared
    dedicated server" offering as many others have done. But thinking a VM is
    a security solution is the equivalent of an etherswitch being a security
    solution. People have often put in switches where they were too lazy to
    clean up the plaintext passwords going across the network when they should
    have been encrypting the data as a higher priority than the etherswitch.
    I think that analogy works here too. VMs are neat and they may provide
    some additional protection to jail/MAC, but I have difficulty seeing how
    the jail/MAC shouldn't come long before the VM. And as Paul said, since
    you lose MAC across VMs you may in fact be making it less secure.

    Westheimer's Discovery:
       "A coupla months in the laboratory can save a coupla hours in the library."
    firewall-wizards mailing list
