Re: [fw-wiz] VM system for firewall use

From: Christopher Hicks (
Date: 10/12/04

  • Next message: Marcus J. Ranum: "Re: [fw-wiz] VM system for firewall use"
    To: Firewall Wizards Mailing List <>, "Paul D. Robertson" <>
    Date: Tue, 12 Oct 2004 12:13:35 -0400 (EDT)

    On Tue, 12 Oct 2004, Paul D. Robertson wrote:
    > there's something to be said for putting in as much protection as possible

    If they're trying to produce a product then overkill shouldn't be an

    To me the only missing piece in the jail/MAC solution is something that
    would analyze the communications between compartments for validity. I'm
    not aware of any such thing in the FOSS world, so if you know of such a
    beast let me know. :)

    VM's are great (and I use vmware for development and its paid for itself
    many times over) and we're looking at using a VM solution in a "shared
    dedicated server" offering as many others have done. But thinking a VM is
    a security solution is the eqiuvalent of an etherswitch being a security
    solution. People have often put in switches where they were too lazy to
    clean up the plaintext passwords going across the network when they should
    have been encrypting the data as a higher priority than the etherswitch.
    I think that analogy works here too. VM's are neat and they may provide
    some additional protection to jail/MAC, but I have difficulty seeing how
    the jail/MAC shouldn't come long before the VM. And as Paul said since
    you lose MAC across VM's you may in fact be making it less secure.

    Westheimer's Discovery:
       "A coupla months in the laboratory can save a coupla hours in the library."
    firewall-wizards mailing list

  • Next message: Marcus J. Ranum: "Re: [fw-wiz] VM system for firewall use"