From: Paulo Meireles <paulo dot meireles at exxpert dot com>
To: Scott Myers <scott at paperstreettech dot com>
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] VMware based M0n0wall routing on the same server as a standard linux firewall... (recipe for disaster part 1?)
Date: Tue, 17 Oct 2006 20:15:58 +0100

The real question here is if a VMware virtual machine is isolated enough 
to be trusted as a security barrier. We consider it is.
We have several VMs connected to our DMZ through dedicated NICs (one NIC 
per VMware host). We considered using VLANs instead of dedicated NICs, 
but it seems there are still too many VLAN vulnerabilities, so we're 
using good old NICs instead.

It's a good idea to have the host on a separate network. However, what 
is really crucial is not to have the host's TCP/IP stack bound to any of 
the interfaces being used by VMs. Only the "VMware Bridging Protocol" 
should be on these interfaces; as far as the host's TCP/IP stack is 
concerned, these interfaces should not exist, period.

Paulo
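Paulo's crucial point is that the host's TCP/IP stack must not be bound to any NIC handed to the VMs. The script below is an added example, not from the thread or the m0n0wall project: a small POSIX sh audit that takes the output of Linux `ip -o addr show` and reports any VM-dedicated interface that still carries an inet or inet6 address (a link-local IPv6 address counts too, since it means the host stack is live on that NIC). The interface names eth1/eth2 and the `ip` output are constructed for the example.

```sh
#!/bin/sh
# Added example (not part of the original thread): check that NICs dedicated
# to VM bridging carry no host IP addresses at all.

# Constructed sample of `ip -o addr show` output from a hypothetical host.
# eth0 is the host's management NIC (allowed to have an address);
# eth1 and eth2 are supposed to be bridge-only NICs given to the m0n0wall VM.
SAMPLE_IP_ADDR='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 10.0.0.5/24 brd 10.0.0.255 scope global eth0\       valid_lft forever preferred_lft forever
3: eth1    inet6 fe80::20c:29ff:fe12:3456/64 scope link \       valid_lft forever preferred_lft forever
4: eth2    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth2\       valid_lft forever preferred_lft forever'

# bound_vm_ifaces IP_ADDR_OUTPUT IFACE...
# Prints, one per line, every listed interface that appears in the ip(8)
# output with an inet or inet6 address, i.e. the host stack is bound to it.
# Returns 0 when all listed interfaces are clean, 1 when at least one is bound.
bound_vm_ifaces() {
    input=$1
    shift
    found=0
    for dev in "$@"; do
        # In `ip -o addr` output field 2 is the device, field 3 the family.
        if printf '%s\n' "$input" |
            awk -v d="$dev" '$2 == d && ($3 == "inet" || $3 == "inet6") { hit = 1 }
                             END { exit !hit }'; then
            echo "$dev"
            found=1
        fi
    done
    return $found
}

# On a real host you would feed live output instead of the sample:
#   bound_vm_ifaces "$(ip -o addr show)" eth1 eth2
if vm_bound=$(bound_vm_ifaces "$SAMPLE_IP_ADDR" eth1 eth2); then
    echo "OK: host TCP/IP stack is not bound to any VM-dedicated interface"
else
    echo "WARNING: host TCP/IP stack is bound to VM-dedicated interface(s):" $vm_bound
fi
```

Run it periodically or from a configuration-check hook; a clean result means the host only forwards frames on those NICs and has no address on them to be reached through.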

-------- Original Message --------
From: Scott Myers <scott at paperstreettech dot com>
To: m0n0wall at lists dot m0n0 dot ch
Subject: [m0n0wall] VMware based M0n0wall routing on the same server as 
a standard linux firewall... (recipe for disaster part 1?)
Date: 17-10-2006 17:36
> Working on a network where I need to include an additional routing 
> device in front of the firewall so I can route multiple public IPs to 
> machines behind this device.   I am wondering with the server I am 
> building if it would be a sound decision to use a VMware based machine 
> solution to this problem, where m0n0wall sits on the virtual machine 
> with its own interfaces as well as the secondary machine behind it.
> I may try it to see what the results are, but just wondering if anyone 
> here has an opinion on the scenario. I have thought about security 
> concerns (the core VM machine will be a non network accessible linux 
> based distro running selinux, and the vmmachine will not be routing 
> any addresses to any virtual interfaces).  I will use multiple 
> ethernet ports/cards to satiate the 4-5 ports I would need to do this.
> Any thoughts/ banter/ ridicule is appreciated. :)
>
> Scott
>