 From:  "Roland Giesler" <roland at thegreentree dot za dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] m0n0wall&virtualization
 Date:  Tue, 24 Jul 2007 17:18:54 +0200
On 24/07/07, Paulo Meireles <subscribe at exxpert dot com> wrote:
> I never used Xen, but the basics should be the same. With VMware Server
> I used Windows 2000 as the host (as it's "thinner" than XP) but you may
> use your favorite Linux distro - or BSD if you're using Xen. I recommend
> you to use a stripped-down installation, with only the bare minimum
> needed to run the virtualization layer (either VMware or Xen). Then,
> create virtual machines where you will install everything you need.

Yes, I'm also quite familiar with that and have used it in many instances.

> Keeping applications off the host and running everything in VMs makes
> hardware upgrades (and recovery) a piece of cake: just copy the virtual
> machines to a new host and power them up.

> As for networking, the trick is not to configure IP (or any other
> protocol) on the host's NICs exposed to the Internet. This way, it's
> almost as if the NIC does not exist and, while you can sometimes attack
> what you can't see, you can't attack what is not there!

Ah, that makes sense.

I have read that there are claims that the VM layer can be hacked,
which allows an attacker to actually change the VM settings.  Is this
a real threat?  I mean, the VM firewall instance in theory is not as
secure as would be a dedicated firewall, right?  On the other hand,
the difference in security is probably negligible.

> You may add an extra layer of security by not having IP on the LAN
> interface either, and have an isolated NIC configured specifically for
> managing the host; you may then connect to it from a laptop with a
> crossover cable or something alike.

Good idea.

> Hope it helps a bit, and good luck!

Thanks, it does!