On 24/07/07, Paulo Meireles <subscribe at exxpert dot com> wrote:
> I never used Xen, but the basics should be the same. With VMware Server
> I used Windows 2000 as the host (as it's "thinner" than XP) but you may
> use your favorite Linux distro - or BSD if you're using Xen. I recommend
> you to use a stripped-down installation, with only the bare minimum
> needed to run the virtualization layer (either VMware or Xen). Then,
> create virtual machines where you will install everything you need.
Yes, I'm also quite familiar with that and have used it in many instances.
> Keeping applications off the host and running everything in VMs makes
> hardware upgrades (and recovery) a piece of cake: just copy the virtual
> machines to a new host and power them up.
> As for networking, the trick is not to configure IP (or any other
> protocol) on the host's NICs exposed to the Internet. This way, it's
> almost as if the NIC does not exist and, while you can sometimes attack
> what you can't see, you can't attack what is not there!
Ah, that makes sense.
I have read that there are claims that the VM layer can be hacked,
which allows an attacker to actually change the VM settings. Is this
a real threat? I mean, the VM firewall instance in theory is not as
secure as would be a dedicated firewall, right? On the other hand,
the difference in security is probably negligible.
> You may add an extra layer of security by not having IP on the LAN
> interface either, and have an isolated NIC configured specifically for
> managing the host; you may then connect to it from a laptop with a
> crossover cable or something alike.
> Hope it helps a bit, and good luck!
Thanks, it does!
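
A check for the "no IP on the Internet-facing NIC" setup discussed above, as an added example that is not part of the original messages: it assumes a Linux host with iproute2, and the interface names and addresses in the sample are constructed. It goes slightly beyond the thread by also flagging IPv6 link-local addresses, which Linux assigns automatically when a link comes up even if no IPv4 address was ever configured.

```shell
#!/bin/sh
# Audit helper (added example): report any IPv4/IPv6 address bound to host
# NICs that are supposed to carry no L3 configuration at all.
#
# Usage on a live host:   ip -o addr show | find_addressed eth0
# Input : output of `ip -o addr show` on stdin
# Args  : names of the interfaces that must stay unnumbered
# Output: one "<ifname> <family> <addr>/<plen>" line per offending address
# Status: 0 if the listed interfaces are clean, 1 if any address was found
find_addressed() {
    awk -v want="$*" '
        BEGIN {
            n = split(want, w, " ")
            for (i = 1; i <= n; i++) watch[w[i]] = 1
        }
        # ip -o line layout: "<idx>: <ifname> <family> <addr>/<plen> ..."
        ($3 == "inet" || $3 == "inet6") && ($2 in watch) {
            print $2, $3, $4
            bad = 1
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample: eth0 is the Internet-facing NIC bridged to the firewall
# VM, eth1 is the isolated management NIC. eth0 has no IPv4 address, but the
# kernel has still given it an fe80:: link-local address.
SAMPLE='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet6 fe80::a00:27ff:fe4e:66a1/64 scope link \       valid_lft forever preferred_lft forever
3: eth1    inet 192.168.10.2/24 brd 192.168.10.255 scope global eth1\       valid_lft forever preferred_lft forever'

# Demo run against the sample; "|| true" keeps the demo from aborting a
# caller that uses "set -e" when the audit reports a finding.
printf '%s\n' "$SAMPLE" | find_addressed eth0 || true
```

If the link-local address shows up on a real host, setting the `net.ipv6.conf.<ifname>.disable_ipv6` sysctl to 1 for that interface removes it.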