 From:  Michael Sierchio <kudzu at tenebras dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Why should one not use Monowall for production systems on a VM Platform
 Date:  Tue, 09 Sep 2008 10:18:58 -0700
Jeff Rhys-Jones wrote:

> However, on reading the manual - it could not be spelt out more clearly, the 
> message is this: DO NOT USE IT FOR PRODUCTION!
> What I would really like to know is - why?

Really?  Jeff, is there any software available that does not come with
a shrinkwrap license that says, in effect, "We know our marketing
literature says our product X is a Y, but you agree that we make
no representations whatsoever as to its fitness for use as a Y."

Disclaimers are pro forma.  Ignore them.

> Is it something to do with a fundamental issue - like performance - 
> security?
> I have had a trawl through these lists and it seems that people *are* 
> using monowall on ESX - and it seems that from what most people say - 
> the main issues are issues / mis-configurations of virtual switches.
> If used as an additional layer of security (in a virtual data centre, 
> behind a dedicated firewall and providing better VM to VM segregation) - 
> would it hurt?
> Or would it cause everything to fall to bits?

I have as much confidence in m0n0wall as I do in Checkpoint.  No exaggeration.
It is not as featureful, but you can deploy many m0n0wall VMs for the
footprint, computational load and $$$ of a Checkpoint FW.

Anyway, I would not put any security VM into production unless I had
tested it in my dev and staging environments.  Fortunately, Xen and
ESX make this quite feasible.

Your experience is key -- there may not be enough people who have
already done what you propose to make it a mature field of endeavor.
In which case, we look forward to your report. Welcome to a world
of people no better than yourself!  Disappointing, isn't it?

I also want to say:

Manuel is at the top of a short list of people whom I would hire without
any hesitation.  Not only is m0n0wall technically innovative (XML-based
config?  now everyone will do it!), he has been a consummate professional
in the way he's handled the project, fielded complaints/RFEs/etc.