 From:  "Quark IT - Hilton Travis" <Hilton at QuarkIT dot com dot au>
 To:  "Chris Buechler" <cbuechler at gmail dot com>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Why should one not use Monowall for production systems on a VM Platform
 Date:  Wed, 17 Sep 2008 09:15:49 +1000
> -----Original Message-----
> From: Chris Buechler [mailto:cbuechler at gmail dot com]
> Sent: Wednesday, 10 September 2008 7:47 AM
> On Tue, Sep 9, 2008 at 12:48 PM, Jeff Rhys-Jones
> <jeff at acc dash international dot co dot uk> wrote:
> > I have taken a good look at Monowall and think it's a great 
> > bit of coding. Monowall has a very small OS footprint, and 
> > is therefore ideal to run in virtual environments.
> >
> > Initially I was very excited about the VMWare version of 
> > Monowall, as I can see a clear need for people to use 
> > Firewall VM appliances. It's a hot topic right now.
> >
> > However, on reading the manual - it could not be spelt out 
> > clearer, the message is this: DO NOT USE IT FOR PRODUCTION!
> >
> > What I would really like to know is - why?
> >
> That's a little strongly worded (I wrote it), I'll have to expand that
> section with further clarification. The primary reason for the strong
> wording is so people don't do stupid things, like use VMware
> Workstation or Player on their PC as a production firewall. That
> leaves you open to configuration mistakes leaving your PC wide open on
> the Internet.
> With ESX it's much less of a concern, though that depends on the
> environment. In high security environments I would never recommend
> mixing VMs or networks of differing trust levels on the same server,
> whether ESX or any other hypervisor. Given the very good security
> track record of ESX, I wouldn't hesitate to run even your perimeter
> Internet firewall in ESX in many environments.
> -Chris

Hi Chris,

One way to alleviate *some* of these concerns is to use a physical NIC
in the ESX Server that is disabled in all operating systems and only
enabled as the WAN connection for the m0n0wall VM.  That way nothing
else is talking to it except the outside of the m0n0wall image.  It may
not be foolproof, but it sure is idiot resistant!  :)

I also agree with your differing trust levels comment, however in our
end of the world (SMB) there's not often a lot of physical room for
servers, and if there is, there's sure not the budget for them, so we
have to, at times, do things that we'd rather not do had we been given
the resources we'd like to have for a project.  This is where I can see
a VM of m0n0wall being extremely effective.




Hilton Travis                       Phone: +61 (0)7 3105 9101
(Brisbane, Australia)               Phone: +61 (0)419 792 394
Manager, Quark IT                   http://www.quarkit.com.au
         Quark Group                http://www.quarkgroup.com.au

     Microsoft SBSC PAL (Australia) http://www.sbscpal.com/

War doesn't determine who is right.  War determines who is left.
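
Added example, not part of the original message or of m0n0wall: a check that the physical NIC used for the firewall's WAN side really is dedicated to the m0n0wall VM, as the reply above suggests. The inventory layout and the names in it (vSwitch0, vmnic1, the "WAN" port group, the "fileserver" VM) are constructed assumptions; a real inventory would be exported from the hypervisor's own management tooling.

```python
# Constructed inventory with hypothetical names; a real one would be exported
# from the hypervisor's own management tooling.
INVENTORY = {
    "vswitches": {
        "vSwitch0": {"uplinks": ["vmnic0"], "portgroups": ["LAN", "Management"]},
        "vSwitch1": {"uplinks": ["vmnic1"], "portgroups": ["WAN"]},
    },
    "host_interfaces": [{"name": "vmk0", "portgroup": "Management"}],
    "vms": {"m0n0wall": ["WAN", "LAN"], "fileserver": ["LAN"]},
}


def audit_wan_isolation(inv, wan_pg="WAN", firewall="m0n0wall"):
    """Return a list of findings; an empty list means the WAN NIC is dedicated."""
    carriers = [n for n, s in inv["vswitches"].items() if wan_pg in s["portgroups"]]
    if len(carriers) != 1:
        return [f"expected one vSwitch carrying {wan_pg}, found {len(carriers)}"]
    wan_sw = inv["vswitches"][carriers[0]]
    findings = []
    # The WAN vSwitch should carry nothing but the WAN port group.
    for pg in wan_sw["portgroups"]:
        if pg != wan_pg:
            findings.append(f"port group {pg} shares the WAN vSwitch")
    if not wan_sw["uplinks"]:
        findings.append("WAN vSwitch has no physical uplink")
    # The physical NIC must not also be an uplink of any other vSwitch.
    for name, sw in inv["vswitches"].items():
        if name != carriers[0]:
            for nic in sorted(set(sw["uplinks"]) & set(wan_sw["uplinks"])):
                findings.append(f"uplink {nic} is shared with {name}")
    # No host (management) interface may sit on the WAN port group.
    for iface in inv["host_interfaces"]:
        if iface["portgroup"] == wan_pg:
            findings.append(f"host interface {iface['name']} is on {wan_pg}")
    # Only the firewall VM may have a virtual NIC on the WAN port group.
    for vm, pgs in sorted(inv["vms"].items()):
        if vm != firewall and wan_pg in pgs:
            findings.append(f"VM {vm} is attached to {wan_pg}")
    if wan_pg not in inv["vms"].get(firewall, []):
        findings.append(f"{firewall} has no interface on {wan_pg}")
    return findings


if __name__ == "__main__":
    for line in audit_wan_isolation(INVENTORY) or ["WAN NIC is dedicated to the firewall VM"]:
        print(line)
```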