3rd December 2008
windependence
Real Name: Tim
Shell Scout
 
Join Date: May 2008
Location: Phoenix, Arizona
Posts: 116

Quote:
Originally Posted by Oko
This is my last post on the topic as I do not want to get into any kind of flame wars. People will do what they want to do no matter what. If you want to run firewalls on top of a VM it is your choice. It might be a good choice if you want to balance your desired level of security and cost of deployment. A real good solution might be cost prohibitive.

Now back to my answer.
Let me paraphrase Theo de Raadt: "Running your crap on top of somebody else's crap is not going to make your crap any better". Any piece of code (even a couple of lines) is prone to bugs. Adding another layer between your crappy OS (yes, even OpenBSD is crap as well, just far less than other operating systems) and a crappy PC machine (if nothing else, sparc64 is at least less prone to buffer overflow) is not going to make you safer.

If OpenBSD, which has been debugged for more than 10 years now, still has bugs, I can just imagine VMware. When OpenBSD was first ported to the Motorola 88000, new bugs were discovered on a weekly basis. Some of them were in BSD Unix for more than 20 years. I am sure the VMware team has ported VMware on 10 different processor architectures like OpenBSD just to find the bugs. So how long did you run VMware on Motorola 68000 or 88000 processors? How long have you run it on the SGI MIPS architecture? Does it run flawlessly?

This makes me upset when I read it. Do you think that the banks, insurance companies, etc. who run VMware are not concerned about security? (And there are a lot of them.)

Read here and here.

This is a clip from the VMware site:

Strengthen Security & Improve Reliability

VMware ESXi is the only hypervisor that does not incorporate or rely on a general-purpose operating system (OS), eliminating many common reliability issues and security vulnerabilities. The slim 32MB footprint of VMware ESXi is a fraction of the size of a general-purpose operating system, resulting in a smaller attack surface while minimizing the effort required for tasks such as security hardening, user access control, anti-virus and backup. In addition, integration into solid-state components inside a server enables diskless server configurations. This reduces hardware failure rates and decreases server power consumption.


Indeed, the small footprint makes it less of a target. I am not saying it's perfect. Even one of my favorite OSes, OpenBSD, is not perfect, but I have several VM firewall implementations in production environments and I have found it actually easier to secure them due to the fact that I can create virtual networking to isolate traffic on different networks. I just installed a box very similar to the one the OP is thinking about using (it's a dual PIII Dell 2550). We run 2 pfSense firewalls on it, one for the general network and one for the mail server. I keep all the mail server traffic on a completely separate and different network so that if there is a virus outbreak on the LAN, the e-mail server is not affected and vice versa.

Of course, someone will always be able to take advantage of exploits if there are any, but considering that the DOD has certified Windoze, this is an order of magnitude better than that situation. ESXi can also be run from a CF card or a thumb drive. We are going to start using dual CF cards and use the disks only for the VMs. That should be even more secure.

Finally, the Dell 2550 we put in didn't draw THAT much power, even with 5 SCSI drives. Of course, I'm not that politically correct either.

One thing I forgot to mention. SATA drives are not supported for VM storage unless you use certain controllers. Be careful. I built a $2,000 box only to find out I had to put the 2TB of storage in the SAN.

-Tim
__________________
www.windependence.org
Get your Windependence today!