--- Dustin Puryear <[EMAIL PROTECTED]> wrote:
> ----- Original Message -----
> From: "Tim Fournet" <[EMAIL PROTECTED]>
>
> > Dustin Puryear wrote
> > >server. This would allow him to compromise all of
> the virtual servers.
> > >Basically, using VM could mean putting all of
> your eggs in one basket.
> > >
> > >
> > How? From what I've seen, the guest OS doesn't
> even know it's not on a
> > real computer. The closest danger I could see
> would be if the guest OS
> > gets compromised, the attacker could use the
> network transport to get to
> > other machines, but that's no different than a
> physical box.
>
> Tim, I'm surprised at you. No software is
> invincible. It's only a matter of
> time until someone finds some odd combination of
> machine instructions
> running in the guest OS (or something) that will
> exploit a vulnerability in
> the VMware virtual machine software itself. (Then
> again, the exploit may be
> done in a way that I can't even imagine. Who knows?)
> Sure, the VMware
> development team is smart, but they aren't that
> smart!
>
> The question is: Does running something like VMware
> expose you to more risk
> in the long-run or less?
IMO, it exposes you to more risk, for the simple
reason that it adds complexity to the system. As you
have pointed out, no software is perfect. Software is
an expression of logic by humans; humans are by nature
goofy, ergo software is not perfect.
But of course, the risks are weighed against the
benefits. Obviously it depends on the case where it is
being used. I assume that most organizations use VMs
in the "soft underbelly" of their networks;
internally. I therefore assume that the reverse is not
true; organizations wouldn't use VMs on a server on
the edge of the network, like a webserver.
Maybe I can frame your question in another way: Does
using a VM provide more security by adding layers of
restriction? Again, I would say no, for the reason you
have already mentioned. IMO, if the VM is not open
source, it is less secure at least because it is not
open to peer review. A closed source VM would require
me to have faith in the software publisher's security
programming efforts, and I don't feel as comfortable
with that.
John Hebert
__________________________________
Do you Yahoo!?
Yahoo! Tax Center - File online by April 15th
http://taxes.yahoo.com/filing.html
