Well, it's not NEW news per se. VM software has never been risk-free--no
software is. And as far as "between" VMs, well, there is a big VMware
market for software that acts as a sentry between VMs to watch for
problems and attacks. Funny, eh?

Didn't EMC or someone just buy one of those smaller VM security vendors
up? I think so.

--
Puryear Information Technology, LLC
Baton Rouge, LA * 225-706-8414
http://www.puryear-it.com

Author, "Best Practices for Managing Linux and UNIX Servers"
  http://www.puryear-it.com/pubs/linux-unix-best-practices

Identity Management, LDAP, and Linux Integration


Fernando Vilas wrote:
> On Saturday 22 September 2007 21:15:00 Dustin Puryear wrote:
>> We push VMware, so this hits us too:
>>
>> http://www.forbes.com/security/2007/09/21/virtualization-software-security-tech-security_cx_ag_0921vmware.html
>>
>> How risky is putting all of your eggs into one basket?
> 
> One of the main selling points of virtualization is the idea that a VM can't 
> get to the host, so the host should never be at risk.  We've been dealing 
> with Solaris Containers (zones) a lot lately at work, and they market them 
> the same way. Solaris Containers are based on the BSD jail model, and are 
> Common Criteria certified to a pretty advanced level.
> 
> What I found really interesting the last time I did a BIND upgrade was that 
> the docs now say that on a Linux box, it is less secure to run named in a 
> chroot jail than to let it run as a non-root user and load the capability 
> kernel module so that it can drop privs when it doesn't need them.  They 
> claim that this is due to something in chroot jails not playing nice with 
> named.
> 
> To VMware's credit, their representative acknowledges that this is an issue 
> with software in general and advises keeping up to date on the patches.  I 
> wonder how news like this will affect other virtualization platforms like Xen 
> and KVM going forward.
> 
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> General mailing list
> General at brlug.net
> http://mail.brlug.net/mailman/listinfo/general_brlug.net
