It's probably not possible to isolate individual VM instantiations with a hardware-based firewall. I am not so sure how feasible it would be with a software-based firewall. This is one reason why I believe switched crossbar architectures with addressable IP nodes are more secure. A lot of OSes are moving to this with end-to-end encryption. I have been disappointed that the x86 world has not moved in this direction.
--- Rick Joyce <[EMAIL PROTECTED]> wrote:

> MS Virtual Server allows you to assign unique MAC addresses to each
> virtual NIC. It is only by default that they are the same.
>
> Rick Joyce
> JNet Services
> (760) 271-6528
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Michael J McCafferty
> Sent: Monday, April 03, 2006 11:18 PM
> To: San Diego Windows 2003 User Group
> Subject: RE: [sdw2003] Virtual Server 2005 R2 now available as free
> download..?
>
> Interestingly, I just recently ran into a real production environment
> running several systems in Virtual Machines on the same hardware, for a
> very very large company. We were doing a firewall with several separate
> security zones for this customer, thousands of miles away. Everything was
> fine until one of our guys noticed that the MAC address of several
> "machines" were the same! All along the server admins were letting us
> think these systems were discrete systems. They gave us their rule
> requests as if they were separate machines, never mentioning that they
> were VMs. Maybe they didn't think it was a big deal.
>
> Several of the systems, in different VMs on the same hardware, were to be
> placed in different security zones. How the heck do you enforce that if
> they are on the same hardware?!?!?!?! Basically, if you hack one, you
> have them all. I can't stick a FW between the VMs on the same machine. I
> am not sure how we will solve this problem yet. I guess my point is that
> there are security issues with VMs on the same hardware. Similar systems
> (i.e. all Front DMZ systems) on a single piece of hardware is OK, but you
> can't have your Front DMZ (IIS boxes, external DNS, mail relays, etc.)
> and Back DMZ (SQL backend) systems on the same hardware. That defeats the
> purpose of multiple security zones. If you are big enough to need to
> consolidate servers you are probably big enough to want multiple security
> zones.
>
> *sigh*
>
> Mike
>
> At 08:35 PM 4/3/2006, you wrote:
> > There are a number of different purposes:
> >
> > Though you get the basic principle - the ability to run lots of
> > isolated systems on one physical box (the only requirement is to have
> > the RAM and disk space necessary).
> >
> > Virtualization started (primarily) with test systems. Once it worked
> > so well there, it moved into production.
> >
> > At my last job, there were 4 or 5 servers when I started at HQ, and 3
> > years later we had over 10. Almost all of them (including Exchange and
> > SQL) were very little utilized. We could easily have consolidated into
> > 3 servers or so, then had spare equipment for test and/or DR, which
> > there wasn't when I left.
> >
> > Disaster recovery is another reason. Being able to restore multiple
> > servers onto one minimizes resource needs, and therefore power, HVAC,
> > etc.
> >
> > Backup of a VM is a matter of copying a single file. Moving a server
> > onto another physical box is a matter of copying the file (no
> > re-install, etc.) The beauty is the 'computer' (virtual machine) no
> > longer being tied to physical hardware (for the most part).
> >
> > Personally, my main email/browser PC is now a VM. I can copy it to a
> > laptop, etc. as needed. Buy a new faster PC, copy over VM. Great time
> > saver.
> >
> > For the test environment, a beauty of a VM is the 'undo' ability. Try
> > something until it breaks, click restore/undo, and a few seconds later
> > you are back to an earlier state. Saves a LOT of time in re-imaging.
> >
> > In production, presuming low utilization (most servers sit at 1-10% CPU
> > usage, and low disk I/O), you can easily set up new servers, without
> > requiring space, power etc. of a physical box.
> >
> > For those who have tried Virtual PC/Server, and been disappointed with
> > the disk I/O, and made conclusions about real-world applicability due
> > to low performance, I recommend that you withhold judgment until you
> > try other products. Also, regardless of product, running the guest VMs
> > on separate physical disk(s) than the host OS makes a large difference.
> > Want really fast VMs on the cheap - run them on the WD Raptor 10k RPM
> > SATA drives (lots of Internet deals at the moment).
> >
> > For those interested in trying VM stuff out:
> > MS has the new free download
> > MS has its Subscription Pak for $299 with LOTS of s/w
> >   https://partner.microsoft.com/40009735
> > VMware VMTN subscription includes most of their software
> >   http://www.vmware.com/products/vmtn/
> >   including ESX server
> > With VMplayer (free) you can do most everything (but not all) you can
> > do with Workstation 5.x
> >   the one big downside was not being able to create a VM, but you can
> >   do that with the free Beta of VM server
> >
> > I've been playing with ESX server on a dual Opteron HP DL385 - truly
> > amazing.
> >
> > -----Original Message-----
> > From: Charles R. Buchanan
> > Sent: Monday, April 03, 2006 5:25 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [sdw2003] Virtual Server 2005 R2 now available as free
> > download..?
> >
> > I guess this would be a good time for a question on this subject. What
> > is the "main" purpose of a virtual server? I have been playing with
> > VMWare and right now I have SuSe Linux, W2KAS and W2k3 R2 installed on
> > it. As far as being able to do this under XP is cool in itself, but as
> > far as being able to join a domain (on another computer) seems to be a
> > problem. (for me) I know I'm probably doing something wrong, but I'm
> > just looking at this as part of a learning experience type of thing.
> >
> > On Mon, 3 Apr 2006 16:59:43 -0700, "Tony Su" <[EMAIL PROTECTED]> took
> > time to say the following:
> >
> > TS> That's pretty interesting.
> > TS>
> > TS> I wonder how much of this might be in response to VMWare's free
> > TS> "VMWare Server" download, the free VMWare Player and the fast
> > TS> progress being made in *NIX Xen.
> > TS>
> > TS> It's a matter of opinion, but it could be that MS was looking at
> > TS> losing the war on virtualization while asleep at the wheel.
> > TS> Virtualization is a far-ranging technology too important to lose
> > TS> even today when it's in its infancy. It'll be one

=== message truncated ===

--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
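The check Mike's team stumbled on by accident (several "separate" hosts presenting the same MAC, and two of them requested in different security zones) can be run deliberately against the firewall's ARP/neighbour table before any rules are written. The following is an added example and not code from anyone in the thread: the neighbour-table lines and the name/IP/zone list are constructed, and the virtual-NIC OUI table is an assumed list of the commonly published vendor prefixes that you should extend for your own environment.

```python
"""Spot "discrete" hosts that share one NIC, and zone requests that cannot
be enforced, from an ARP / ip-neigh style table.

Added example, not from the mailing-list thread. Sample input and the
OUI table are constructed/assumed; adjust both for your site.
"""
import re
from collections import defaultdict

# Assumed list of well-known virtual-NIC OUIs (first three octets).
VIRTUAL_OUIS = {
    "00:03:ff": "Microsoft Virtual Server / Virtual PC",
    "00:15:5d": "Microsoft Hyper-V",
    "00:50:56": "VMware",
    "00:0c:29": "VMware",
    "00:05:69": "VMware",
    "00:16:3e": "Xen",
}

# Hosts as the server admins described them: name -> (IP, zone). Constructed.
RULE_REQUESTS = {
    "web1":  ("10.1.1.10", "front-dmz"),
    "dns1":  ("10.1.1.11", "front-dmz"),
    "sql1":  ("10.2.1.20", "back-dmz"),
    "mail1": ("10.1.1.12", "front-dmz"),
}

# Constructed neighbour-table output. Linux `ip neigh` lines plus one
# Windows `arp -a` style line, mixed here only to exercise both formats.
ARP_OUTPUT = """\
10.1.1.10 dev eth1 lladdr 00:03:ff:4a:12:07 REACHABLE
10.1.1.11 dev eth1 lladdr 00:03:ff:4a:12:07 STALE
10.2.1.20 dev eth2 lladdr 00:03:ff:4a:12:07 REACHABLE
  10.1.1.12             00-1b-21-9c-3e-51     dynamic
10.1.1.1  dev eth1 lladdr 00:0c:29:7d:aa:01 REACHABLE
"""

MAC_RE = re.compile(r"([0-9a-f]{2}(?:[:-][0-9a-f]{2}){5})", re.I)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_neighbours(text):
    """Return {normalised_mac: set(ip)} from arp/ip-neigh style lines.

    Accepts colon or dash separated MACs in any case; lines without both an
    IPv4 address and a MAC (headers, incomplete entries) are skipped.
    """
    by_mac = defaultdict(set)
    for line in text.splitlines():
        ip_m, mac_m = IP_RE.search(line), MAC_RE.search(line)
        if not (ip_m and mac_m):
            continue
        mac = mac_m.group(1).lower().replace("-", ":")
        by_mac[mac].add(ip_m.group(1))
    return dict(by_mac)


def shared_macs(by_mac):
    """MACs claimed by more than one IP: 'separate' hosts behind one NIC."""
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def zone_conflicts(by_mac, rule_requests):
    """For each shared MAC, the zones its IPs were requested in.

    More than one zone behind a single MAC is Mike's situation: there is no
    firewall boundary between those hosts to put a rule on.
    """
    ip_zone = {ip: zone for _, (ip, zone) in rule_requests.items()}
    conflicts = {}
    for mac, ips in shared_macs(by_mac).items():
        zones = {ip_zone[ip] for ip in ips if ip in ip_zone}
        if len(zones) > 1:
            conflicts[mac] = sorted(zones)
    return conflicts


def virtual_hosts(by_mac):
    """IPs whose MAC carries a known virtualization OUI, with the vendor."""
    found = {}
    for mac, ips in by_mac.items():
        vendor = VIRTUAL_OUIS.get(mac[:8])
        if vendor:
            for ip in ips:
                found[ip] = vendor
    return found


if __name__ == "__main__":
    table = parse_neighbours(ARP_OUTPUT)
    for mac, ips in shared_macs(table).items():
        print(f"shared MAC {mac}: {', '.join(ips)}")
    for mac, zones in zone_conflicts(table, RULE_REQUESTS).items():
        print(f"ZONE CONFLICT behind {mac}: {', '.join(zones)}")
    for ip, vendor in sorted(virtual_hosts(table).items()):
        print(f"{ip} looks virtual ({vendor})")
```

Feed it the real `ip neigh` or `arp -a` output from the firewall's inside interfaces together with the rule request list. Two caveats: a shared MAC proves the hosts sit behind one interface, but unique per-VM MACs (the fix Rick points out) make the VMs indistinguishable at layer 2, so the OUI check is the remaining hint; and neither check says anything about the hypervisor itself, which is the shared component that makes the zone separation unenforceable.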
