Randall Shimizu wrote:
> It's probably not possible to isolate individual VM
> instantiations with a hardware based firewall. I am
> not so sure how feasible it would be with a software
> based firewall. This is one reason why I believe
> switched crossbar architectures with addressable IP
> nodes are more secure. A lot of OSes are moving to
> this with end to end encryption. I have been
> disappointed that the x86 world has not moved in this
> direction.

I am not sure if it is proper netiquette to cc different mailing lists
on a single posting these days since most lists don't accept mail from
non-subscribers anymore.

Randall, I must admit that half the time I have no clue what you are
talking about. What exactly would a switched crossbar architecture with
addressable IPs do? Why is it more secure? What OSes have moved to
this? Are you sure you are not confusing the memory bus on architectures
like Sparc or Alpha, which do use crossbar switching, with IP networking?

>> MS Virtual Server allows you to assign unique MAC
>> addresses to each virtual
>> NIC. It is only by default that they are the same.

Most any virtualization software can do this. Xen included.
Also, check this out to learn how firewalling with Xen can work and be
secure:

http://www.shorewall.net/XenMyWay.html

>> They gave us their rule requests as if they were
>> separate machines, never
>> mentioning that they were VMs. Maybe they didn't
>> think it was a big deal.

It really should not be a big deal.

>> placed in different security zones. How the heck do
>> you enforce that if they
>> are on the same hardware ?!?!?!?! Basically, if you
>> hack one, you have them
>> all. I can't stick a FW between the VMs on the same

You can enforce it if you are using good virtualization. Hacking one
definitely does not mean you have hacked them all. Far from it.


>> OK, but you can't have
>> your Front DMZ (IIS boxes, external DNS, mail
>> relays, etc) and Back DMZ (SQL
>> backend) systems on the same hardware. That defeats
>> the purpose of multiple
>> security zones. If you are big enough to need to
>> consolidate servers your

Sure you can and not at all.

-- 
Tracy R Reed
http://copilotconsulting.com
1-877-MY-COPILOT


-- 
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
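The point Tracy makes above (unique MACs per virtual NIC, and a firewall in the virtualization host keeping a front DMZ and a back DMZ apart on one box) can be made concrete with a small model. The following is an added example; it is not code from this thread and not taken from the shorewall.net page linked above. It assumes a hypothetical Xen dom0 that bridges guest interfaces named vif<domid>.0 and filters them in the iptables FORWARD chain with the physdev and mac matches. The generator emits the rule lines a host would load; the evaluator replays those same lines with first-match semantics so the policy (including MAC anti-spoofing) can be checked offline without a real firewall. Only new connections are modelled; the ESTABLISHED,RELATED rule is emitted but skipped by the evaluator.

```python
"""Zone enforcement between VMs on one host: rule generator plus an offline
first-match evaluator.  Added example with a constructed inventory; the vif
names, MACs and zone policy are assumptions, not taken from the thread."""
from dataclasses import dataclass


@dataclass(frozen=True)
class VM:
    name: str
    vif: str   # dom0-side interface for this guest, e.g. "vif3.0" (assumed naming)
    mac: str   # unique per virtual NIC, never the hypervisor's shared default
    zone: str


# Constructed inventory: front DMZ and back DMZ guests sharing one host.
VMS = [
    VM("iis1",  "vif1.0", "00:16:3e:00:00:01", "front"),
    VM("relay", "vif2.0", "00:16:3e:00:00:02", "front"),
    VM("sql1",  "vif3.0", "00:16:3e:00:00:03", "back"),
]

# Cross-zone policy: (src_zone, dst_zone) -> allowed (proto, dport) pairs.
# Same-zone traffic is permitted; anything unlisted falls to the DROP policy.
POLICY = {("front", "back"): [("tcp", 1433)]}


def iptables_rules(vms=VMS, policy=POLICY):
    """Return the dom0 FORWARD-chain rule lines that implement the zone policy."""
    rules = ["iptables -P FORWARD DROP",
             "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"]
    # Anti-spoofing: a frame arriving on a vif must carry that guest's own MAC,
    # so a compromised guest cannot borrow a neighbour's address to cross zones.
    for vm in vms:
        rules.append(f"iptables -A FORWARD -m physdev --physdev-in {vm.vif}"
                     f" -m mac ! --mac-source {vm.mac} -j DROP")
    for src in vms:
        for dst in vms:
            if src is dst:
                continue
            base = (f"iptables -A FORWARD -m physdev --physdev-in {src.vif}"
                    f" --physdev-out {dst.vif}")
            if src.zone == dst.zone:
                rules.append(f"{base} -j ACCEPT")
            for proto, port in policy.get((src.zone, dst.zone), []):
                rules.append(f"{base} -p {proto} --dport {port} -j ACCEPT")
    return rules


def _match(rule, in_vif, src_mac, out_vif, proto, dport):
    """Test one generated rule against a new connection; return its target
    if every match clause holds, else None.  The chain-policy line and the
    stateful rule are skipped because only new connections are modelled."""
    toks = rule.split()
    if "-A" not in toks or "--state" in toks:
        return None
    target = None
    for i, t in enumerate(toks):
        if t == "--physdev-in" and toks[i + 1] != in_vif:
            return None
        if t == "--physdev-out" and toks[i + 1] != out_vif:
            return None
        # Negated MAC match: the rule only fires when the source MAC differs.
        if t == "!" and toks[i + 1] == "--mac-source" and toks[i + 2] == src_mac:
            return None
        if t == "-p" and toks[i + 1] != proto:
            return None
        if t == "--dport" and int(toks[i + 1]) != dport:
            return None
        if t == "-j":
            target = toks[i + 1]
    return target


def forward_verdict(in_vif, src_mac, out_vif, proto="tcp", dport=0, rules=None):
    """Walk the FORWARD chain first-match; the chain policy is DROP."""
    for rule in rules or iptables_rules():
        target = _match(rule, in_vif, src_mac, out_vif, proto, dport)
        if target:
            return target
    return "DROP"


if __name__ == "__main__":
    for line in iptables_rules():
        print(line)
    # A hacked IIS guest still only reaches SQL on the one port the policy lists,
    # and spoofing the SQL guest's MAC from the IIS vif is dropped at the host.
    print(forward_verdict("vif1.0", "00:16:3e:00:00:01", "vif3.0", "tcp", 1433))
    print(forward_verdict("vif1.0", "00:16:3e:00:00:01", "vif3.0", "tcp", 22))
    print(forward_verdict("vif1.0", "00:16:3e:00:00:03", "vif3.0", "tcp", 1433))
```

The enforcement lives in dom0, outside every guest, which is why owning one VM does not hand over the others: the compromised guest can change its own IP and MAC, but the host matches on the vif the frame physically arrived on and drops anything that does not carry that vif's assigned MAC.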