--- Tracy R Reed <[EMAIL PROTECTED]> wrote:
> Randall Shimizu wrote:
> > It's probably not possible to isolate individual vm
> > instantiations with a hardware based firewall. I am
> > not so sure how feasible it would be with software
> > based firewall. This is one reason why I believe
> > switched crossbar architectures with addressable IP
> > nodes are more secure. A lot of OS's are moving to
> > this with end to end encryption. I have been
> > disappointed that the x86 world has not moved in this
> > direction.
>
> I am not sure if it is proper netiquette to cc different mailing lists
> on a single posting these days since most lists don't accept mail from
> non-subscribers anymore.

Sparc boxes use addressable IPs on their switched crossbar bus. I believe IBM uses IPs as well on their p-series boxes. On Sparc only the IP portion is used.

> Randall, I must admit that half the time I have no clue what you are
> talking about. What exactly would a switched crossbar architecture with
> addressable IPs do? Why is it more secure? What OS's have moved to
> this? Are you sure you are not confusing the memory bus on architectures
> like Sparc's or Alpha's which do use crossbar switching with IP networking?
>
> >> MS Virtual Server allows you to assign unique MAC
> >> addresses to each virtual NIC. It is only by default
> >> that they are the same.
>
> Most any virtualization software can do this. Xen included.
> Also, check this out to learn how firewalling with Xen can work and be
> secure:
>
> http://www.shorewall.net/XenMyWay.html
>
> >> They gave us their rule requests as if they were
> >> separate machines, never mentioning that they were
> >> VMs. Maybe they didn't think it was a big deal.
>
> It really should not be a big deal.
>
> >> placed in different security zones. How the heck do
> >> you enforce that if they are on the same hardware ?!?!?!?!
> >> Basically, if you hack one, you have them all.
> >> I can't stick a FW between the VMs on the same
>
> You can enforce it if you are using good virtualization. Hacking one
> definitely does not mean you have hacked them all. Far from it.
>
> >> OK, but you can't have your Front DMZ (IIS boxes,
> >> external DNS, mail relays, etc) and Back DMZ (SQL
> >> backend) systems on the same hardware. That defeats
> >> the purpose of multiple security zones. If you are
> >> big enough to need to consolidate servers your
>
> Sure you can and not at all.
>
> --
> Tracy R Reed
> http://copilotconsulting.com
> 1-877-MY-COPILOT

--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
