On Sep 20, 2007, at 9:09 PM, Josh wrote:
Hello there.

We have a bunch of obsd firewalls, 8 at the moment, all working nice and so forth. But we need to add about another 4 in there for new connections and networks, which means more machines to find room for.

So basically I have been asked to investigate running all these firewalls in two big boxes, with lots of NICs, with a bunch of OpenBSD virtual machines on them. One main box for the primary firewalls, one for the secondary. Each virtual machine getting its own physical NIC.

Personally I don't really like the idea, I can see things going wrong, lots of stuff balancing on a guest OS and box.

Can someone please inform me if this is a really bad idea or not, ideally with some nice reasoning?
What type of throughput is required between each segment? If you've been around here much, you've probably heard me espouse on the benefits of VLANs. This is certainly more elegant and secure than running a number of virtualized OpenBSD systems on a non-OpenBSD virtual host.

There's nothing wrong with running multiple firewalls where your physical topology dictates it. Virtualizing numerous firewalls in the same chassis just doesn't make sense.
---
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
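To make the VLAN alternative concrete, here is an added example of how one OpenBSD firewall can serve several segments over a single tagged trunk instead of one virtual machine and one physical NIC per segment. It is not from the thread or from either poster; the interface names (em0 as the trunk, em1 as the uplink), the VLAN IDs 10 and 20 and the 10.0.x.0/24 addresses are assumptions chosen for illustration, and the hostname.if syntax is the vlan(4) form of the OpenBSD releases of that era.

```pf
# /etc/hostname.em0  -- the trunk toward the switch carries tagged frames only,
# so the parent interface gets no address of its own (assumed interface name)
up

# /etc/hostname.vlan10  -- DMZ segment, tag 10 on em0 (assumed ID and address)
vlan 10 vlandev em0 inet 10.0.10.1 255.255.255.0

# /etc/hostname.vlan20  -- LAN segment, tag 20 on em0 (assumed ID and address)
vlan 20 vlandev em0 inet 10.0.20.1 255.255.255.0

# /etc/pf.conf fragment -- one ruleset, one policy per segment
ext_if   = "em1"
trunk_if = "em0"
dmz_if   = "vlan10"
lan_if   = "vlan20"

set skip on lo

# Default deny on every interface, logged, so each segment only gets what is
# explicitly allowed below.
block in log all

# Frames that reach the parent interface untagged never belong to a defined
# segment (the switch port should be tagged-only); drop them outright rather
# than letting them fall through to a pass rule on the trunk.
block in quick on $trunk_if

# LAN may reach the web from anywhere and DNS only inside the DMZ.
pass in on $lan_if inet proto tcp from $lan_if:network to any port { 80 443 } keep state
pass in on $lan_if inet proto { tcp udp } from $lan_if:network to $dmz_if:network port 53 keep state

# DMZ hosts get outbound web only; nothing from the DMZ is allowed into the LAN.
pass in on $dmz_if inet proto tcp from $dmz_if:network to any port { 80 443 } keep state

pass out on $ext_if keep state
```

Each segment is still separated by its own interface in pf, so the per-segment rules and logs look exactly as they would with separate boxes, but adding a fourth or fifth segment is a new hostname.vlanN file and a few rules rather than another virtual machine and another NIC. The two remaining operational points are on the switch side: the trunk port must carry only the tagged VLANs the firewall expects, and the native (untagged) VLAN on that port should be one that carries no hosts, which is why the ruleset also refuses anything that arrives on the bare parent interface.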