Dear David,
On Tue, 14 Nov 2000, David Brown wrote:
> I intend to put together a linux server for our company in the near future.
> It should support web servering, a database, email, internet proxy, and
> various other services. I also want it to run as the firewall for access to
> our broadband internet link (when we get it), but I have heard several
> people say that the firewall should be a separate machine. Would it be
> feasible to use a plex86 virtual machine as a firewall and router? I gather
> from the website that plex86 is at least able to boot linux properly - could
> it then be used to isolate the firewall "machine" from the rest of the Linux
> box?
I think this would be a very bad idea. The main reasons for making the
firewall a separate machine are:
1) Security. The firewall should absolutely not be compromisable. The
whole point of a firewall is to protect your vulnerable machines behind
it. If the firewall runs in a VM of any kind, then the host machine is
also on the Internet, and unprotected. Compromise of this machine would
allow the firewall to be bypassed completely (killall plex86).
2) Stability. Because your entire network uses the firewall for its
traffic, the firewall becomes a single point of failure, both for outgoing
connections (web access, e-mail etc.) and for incoming connections
(proxying for your web servers, FTP servers, mail server, etc.). If the
firewall is running on a desktop user's machine, a machine running an
under-development kernel module (plex86), inside an under-development VM,
then it is not just likely to crash, it's almost guaranteed. Also, you
have to kill the VM (and hence the firewall) anytime you want to upgrade
plex86.
So I don't think it's a good idea to run your firewall, or any other
business-critical system, inside a VM of any kind, especially not yet
Plex86. No offence to Kevin & the other developers - plex86 is a brilliant
project, and the same problems apply to using any VM for your firewall
(including user-mode Linux).
Hope this helps,
Ciao, Chris.
___ __ _
/ __// / ,__(_)_ | Chris Wilson <[EMAIL PROTECTED]> | Phone: 01223 503 190 |
/ (_ / ,\/ _/ /_ \ | Tech Director - Caliday Project | RITC (Cambridge) Ltd |
\ _//_/_/_//_/___/ | Unix Systems & Network Engineer | Cambridge CB5 8LA UK |