[RndTbl] UNS: Re: firewall/router in a VM

Tim Lavoie tim at fractaldragon.net
Fri Feb 19 19:47:35 CST 2010 

Adam Thompson <athompso at athompso.net> wrote:

> [snip]
> 
> Personally, I trust VM programmers to get patches out quickly, and I
> trust the paranoiacs to blatt about news of any new compromise, enough
> to be willing to do the sort of thing you're talking about.
> 
> (Having said that, although I'm *willing* to, I will note that I
> *don't* do so in real life.)
> 
> The one aspect to it, though, is that compromise of the hypervisor
> essentially means instant, complete, utter, irreversible compromise of
> *all* the VMs (including non-running disk images!) that server has
> direct access to.  That is a little bit worrisome.

I think the salient point here is that you can do these things, if
you're willing to do them in an intelligent fashion. So, you monitor the
host like you would monitor the guest you care most about, and avoid
exposing the host unnecessarily. Also, keep that "everything exposed if
any one piece is" idea in mind when deciding what may work well together
on one physical host.

On that *other* topic, compliance issues concerned with things like PCI
at least help drive home the need for some wide-ranging security efforts
to the business folks, because it is tied to how they make their
money. Anyone believing that compliance will eliminate the possibility
of a breach should be corrected ASAP, but making an effort means that
the business is more likely to know they got owned, and understand that
they need to do something about it. In the interest of disclosure, I
should mention that I am a QSA.... probably a pain in the ass for those
needing help, but hopefully neither clueless nor evil. Well, the lesser
evil anyway. Nobody likes being told they can't do something. <grin>

  Cheers,
  Tim

-- 
Believe it or not, there is a reason Lisp code looks so strange. Lisp
doesn't look this way because it was designed by a bunch of
pointy-headed academics. It was designed by pointy-headed academics,
but they had hard-headed engineering reasons for making the syntax
look so strange.  - Paul Graham

More information about the Roundtable mailing list