Need Advice on Routers
Dale Farnsworth
dale at farnsworth.org
Tue Apr 28 09:07:57 MST 2009
Eric Shubert wrote:
> Alex Dean wrote:
> >
> > On Apr 27, 2009, at 1:24 PM, Eric Shubert wrote:
> >
> >> Mark,
> >>
> >> I have a couple old e-machines that I made into IPCop firewall/routers,
> >> and have been decommissioned for a while (they were virtualized).
> >
> > Do you mean you virtualized your firewall?
>
> Yep.
>
> > Doesn't that create a risk
> > that other VMs on the same hardware host might be exposed to nasty stuff
> > which arrives at the firewall?
>
> I don't think so. The VM host isn't addressable/accessible on the
> outside/red interface. The only thing that 'sees' outside traffic is the
> IPCop VM.
>
> I could be wrong, but it appears safe enough to me.
It is only as safe as VMware is secure. If code can break out of a
VM and begin running on the host, all bets are off.
As Ken Thompson pointed out in "Reflections on Trusting Truse", you
already have to trust everyone who developed the hardware, firmware
and software you are running. Running in a virtual machine instead
of on bare hardware means you have to also trust the developers of
the VM host (hypervisor) software.
I'm not saying that it isn't worth it; I use VMs every day.
-Dale
More information about the PLUG-discuss
mailing list