[Gllug] Security from scratch or just stick with Astaro?

Nix nix at esperi.org.uk
Fri Apr 11 06:58:54 UTC 2008


On 8 Apr 2008, John Edwards uttered the following:
> Think about what happens to the packets. They arrive at the host
> system and are processed by its TCP/IP stack. This has to pass it
> onto the VM system's virtual network interface, and then onto the
> guest OS (eg Linux running IPCop or Astaro).
>
> So you are still open to attacks on the host's TCP/IP stack and the
> VM system, in addition to the guest OS.

... and if they're running the same kernel version, that doesn't
increase your vulnerability surface much (the only increase I can see is
that any vulnerabilities in the guest tun driver could be exploited.
You're not going to be able to avoid running a driver for your physical
network card and TCP/IP stack *somewhere*.)

> And that assumes that the host is running no other services or guest
> VMs. Are you going to be running SSH to manage the host OS? If so that
> could be attacked.

Not if you firewall it off and have it listening only on an interface
bridged to your local net (as opposed to bridging to the outside world).
You can have more than one network interface, y'know :)

> A perimeter firewall is part of your network infrastructure and needs
> to be presented to incoming packets before they arrive at your
> network.

That's physically impossible, of course. Your perimeter firewall is
*part* of your network. Obviously services that you don't want exposed
past the firewall shouldn't be, well, exposed past the firewall...

> If the host system is already running other VMs or services and can
> not be a dedicated firewall, then I have a couple of spare old PCs
> that have run IPCop perfectly in the past that you are welcome to.

Oh yeah. More power consumption and noise. Just what I for one need.

-- 
`The rest is a tale of post and counter-post.' --- Ian Rawlings
                                                   describes USENET
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
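An added example, not code from this thread or from either poster, of the arrangement Nix describes: the host's management SSH bound only to the interface bridged to the local net, with the outside-facing interface offering nothing to the host itself. Interface names and the LAN address are assumed placeholders.

```shell
#!/bin/sh
# Added example: host-side SSH reachable only via the LAN-facing bridge.
# Assumed names (adjust for your host): br-lan, eth0, 192.168.1.1.
LAN_IF="${LAN_IF:-br-lan}"            # bridge facing the local network (assumed)
WAN_IF="${WAN_IF:-eth0}"              # interface facing the outside world (assumed)
LAN_ADDR="${LAN_ADDR:-192.168.1.1}"   # host's address on the LAN bridge (assumed)

# Emit an nftables ruleset for the host's own input path. Printed rather than
# loaded so it can be reviewed; load with: ssh_mgmt_ruleset | nft -f -
ssh_mgmt_ruleset() {
  cat <<EOF
table inet mgmt {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    # management SSH only from the LAN-facing bridge
    iifname "$LAN_IF" tcp dport 22 accept
    # packets from the outside interface addressed to the host are dropped
    iifname "$WAN_IF" drop
  }
}
EOF
}

# sshd_config fragment: bind sshd to the LAN-side address only, so the
# daemon never listens on the outside interface even if a rule slips.
sshd_listen_fragment() {
  printf 'ListenAddress %s\n' "$LAN_ADDR"
}

# Sanity check on a ruleset text: SSH accepted on the LAN bridge and
# never accepted on the outside interface.
ruleset_binds_ssh_to_lan() {
  printf '%s\n' "$1" | grep -q "iifname \"$LAN_IF\" tcp dport 22 accept" &&
  ! printf '%s\n' "$1" | grep -q "iifname \"$WAN_IF\" tcp dport 22 accept"
}
```

The guest firewall VM still sees the outside interface through the bridge; these rules only cover what the host itself answers.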



