At 12:03 PM 10/24/2007 -0600, Theo de Raadt wrote:
> Anything we can do to increase security, *including* setting up VMs (of any
> flavor) is an improvement [that also increased hardware utilization].
This last sentence is such a lie.
That depends on your viewpoint. There certainly may be some issues at the
OS level (which have been mentioned previously), however the majority of VM
applications benefit from security *isolation*, which has nothing to do
with security issues of the underlying OS, and that was the viewpoint I was
communicating.
For example, say you have three departments within a company: Marketing,
Development, Production. Allowing each department to maintain their own
server instance allows each department to have their own users, home
directory configuration, samba (possibly) network config & authorization,
separate file/print sharing domain, etc.
That is simply not doable with a single OS, yet with reasonably priced
h/w all can be maintained on one platform.
The security benefits are at the application level, *NOT* at the OS level.
If people were saying:
"Yes, it increased hardware utilization, and the nasty
security impact might be low"
it would be fine.
But instead we have many uneducated people saying:
"Yes, it increased hardware utilization, and it improved security
too".
And that's complete and utter bullshit.
Perhaps more correctly:
"Yes, it increased hardware utilization, and it improves
security/isolation between different work domains"
However few outside this community would have any comprehension of the
difference.
Lee