On Wed, 24 Oct 2007, Theo de Raadt wrote:

> > At 12:03 PM 10/24/2007 -0600, Theo de Raadt wrote:
> >
> > > > Anything we can do to increase security, *including* setting up VMs (of
> > > > any flavor) is an improvement [that also increased hardware utilization].
> > >
> > >This last sentence is such a lie.
> >
> > That depends on your viewpoint. There certainly may be some issues at the
> > OS level (which have been mentioned previously), however the majority of VM
> > applications benefit from security *isolation*, which has nothing to do
> > with security issues of the underlying OS, and that was the viewpoint I was
> > communicating.
>
> The ends justify the means, even if the means don't actually perform as
> you declare?
>
Huh? What does circular logic have to do with a simple statement? Running
different application domains on separate VMs provides isolation BETWEEN
those application domains. That's security by anyone's definition.

The fact that the OS level security is *separate*, and could be an
issue, has nothing to do with the point I'm making.

What if the client OS were Windoze? The security of that OS is crap, and
we all know it. Any sane sysadmin will have a good firewall in front of
that machine, whether it's running in a VM or on separate hardware.

What if the client OS were Linux with AppArmor? SE Linux is a BIG
improvement over regular Linux, and WAY more secure than ANY product from
Redmond.

Certainly there is a small, compound risk increase due to multiple OS
images being involved, but the OS images must be analyzed independently FIRST,
and THOSE risks addressed.

**IF** OBSD were available as a host OS, that would be good security. If
not, then security issues compound due to multiple guest OSs and each set
of inherent vulnerabilities.

No matter how you twist the logic, however, a VM provides a good level of
application domain security, from the standpoint that each set of domain
users and applications can only see the services provided within that
domain guest OS.


        Lee

================================================
  Leland V. Lammert            [EMAIL PROTECTED]
    Chief Scientist     Omnitec Corporation
 Network/Internet Consultants   www.omnitec.net
================================================