On 2010-11-23, at 6:38 AM, carlopmart wrote:
> Hi all,
>
> First of all, I don't want to start a flame. I would like to know your opinion about using virtual firewalls (like OpenBSD) in virtual infrastructures like VMware, KVM, Xen, etc.
>
> The advantages are very clear to me: provisioning, administration tasks, etc. But I would like to know the disadvantages. What is your opinion from the point of view of security?
>
> Thanks.
> --
> CL Martinez
> carlopmart {at} gmail {d0t} com
I am not a fan of using VMs for firewall infrastructure, even though I like VMs for software development/testing/staging purposes.

1) With regards to provisioning, there are lots of complexities you end up dealing with if you are in a highly available network. I could not find simple solutions for obvious issues -- especially solutions that could be delegated in an idiot-proof manner. In addition, when firewalls, proxies and load balancers are on real boxes, it is easier to see where network cables are coming from and which switches and patch panels they are going to. When hosted on VMs, stuff does happen :)

2) Administration tasks work OK when the VM is running properly and all components are "certified". But it was very difficult to get practical advice from vendors when I had issues running OpenBSD.

I feel it is more secure to run OpenBSD on real hardware than as a VM guest, because with real hardware you only need to restrict physical access and OpenBSD can take care of the rest. With virtualization, you end up having to learn a lot more about the VM environment, and that knowledge seems to be very fleeting. Installing OpenBSD firewalls on top of that "moving" structure may still protect you, but to me it makes everything needlessly complicated.

Vijay Sankar
vsan...@foretell.ca