> Possibly, yes. Here's why. You're not attacking an OpenBSD host.
>
> The hypervisor has a network stack that is engaged before any guest.
> How else can you set up virtual switches, "attach interfaces", etc.?
> Assuming that stack is vulnerable in some fashion, you have the
> opportunity to attack the guests from an entirely new angle. Moreover,
> if your hypervisor is now compromised, why try to fight your way through
> the network interface of the virtual firewall when you can attack the
> firewall or other guests directly? Further, why even attack the guests
> through their respective virtual network interfaces when you can poison
> their virtual CPUs or other "hardware" devices?
>
> IMO, this is akin to the blob problem for hardware, but on a larger
> scale. Your guests, OpenBSD or otherwise, are entirely dependent on
> another layer of software. In this case ESXi, which is not infallible.
>
> Does that explain it better?
>
> jim@
I'd certainly run native wherever 'fee'sable. However, if it's a choice between a stripped-down Linux KVM kernel running OpenBSD and a full-blown Linux kernel server, I'd choose OpenBSD whilst worrying about other guests and the host's drivers etc. For firewalling, if it's protecting other non-virtual hosts and/or has uncontrolled guests, then you may be adding risk to them.