
Re: Purpose of a hypervisor (was Re: rock solid)

On Tue, Jul 03, 2007 at 10:00:35PM -0400, Douglas Allan Tutty wrote:
> On Tue, Jul 03, 2007 at 06:22:46PM -0500, Ron Johnson wrote:
> > On 07/03/07 13:25, Andrew Sackville-West wrote:
> >
> > >Dom0: local file server (video, music, local backups)
> > >
> > >     DomU1: firewall
> > 
> > I understand the need for a small, "separate" firewall.
> > 
> Does this really give any more security than running the firewall as a
> regular part of the main box?  Is it as secure as a separate old
> computer?  These three (plus I suppose a commercial hardware firewall)
> seem to be the choices.  How do they compare for security?

I don't really know, but the following things occur to me:

1. It's separate and distinct, serves only one purpose, and thus is
less likely to have vulnerabilities. A separate firewall machine has
so few packages installed that it is more secure just because it has
fewer possible vulnerabilities.

2. The separate machine, if it falls to some attack, is a separate
machine. That means there is one more step to be taken to get to some
damaging location. Granted, once you're past the firewall, it's a
pretty simple step. This assumes that it's the firewall that gets
cracked and not some other machine behind the firewall that gets

I don't think there is anything wrong with a debian machine on the net
with its local firewall as the only thing protecting it. But I think
if you want anything more sophisticated, some sort of separate device
is the way to go. 

