[BBLISA] Advice on a firewall Virtual Appliance
Edward Ned Harvey (bblisa4)
bblisa4 at nedharvey.com
Fri May 31 17:30:41 EDT 2013
> From: Matt Finnigan [mailto:mfinnigan at gmail.com]
>
> That's not a very compelling argument. I've been at firms that deployed
> VM-based security devices and passed audits.
Well, like I said, I do it myself too. But from a security standpoint, if you had the option of running a firewall on dedicated hardware as opposed to a VM, the hypervisor and other guests on the same hardware can only introduce possible attack vectors, not reduce them.
I know I've certainly seen situations where memory of one VM crept into another VM, and stuff like that. So there *are* bugs that are potentially exploitable. Plus, no sane person could make a blanket statement that hypervisors are bug-free and un-exploitable. But if you're comfortable with the stability of any other VM running on that hypervisor, there's a good chance you'll also be comfortable with running the firewall in there. I know, for most cases, I am comfortable with that.