Terry wrote:
> Hello all,
>
> I am throwing around the idea of using linux firewalls in vmware for
> customer environments. The customers may or may not have
> HIPAA/PCI/sOX/etc requirements. This is in the planning stages. Any
> of you have experience heading down this route? PCIDSS doesn't
> explicitly state problems with virtual firewalls, it seems to focus on
> the logic of the rules.
>
> Thanks!
>
I'm pretty sure that none of the aforementioned requirements explicitly
denies running your firewalls in virtualization. However, unless the
purpose of the firewall is strictly to manage the traffic in and out of
virtual servers on the same host the firewall is on, I would strongly
advocate not virtualizing your firewall.

Virtualization has obvious wonderful performance and cost benefits, but
placing your security devices into it has the potential to greatly
increase their exposure. There was an excellent presentation done at
last years SANSFire which demonstrated multiple ways to jump from a
virtual guest to the host...and therefore have the ability to do
anything you want to any guest on that system.

So unless this is for a lab environment, spend a few extra bucks and buy
hardware for your firewalls. You'll be glad you did.

[ reply ]