I may be old fashioned, but for me (and the environment I admin) firewalls need to be dedicated systems, running on dedicated hardware with discreet physical network interfaces. While I'm all for virtualization of application servers, in a security role I can't support the concept of a security device sharing it's hardware with any other applications in a production environment, as the benefits (space, power, hvac, cost savings, etc) are outweighed by the additional possible attack vectors that would be introduced by the host system and neighboring VM's. Also, while I am not aware of any specific reference to this in the various regulatory requirements, one of the questions asked of me in a recent HIPAA audit was something to the effect of "do any of your network perimeter devices serve any purpose other than that of security and access control?"

Just my opinion though :-)

Cheers!

Ron

>>> Terry <td3201 (at) gmail (dot) com [email concealed]> 5/8/2008 3:37 PM >>>
Hello all,

I am throwing around the idea of using linux firewalls in vmware for
customer environments. The customers may or may not have
HIPAA/PCI/sOX/etc requirements. This is in the planning stages. Any
of you have experience heading down this route? PCIDSS doesn't
explicitly state problems with virtual firewalls, it seems to focus on
the logic of the rules.

Thanks!

CONFIDENTIALITY NOTICE: This email message, including any attachments, is for the use of the intended recipient(s) only and may contain information that is privileged, confidential, and prohibited from unauthorized disclosure under applicable law. If you are not the intended recipient of this message, any dissemination, distribution, or copying of this message is strictly prohibited. If you received this message in error, please notify the sender by reply email and destroy all copies of the original message and attachments.

[ reply ]