I have done this - where the various firewall interfaces are bridged to
real, isolated nics, and to virtual internal networks that connect to VMs
with specific services.
The mistake is to think of VMware as an additional security measure. It can
be configured in a way to enforce a security architecture or policy - but is
not itself a mitigating factor.
It is a good way to partition a server for multiple Internet workloads -
SMTP Smarthost on one VM, SSL Webserver on another, WebMail server on a
third, and the firewall on a fourth. No one connects to the Internet except
through the firewall. No VM connects to another except through vnets that
the firewall enforces policy on.
At the cost of a couple of NICs, you can assign a specific DMZ to each of
these hosts - not a bad strategy, if clearly planned.
As a technology I view its use similarly to chrooted environments.
Policy-based isolation - but extending to the network, not just the
filesystem.
-- Jeremiah
--------------------------------------------------
From: "Terry" <td3201 (at) gmail (dot) com [email concealed]>
Sent: Thursday, May 08, 2008 12:37 PM
To: <firewalls (at) securityfocus (dot) com [email concealed]>
Subject: virtual firewalls -- compliance
> Hello all,
>
> I am throwing around the idea of using linux firewalls in vmware for
> customer environments. The customers may or may not have
> HIPAA/PCI/sOX/etc requirements. This is in the planning stages. Any
> of you have experience heading down this route? PCIDSS doesn't
> explicitly state problems with virtual firewalls, it seems to focus on
> the logic of the rules.
>
> Thanks!
>
real, isolated nics, and to virtual internal networks that connect to VMs
with specific services.
The mistake is to think of VMware as an additional security measure. It can
be configured in a way to enforce a security architecture or policy - but is
not itself a mitigating factor.
It is a good way to partition a server for multiple Internet workloads -
SMTP Smarthost on one VM, SSL Webserver on another, WebMail server on a
third, and the firewall on a fourth. No one connects to the Internet except
through the firewall. No VM connects to another except through vnets that
the firewall enforces policy on.
At the cost of a couple of NICs, you can assign a specific DMZ to each of
these hosts - not a bad strategy, if clearly planned.
As a technology I view its use similarly to chrooted environments.
Policy-based isolation - but extending to the network, not just the
filesystem.
-- Jeremiah
--------------------------------------------------
From: "Terry" <td3201 (at) gmail (dot) com [email concealed]>
Sent: Thursday, May 08, 2008 12:37 PM
To: <firewalls (at) securityfocus (dot) com [email concealed]>
Subject: virtual firewalls -- compliance
> Hello all,
>
> I am throwing around the idea of using linux firewalls in vmware for
> customer environments. The customers may or may not have
> HIPAA/PCI/sOX/etc requirements. This is in the planning stages. Any
> of you have experience heading down this route? PCIDSS doesn't
> explicitly state problems with virtual firewalls, it seems to focus on
> the logic of the rules.
>
> Thanks!
>
[ reply ]