-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Blaster wrote:
| Darren Reed wrote:
|> FWIW, this version is zone-friendly for Solaris/OpenSolaris,
|> unlike 4.1.* is.
|>
|> |
|
|
| I have several installations where I have done a two-level firewall arrangement using Ipfilter, where an external-facing host runs a web server/FTP/mail/NAT, etc., connected via crossover to another host running Ipfilter that functions as the internal mail/DNS/Web/NFS/CIFS server, etc.
|
| With the cost of computing power going down, and electricity going up, it would be nice to put these two layers of security on to one system.
|
| My original thought was to run the external host in an xVM environment. I would think this would provide the most separation possible on a single box. But I am also wondering if a zone would provide the same isolation? This would save the overhead of running xVM and maintaining two separate copies of an OS (which of course has advantages as well).
|
| So, how do others feel about the isolation of zones in OpenSolaris? Are they strong enough? If I were to dedicate an interface to a zone to communicate with the big Internet, could I use Ipfilter to firewall that, then use Ipfilter again to isolate between a local and a global zone?

Yes, you can do that with OpenSolaris - or Solaris Express (SXCE) [if it installs for you...]

You can't do this with Solaris 10.

What you need to do, in this case, is create an etherstub and "attach" a vnic from your internet zone to it and a vnic from your global zone to it. Your internet zone then becomes your router and the etherstub acts as a virtual switch.

The benefit, w.r.t. Xen, is that there's no virtualised I/O, not even paravirtualised.

It's not just the security of the system that you need to weigh up, but also your DR solution (if appropriate): if your firewall crashes, so does everything else, and vice versa.

Darren
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkptWZ4ACgkQP7JIXtvLbFVSowCfQ1ct76k8GM5QfHF8qAkaYJ4a
0HIAniykGOpKOeSr9OZ9hEzK15RCo+NI
=hGMe
-----END PGP SIGNATURE-----
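The etherstub/vnic layout Darren describes, written out as a script. This is an added example, not code from the thread or from OpenSolaris itself; the interface names (e1000g0, inet_stub0, gz_inet0, fw_inet0), the zone name (inetzone) and the 192.168.100.0/24 addresses are assumptions for illustration, and the ipf/ipnat rules are a constructed starting point, not a complete policy. By default it only prints what it would do; run it as root with RUN= (empty) on an OpenSolaris/SXCE box with Crossbow to apply the dladm and zonecfg steps, then install the printed rule files by hand.

```shell
#!/bin/sh
# Constructed example: one box, an Internet-facing firewall zone and a
# global zone, joined by an etherstub acting as a virtual switch.
# All names and addresses below are assumptions for illustration.
# RUN=echo (default) prints the plan; RUN= applies it (needs root).
set -u

RUN=${RUN-echo}
PHYS=${PHYS:-e1000g0}          # NIC handed exclusively to the firewall zone
STUB=${STUB:-inet_stub0}       # etherstub = virtual switch between the two
GZ_VNIC=${GZ_VNIC:-gz_inet0}   # global zone's leg onto the switch
FW_VNIC=${FW_VNIC:-fw_inet0}   # firewall zone's leg onto the switch
ZONE=${ZONE:-inetzone}
GZ_IP=${GZ_IP:-192.168.100.1}
FW_IP=${FW_IP:-192.168.100.254}
LAN=${LAN:-192.168.100.0/24}

# 1. Virtual switch plus one VNIC per side.
create_vswitch() {
  $RUN dladm create-etherstub "$STUB"
  $RUN dladm create-vnic -l "$STUB" "$GZ_VNIC"
  $RUN dladm create-vnic -l "$STUB" "$FW_VNIC"
}

# 2. The firewall zone gets its own IP stack (ip-type=exclusive, which it
#    needs to run ipf itself), the physical NIC and its VNIC leg.
#    The global zone plumbs only its VNIC, so nothing in it touches $PHYS.
configure_zone() {
  $RUN zonecfg -z "$ZONE" \
    "set ip-type=exclusive; add net; set physical=$PHYS; end; add net; set physical=$FW_VNIC; end"
  $RUN ifconfig "$GZ_VNIC" plumb "$GZ_IP/24" up
}

# 3. ipf rules for the firewall zone: $PHYS is the only Internet interface.
#    Non-quick blocks come first, quick passes override them (ipf is last-match).
firewall_zone_rules() {
  cat <<EOF
# /etc/ipf/ipf.conf inside $ZONE (constructed example)
block in quick on $PHYS all with short
block in log on $PHYS all
pass out quick on $PHYS proto tcp from any to any flags S keep state
pass out quick on $PHYS proto udp from any to any keep state
pass out quick on $PHYS proto icmp from any to any keep state
# public services offered by this zone
pass in quick on $PHYS proto tcp from any to any port = 25 flags S keep state
pass in quick on $PHYS proto tcp from any to any port = 80 flags S keep state
# internal leg: only the global zone is allowed in, and it gets NATed out
block in log on $FW_VNIC all
pass in quick on $FW_VNIC from $GZ_IP to any keep state
EOF
}

firewall_zone_nat() {
  cat <<EOF
# /etc/ipf/ipnat.conf inside $ZONE: NAT the internal leg out of the physical NIC
map $PHYS $LAN -> 0/32 portmap tcp/udp auto
map $PHYS $LAN -> 0/32
EOF
}

# 4. ipf rules for the global zone: the firewall zone is treated as untrusted,
#    not as a peer. This is the "second Ipfilter" of the two-level design.
global_zone_rules() {
  cat <<EOF
# /etc/ipf/ipf.conf in the global zone (constructed example)
block in log on $GZ_VNIC all
block out log on $GZ_VNIC all
# what the global zone may open outwards, through the firewall zone's NAT
pass out quick on $GZ_VNIC proto tcp from $GZ_IP to any flags S keep state
pass out quick on $GZ_VNIC proto udp from $GZ_IP to any port = 53 keep state
# what the firewall zone may open towards the global zone: inbound mail relay only
pass in quick on $GZ_VNIC proto tcp from $FW_IP to $GZ_IP port = 25 flags S keep state
EOF
}

plan() {
  create_vswitch
  configure_zone
  echo "--- $ZONE ipf.conf ---";        firewall_zone_rules
  echo "--- $ZONE ipnat.conf ---";      firewall_zone_nat
  echo "--- global zone ipf.conf ---";  global_zone_rules
}

case "${1:-plan}" in
  plan) plan ;;
esac
```

The physical NIC must not be plumbed in the global zone once it is assigned to the zone; if it was, unplumb it first, otherwise the global zone still has a leg on the Internet that bypasses the firewall zone. As Darren notes, the trade for dropping the second box is that a crash of the firewall zone's host takes the internal services with it.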
