Josh wrote:
> Hello there.
>
> We have a bunch of obsd firewalls, 8 at the moment, all working nice and so forth. But we need to add about another 4 in there for new connections and networks, which means more machines to find room for.
>
> So basically I have been asked to investigate running all these firewalls in two big boxes, with lots of NICs, with a bunch of openbsd virtual machines on them. One main box for the primary firewalls, one for the secondary. Each virtual machine getting its own physical NIC.
>
> Personally I don't really like the idea, I can see things going wrong, lots of stuff balancing on a guest OS and box.
>
> Can someone please inform me if this is a really bad idea or not, ideally with some nice reasoning?
>
> Cheers,
> Josh
Read this: http://advosys.ca/viewpoints/2007/04/fuzzing-virtual-machines/

Read the paper linked there as well. Always good to go back to original source material.

Anyone who told you VM technology and security had anything to do with each other was full of doo-doo. After reading that, I'd not want to put any "externally exposed" apps on a VM system. Granted, OpenBSD might not be the best entry point for a VM attack, but the foundation VM design is based on isn't as solid as people think.

Nick.