Douglas A. Tutty wrote:
...
> Hi Nick.
>
> I understand your reasons. To me they look like reasons for separate
> firewalls on separate boxes. In the scenarios you mention, would you
> put separate firewalls on one machine?

That's where you are supposed to 1) recognize that my mysteriously mangled e-mail address is me and 2) read back to my previous statement where I stated that I don't feel VM technology is suitable for externally exposed apps or security critical apps and 3) catch the implied sarcastic sneer in "If one believed in the idea of 'a perfect VM environment'".

Yes, very separate is what I was recommending: no VM, keep them as separate as possible. When appropriate, of course.

VMware and related technologies look cool, but it's an extra layer of complexity and security vulnerabilities. It is also a technology where the track record is "Coolness first, security when they catch us with our pants down". It is also something that is rarely done properly (for my definition of "properly"), but that's a different discussion for a different list.

Nick.