On 21/09/2007, at 11:09 AM, Josh wrote:
Hello there.
We have a bunch of obsd firewalls, 8 at the moment, all working
nice and so forth. But we
need to add about another 4 in there for new connections and
networks, which means more
machines to find room for.
So basically I have been asked
Can someone please inform me if this is a really bad idea or not,
ideally with some nice reasoning?
Hi Josh,
VM is great and I use it a lot for test and development. It's a
marvellous tool. I also think it's very good to make virtual
web/ftp/whatever servers, it eases maintenance and adds a
* Luca Corti [EMAIL PROTECTED] [2007-09-21 18:34]:
On Fri, 2007-09-21 at 10:52 -0400, Douglas A. Tutty wrote:
I don't understand the logic of having multiple firewalls on one box.
If one box can handle the throughput requirements of all the NICs, why
not just one big firewall?
Douglas A. Tutty wrote:
...
Hi Nick.
I understand your reasons. To me they look like reasons for separate
firewalls on separate boxes. In the scenarios you mention, would you
put separate firewalls on one machine?
That's where you are supposed to 1) recognize that my mysteriously
On Sat, Sep 22, 2007 at 10:53:05AM -0400, Nick Holland wrote:
Douglas A. Tutty wrote:
...
Hi Nick.
I understand your reasons. To me they look like reasons for separate
firewalls on separate boxes. In the scenarios you mention, would you
put separate firewalls on one machine?
On 22.09-02:06, Luca Corti wrote:
[ ... ]
We are talking about OpenBSD here, and support for VRF is not there.
That may change faster than you expect
This is great news. If the implementation will allow to assign
interfaces to different VRFs it would solve the virtual router/firewall
On Sat, 2007-09-22 at 22:50 +, [EMAIL PROTECTED] wrote:
i have a feeling that the funds currently available for your virtualisation
project would improve the quality and delivery of these requirements.
If I had such project and funds I'd certainly contribute. In the
meantime I have assigned
On 9/20/07, Nick Holland [EMAIL PROTECTED] wrote:
Read this:
http://advosys.ca/viewpoints/2007/04/fuzzing-virtual-machines/
Read the paper linked there as well. Always good to go back to original
source material.
Anyone who told you VM technology and security had anything to do with
each
Check out the HP c-Class BladeSystems offerings. It is sad that HP is
marketing it with virtualization via Vmware. Just disregard the vmware
affair.
On 9/21/07, Josh [EMAIL PROTECTED] wrote:
Hello there.
We have a bunch of obsd firewalls, 8 at the moment, all working nice and
so forth. But we
On 9/20/07, Nick Holland [EMAIL PROTECTED] wrote:
Can someone please inform me if this is a really bad idea or not,
ideally with some nice reasoning?
Cheers,
Josh
Read this:
http://advosys.ca/viewpoints/2007/04/fuzzing-virtual-machines/
Read the paper linked there as well.
Darren Spruell wrote:
On 9/20/07, Nick Holland [EMAIL PROTECTED] wrote:
Can someone please inform me if this is a really bad idea or not,
ideally with some nice reasoning?
Anyone who told you VM technology and security had anything to do with
each other was full of doo-doo.
I'll echo
Some commercial firewalls (i.e. Juniper/NetScreen ScreenOS-based gear)
have been offering virtual-systems for years now. I think the negative
comments received here may be appropriate when sharing the system with
non-secure guest OSs, but it seems that it might be alright if it's
nothing but
It sounds to me like the comments here are largely appropriate,
virtualizing firewalls in the limited context that has been explained
probably isn't a real good idea...at least due to perceived load.
Additionally, if there are that many firewalls being run, instead of
numerous interfaces in
On 9/21/07, Kent Watsen [EMAIL PROTECTED] wrote:
Some commercial firewalls (i.e. Juniper/NetScreen ScreenOS-based gear)
have been offering virtual-systems for years now. I think the negative
comments received here may be appropriate when sharing the system with
non-secure guest OSs, but it
On 9/21/07, Scott Wells [EMAIL PROTECTED] wrote:
However, I don't fully agree with the sentiment that running a firewall
in a virtual machine (let's be specific, VMWare ESX) guest environment.
I'm running my firewall on an ESX 3.0.2 guest, and it works perfectly
fine. That being said, you have
Josh wrote:
Hello there.
We have a bunch of obsd firewalls, 8 at the moment, all working nice
and so forth. But we
need to add about another 4 in there for new connections and
networks, which means more
machines to find room for.
So basically I have been asked to investigate running
Darren Spruell wrote:
At least in a traditional non-virtualized firewall model, the attacker
would have to pull out real exploits and attack real (secured)
services to compromise the firewall, and it wouldn't fall at the same
time as the other hosts.
Yes, these kinds of flaws have (so far)
On Fri, 2007-09-21 at 10:52 -0400, Douglas A. Tutty wrote:
I don't understand the logic of having multiple firewalls on one box.
If one box can handle the throughput requirements of all the NICs, why
not just one big firewall?
Overlapping IP address space.
ciao
Luca
That's why god created competent network admins and NAT.
On 9/21/07, Luca Corti [EMAIL PROTECTED] wrote:
On Fri, 2007-09-21 at 10:52 -0400, Douglas A. Tutty wrote:
I don't understand the logic of having multiple firewalls on one box.
If one box can handle the throughput requirements of
On 2007/09/21 14:29, bofh wrote:
That's why god created competent network admins and NAT.
And VRF.
On 9/21/07, Darren Spruell [EMAIL PROTECTED] wrote:
Here's an entirely realistic scenario at this point:
- Administrator pays loads of money for VMware ESX; for better ROI, he
intends to replace several systems on the network with one big system
running a number of VMs. Maybe there is a full
On Fri, 2007-09-21 at 20:51 +0100, Stuart Henderson wrote:
On 2007/09/21 14:29, bofh wrote:
That's why god created competent network admins and NAT.
And VRF.
We are talking about OpenBSD here, and support for VRF is not there.
ciao
Luca
On Fri, 2007-09-21 at 14:29 -0500, bofh wrote:
That's why god created competent network admins and NAT.
You are not always in control of all things. Powerful technology is
about choice, not about one absolute right way. BTW, NAT sucks.
ciao
Luca
On Fri, Sep 21, 2007 at 11:16:37PM +0200, Luca Corti wrote:
On Fri, 2007-09-21 at 20:51 +0100, Stuart Henderson wrote:
On 2007/09/21 14:29, bofh wrote:
That's why god created competent network admins and NAT.
And VRF.
We are talking about OpenBSD here, and support for VRF is not there.
On 9/21/07, Claudio Jeker [EMAIL PROTECTED] wrote:
On Fri, Sep 21, 2007 at 11:16:37PM +0200, Luca Corti wrote:
On Fri, 2007-09-21 at 20:51 +0100, Stuart Henderson wrote:
On 2007/09/21 14:29, bofh wrote:
That's why god created competent network admins and NAT.
And VRF.
We are
On 9/20/07, Josh [EMAIL PROTECTED] wrote:
Hello there.
We have a bunch of obsd firewalls, 8 at the moment, all working nice and
so forth. But we
need to add about another 4 in there for new connections and networks,
which means more
machines to find room for.
So basically I have been
On Sat, 2007-09-22 at 00:34 +0200, Claudio Jeker wrote:
We are talking about OpenBSD here, and support for VRF is not there.
That may change faster than you expect
This is great news. If the implementation will allow to assign
interfaces to different VRFs it would solve the virtual
Douglas A. Tutty wrote:
...
I don't understand the logic of having multiple firewalls on one box.
If one box can handle the throughput requirements of all the NICs, why
not just one big firewall?
There are lots of places where multiple firewalls are better than a
single firewall. If one
On Fri, Sep 21, 2007 at 11:12:10PM -0400, [EMAIL PROTECTED] wrote:
Douglas A. Tutty wrote:
...
I don't understand the logic of having multiple firewalls on one box.
If one box can handle the throughput requirements of all the NICs, why
not just one big firewall?
There are lots of places
Hello there.
We have a bunch of obsd firewalls, 8 at the moment, all working nice and
so forth. But we
need to add about another 4 in there for new connections and networks,
which means more
machines to find room for.
So basically I have been asked to investigate running all these
firewalls
On Sep 20, 2007, at 9:09 PM, Josh wrote:
Hello there.
We have a bunch of obsd firewalls, 8 at the moment, all working
nice and so forth. But we
need to add about another 4 in there for new connections and
networks, which means more
machines to find room for.
So basically I have been
Josh wrote:
Hello there.
We have a bunch of obsd firewalls, 8 at the moment, all working nice and
so forth. But we
need to add about another 4 in there for new connections and networks,
which means more
machines to find room for.
So basically I have been asked to investigate running
On 9/20/07, Jason Dixon [EMAIL PROTECTED] wrote:
On Sep 20, 2007, at 9:09 PM, Josh wrote:
Can someone please inform me if this is a really bad idea or not,
ideally with some nice reasoning?
What type of throughput is required between each segment? If you've
been around here much, you've
On Sep 20, 2007, at 9:53 PM, bofh wrote:
On 9/20/07, Jason Dixon [EMAIL PROTECTED] wrote:
On Sep 20, 2007, at 9:09 PM, Josh wrote:
Can someone please inform me if this is a really bad idea or not,
ideally with some nice reasoning?
What type of throughput is required between each segment?
34 matches