LinuxQuestions.org
Old 10-14-2008, 08:37 AM   #1
PlatinumX
Member
 
Registered: May 2008
Location: France
Distribution: Debian / Fedora / Gentoo
Posts: 178

Rep: Reputation: 15
Which virtualization solution when security matters ?


Hi all,

I know this topic is not directly linked to grsecurity.
However, it may interfere.

In the choice of KVM, Xen, Vserver, OpenVZ, QEMU, ... which virtualization solution would you choose when security matters ?

I don't know if one solution is providing more segregation between host and guest ?
Is one solution more robust when the guest has been compromised ?

Thanks
 
Old 10-14-2008, 05:19 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,779
Blog Entries: 54

Rep: Reputation: 2978
Not an answer but maybe this could help you start reading:
http://www.cs.nps.navy.mil/people/fa...nix00-0611.pdf
http://www.offensivecomputing.net/files/active/0/vm.pdf
http://www.vmware.com/security/advis...2007-0006.html
http://invisiblethings.org/papers.html

Last edited by unSpawn; 10-14-2008 at 05:26 PM. Reason: added link
 
Old 10-15-2008, 03:29 AM   #3
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 3,919

Rep: Reputation: 779
There is an argument from Green Hills http://www.ghs.com/products/rtos/integritypc.html that their hypervisor solution is architecturally better from the point of view of security. My opinion is that this argument may be true but, in the absence of a developed infrastructure of hypervisor exploits, it is impossible to say how significant this architectural detail is (compared, let's say, to implementation details).

In any case, you probably need to look at it, if security is your overriding concern.
 
Old 10-19-2008, 09:58 AM   #4
PlatinumX
Member
 
Registered: May 2008
Location: France
Distribution: Debian / Fedora / Gentoo
Posts: 178

Original Poster
Rep: Reputation: 15
At first glance, Vserver sounds good.
It is about "security context".

Moreover, in addition to releasing their own vserver patch for the Linux kernel, they release a "combo" patch: vserver+grsecurity.

Seems security is their point.
 
Old 10-21-2008, 03:01 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,779
Blog Entries: 54

Rep: Reputation: 2978
Quote:
Originally Posted by PlatinumX
It is about "security context". (..) Seems security is their point.
If you say it like that the phrase caveat emptor comes to mind. As you defined "advertised" as having "more segregation" and being "more robust" (just trying only to create enough doubt necessary for discussion) just because it says so on the package, what guarantees do you have that it "works as advertised"?.. (any CVE/NVD/OSVDB entries?)
 
Old 10-29-2008, 08:40 AM   #6
PlatinumX
Member
 
Registered: May 2008
Location: France
Distribution: Debian / Fedora / Gentoo
Posts: 178

Original Poster
Rep: Reputation: 15
You are right, I don't know about the quality of the implementation of Vserver.

But when you talk about the design itself, it seems Vserver takes the security (I mainly mean segregation of applications and network) well into account.

It is purely subjective, I agree.
But I am not able to find any contest between Vserver and OpenVZ (both are containers) clearly pointing out the advantages and drawbacks of each.
 
  

