[SOLVED] Virtualization and Routers for Online Security

MBA Whore · 12-10-2006, 04:21 PM

Hi everyone,

I am about to jump into "virtualization" via VMware Server 1.0.1. I have read that each "virtualized" OS acts independently so if one goes it should not impact the others. My understanding is that a virtual guest OS, such as a virtual guest Win2k or virtual guest Linux, would still be vulnerable to the virus, etc that would impact a "real" Win2k or "real" linux.

This made a light bulb go on in my head, as well as a question mark. I believe every OS, real or virtual, should have firewall protection. I intend to have my host OS (Linux MEPIS) use VMware Server 1.0.1 to create 2 virtual guest OS (a. Win2k and b. 1 other Linux distro).

Thus, I would effectively have 3 OS in operation: My host (Linux MEPIS) and 2 virtual guest OS. Instead of messing with a firewall for each of the 3 OS, is it possible to simply buy a router to act as a firewall for all 3 OS, simultaneously?

If yes, then would the fact that one OS is "real" and two are "virtual" complicate router configuration or router effectiveness?

If no, then what are my options?

FYI: No wifi is involved, this is all "old fashion" wired broadband.

Thanks!

unSpawn · 12-11-2006, 07:03 AM

I believe every OS, real or virtual, should have firewall protection. (..)
Instead of messing with a firewall for each of the 3 OS
Here you're contradicting yourself. Anyway. Think "defense in depth".
Avoid single points of failure, allow multiple points of access control.
One firewall (device) good, more firewalls better.

chort · 12-11-2006, 11:57 AM

Firewalls are not only to protect "intenal" hosts from "external" attacks, but also to protect each internal host from the other. You still need firewalls on the virtual OSs to make sure the other hosts on the same network don't attack them. This drastically reduces the chances that one idiot user will cause your entire network to be infected.

MBA Whore · 12-11-2006, 06:04 PM

So I should have a separate firewall for each OS? For example, one for my host OS (Linux MEPIS) and one for a virtual guest Win2k or XP and one for a virtual guest linux some-random-distro?

I was always under the impression that running more than one firewall was a bad idea, like running more than one anti-virus was a bad idea. For example, if you buy and install a 3rd party firewall for XP, it is usually a good idea to turn off the firewall that comes with XP.

Does my impression not apply here, or is there more to it?

Thanks again.

chort · 12-11-2006, 07:52 PM

Quote:

Originally Posted by MBA Whore

So I should have a separate firewall for each OS? For example, one for my host OS (Linux MEPIS) and one for a virtual guest Win2k or XP and one for a virtual guest linux some-random-distro?

Yes, absolutely.

Quote:

I was always under the impression that running more than one firewall was a bad idea, like running more than one anti-virus was a bad idea. For example, if you buy and install a 3rd party firewall for XP, it is usually a good idea to turn off the firewall that comes with XP.

Does my impression not apply here, or is there more to it?

That's because running two programs that interact deeply with the kernel to do the same thing, at the same time, can have unpredictable results. That is inside a single OS, though. You're running 3 different OSs. Each one needs a firewall and they won't conflict with each other.

MBA Whore · 12-13-2006, 02:01 PM

Quote:

Originally Posted by chort

Yes, absolutely.

That's because running two programs that interact deeply with the kernel to do the same thing, at the same time, can have unpredictable results. That is inside a single OS, though. You're running 3 different OSs. Each one needs a firewall and they won't conflict with each other.

Thanks for the clarification.