Old 12-10-2006, 04:21 PM   #1
MBA Whore
Member
 
Registered: May 2006
Location: Kansas City, MO
Distribution: Various: pclos, Debian, Ubuntu, etc . . .
Posts: 649

Rep: Reputation: 30
Question Virtualization and Routers for Online Security


Hi everyone,

I am about to jump into "virtualization" via VMware Server 1.0.1. I have read that each "virtualized" OS acts independently so if one goes it should not impact the others. My understanding is that a virtual guest OS, such as a virtual guest Win2k or virtual guest Linux, would still be vulnerable to the virus, etc that would impact a "real" Win2k or "real" linux.

This made a light bulb go on in my head, as well as a question mark. I believe every OS, real or virtual, should have firewall protection. I intend to have my host OS (Linux MEPIS) use VMware Server 1.0.1 to create 2 virtual guest OS (a. Win2k and b. 1 other Linux distro).

Thus, I would effectively have 3 OS in operation: My host (Linux MEPIS) and 2 virtual guest OS. Instead of messing with a firewall for each of the 3 OS, is it possible to simply buy a router to act as a firewall for all 3 OS, simultaneously?

If yes, then would the fact that one OS is "real" and two are "virtual" complicate router configuration or router effectiveness?

If no, then what are my options?

FYI: No wifi is involved, this is all "old fashion" wired broadband.

Thanks!
 
Old 12-11-2006, 07:03 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by MBA Whore
I believe every OS, real or virtual, should have firewall protection. (..)
Instead of messing with a firewall for each of the 3 OS
Here you're contradicting yourself. Anyway. Think "defense in depth".
Avoid single points of failure, allow multiple points of access control.
One firewall (device) good, more firewalls better.
 
Old 12-11-2006, 11:57 AM   #3
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
Firewalls are not only to protect "internal" hosts from "external" attacks, but also to protect each internal host from the other. You still need firewalls on the virtual OSs to make sure the other hosts on the same network don't attack them. This drastically reduces the chances that one idiot user will cause your entire network to be infected.
 
Old 12-11-2006, 06:04 PM   #4
MBA Whore
Member
 
Registered: May 2006
Location: Kansas City, MO
Distribution: Various: pclos, Debian, Ubuntu, etc . . .
Posts: 649

Original Poster
Rep: Reputation: 30
So I should

So I should have a separate firewall for each OS? For example, one for my host OS (Linux MEPIS) and one for a virtual guest Win2k or XP and one for a virtual guest linux some-random-distro?

I was always under the impression that running more than one firewall was a bad idea, like running more than one anti-virus was a bad idea. For example, if you buy and install a 3rd party firewall for XP, it is usually a good idea to turn off the firewall that comes with XP.

Does my impression not apply here, or is there more to it?

Thanks again.
 
Old 12-11-2006, 07:52 PM   #5
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
Quote:
Originally Posted by MBA Whore
So I should have a separate firewall for each OS? For example, one for my host OS (Linux MEPIS) and one for a virtual guest Win2k or XP and one for a virtual guest linux some-random-distro?
Yes, absolutely.

Quote:
I was always under the impression that running more than one firewall was a bad idea, like running more than one anti-virus was a bad idea. For example, if you buy and install a 3rd party firewall for XP, it is usually a good idea to turn off the firewall that comes with XP.

Does my impression not apply here, or is there more to it?
That's because running two programs that interact deeply with the kernel to do the same thing, at the same time, can have unpredictable results. That is inside a single OS, though. You're running 3 different OSs. Each one needs a firewall and they won't conflict with each other.
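
Editor's added example, not part of any poster's reply: a small Python model of the setup discussed in this thread, showing which unsolicited inbound connections a perimeter router can filter and which only a per-OS firewall sees. It assumes the guests use bridged networking on the same LAN as the host; the machine names, addresses, listening ports and rules are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

LAN = ipaddress.ip_network("192.168.1.0/24")  # constructed addressing

@dataclass
class Firewall:
    # Default-deny inbound filter: list of (allowed source network, port).
    allow: list = field(default_factory=list)

    def permits(self, src, port):
        return any(src in ipaddress.ip_network(net) and port == p
                   for net, p in self.allow)

@dataclass
class Machine:
    name: str
    ip: str
    listening: set
    firewall: Optional[Firewall] = None

def verdict(src_ip, dst, port, router):
    src = ipaddress.ip_address(src_ip)
    # Only traffic from outside the LAN passes through the router;
    # LAN-to-LAN frames are switched directly and never reach it.
    if src not in LAN and not router.permits(src, port):
        return "blocked by router"
    if dst.firewall is not None and not dst.firewall.permits(src, port):
        return "blocked by host firewall"
    return "delivered" if port in dst.listening else "port closed"

def lateral_exposure(machines, router):
    # Every (source, destination, port) between LAN machines that is delivered.
    return sorted((s.name, d.name, p) for s in machines for d in machines
                  if s is not d for p in d.listening
                  if verdict(s.ip, d, p, router) == "delivered")

def build(with_host_firewalls):
    fw = (lambda rules: Firewall(rules)) if with_host_firewalls else (lambda rules: None)
    return [
        Machine("mepis-host", "192.168.1.10", {22}, fw([])),
        Machine("win2k-guest", "192.168.1.11", {135, 445}, fw([])),
        Machine("linux-guest", "192.168.1.12", {22, 80},
                fw([("192.168.1.10/32", 22)])),  # SSH from the host only
    ]

ROUTER = Firewall([])          # no port forwards: all unsolicited inbound dropped
EXTERNAL = "203.0.113.5"       # constructed outside address (TEST-NET-3)

if __name__ == "__main__":
    for label, flag in (("router only", False), ("router + host firewalls", True)):
        ms = build(flag)
        print(label, "| external -> win2k:445:", verdict(EXTERNAL, ms[1], 445, ROUTER))
        print("  lateral flows delivered:", lateral_exposure(ms, ROUTER))
```

The model covers new inbound connection attempts only and ignores stateful return traffic. With the router alone, every listening service is reachable from the other two machines; adding a default-deny firewall on each OS leaves only the one flow explicitly allowed.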
 
Old 12-13-2006, 02:01 PM   #6
MBA Whore
Member
 
Registered: May 2006
Location: Kansas City, MO
Distribution: Various: pclos, Debian, Ubuntu, etc . . .
Posts: 649

Original Poster
Rep: Reputation: 30
Thanks for the

Quote:
Originally Posted by chort
Yes, absolutely.



That's because running two programs that interact deeply with the kernel to do the same thing, at the same time, can have unpredictable results. That is inside a single OS, though. You're running 3 different OSs. Each one needs a firewall and they won't conflict with each other.

Thanks for the clarification.
 
  

