On Thu, 22 Mar 2007, Carric Dooley wrote:
> The only firewall virtualization I have seen is VSX, Crossbeam, and
> Shasta, but I don't know of any host-based solution per se. Is there some
> issue I'm missing (since I have not tried this myself) installing some
> centrally managed host-based FW/IPS on VMs?
Well, first of all, with the machine to machine failover VM environments,
you can start to do interesting things with firewalling on the hosting OS
versus at a chokepoint in the network (so you get internal firewalling for
free, for instance.) But more interestingly you actually start to get
pseudo-out-of-band inspection and protection and with KVM, the ability to
add hosting OS tagging for compartments or layers.
Unless you really bozo the code, you're essentially able to move filtering
into the reference monitor layer and start to do really interesting MAC
stuff in a "central" location. If you're a NIDS kind of folk, you can do
all that NOOP sled detection on a commodity platform without adding new
hardware to your network, and the same with firewalling; after all, if the
hosting OS isn't up you've got bigger problems.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson
paul@compuwar.net
http://www.fluiditgroup.com/blog/pdr/
"My statements in this message are personal opinions which may have no basis whatsoever in fact."
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards