[PLUG] Joe Jobbed

Dwight Hubbard dwight at dwightandamy.com
Tue Oct 9 17:34:24 UTC 2007


In the last few years when I built a box that was going to face the internet
I generally put each internet facing service in its own virtual machine.
The compartmentalization a VM offers made recovering a hacked server a hell
of a lot easier.  Also, since each VM only had one running service there
were only 2 real entry vectors, remote kernel exploits and the service the
VM was running (well, assuming the virtualization doesn't have some remote
exploits anyways).

I generally wouldn't run any network services on the physical machine, which
left it accessible only via a remote access controller like a Dell DRAC that
sat behind a VPN, or by physically going to the system.

I also found it a lot easier to upgrade applications because the VMs made it
easy to clone the existing machine and do the upgrade somewhere else.  Also,
since the actual upgrade involved shutting down the old VM and bringing up
the upgraded one, rolling back changes was fairly easy.

One other thing I experimented with was building VMs on mirrored disk LUNs
and having the physical machine split the mirror, fsck the filesystem, and
run tripwire and chkrootkit on it.

Of course VMs aren't a replacement for good security practice, they are just
a useful tool.
-- 
Dwight Hubbard (RHCE)
dwight at dwighthubbard.com
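The host-side check the post describes (split the mirror, then inspect the guest's filesystem from outside the VM, where a compromised guest kernel cannot lie about its own files) boils down to a tripwire-style baseline comparison. The script below is an added illustration, not the poster's setup and not tripwire itself: it records a SHA-256 hash plus mode, owner and size for every file under the guest's system directories, then diffs a later copy of the tree against that baseline. It assumes the split mirror has already been mounted read-only on the host at some path; the `demo()` function stands in for that mount with a small constructed directory tree so it runs anywhere.

```python
"""Offline integrity check of a guest filesystem from the host.

Added example in the spirit of the post's split-mirror + tripwire run.
Assumptions: the guest's disk (e.g. the split half of a mirrored LUN) is
mounted read-only on the host, and `root` points at that mount. The
baseline is meant to be stored off the guest so an attacker inside the VM
cannot rewrite it.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

# Directories worth baselining on a typical Linux guest; data dirs are
# excluded because they change legitimately.
SYSTEM_DIRS = ("bin", "sbin", "etc", "lib")


def file_record(path: Path) -> dict:
    """Hash and metadata for one entry; symlinks are recorded by target."""
    st = path.lstat()
    rec = {"mode": stat.filemode(st.st_mode), "uid": st.st_uid, "size": st.st_size}
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    elif stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)
    return rec


def build_baseline(root: Path, subdirs=SYSTEM_DIRS) -> dict:
    """Walk the mounted guest tree and record every file under subdirs."""
    baseline = {}
    for sub in subdirs:
        base = root / sub
        if not base.is_dir():
            continue
        for dirpath, _dirs, files in os.walk(base):
            for name in files:
                p = Path(dirpath) / name
                baseline[str(p.relative_to(root))] = file_record(p)
    return baseline


def compare(baseline: dict, root: Path, subdirs=SYSTEM_DIRS) -> dict:
    """Diff the current tree against a stored baseline."""
    current = build_baseline(root, subdirs)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(k for k in baseline.keys() & current.keys()
                          if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Run the check on a constructed tree standing in for the mounted snapshot."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sample = {  # constructed sample guest files
            "bin/ls": b"ls-binary",
            "etc/passwd": b"root:x:0:0",
            "etc/ssh/sshd_config": b"PermitRootLogin no",
        }
        for rel, data in sample.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        # Round-trip through JSON: this is what would be stored on the host.
        baseline = json.loads(json.dumps(build_baseline(root)))
        # Simulate what a later inspection might find: a modified binary,
        # a deleted config file and an unexpected new file.
        (root / "bin/ls").write_bytes(b"ls-binary-modified")
        (root / "etc/ssh/sshd_config").unlink()
        (root / "sbin").mkdir()
        (root / "sbin/helper").write_bytes(b"x")
        return compare(baseline, root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Modification time is deliberately left out of the record because it is trivially set by anyone who can write the file; the hash, mode and owner are what matter. In a real deployment the baseline would be generated right after the guest is built, kept on the host or a separate store, and each check would run against a freshly split and read-only mounted copy so the guest is never in a position to alter either side of the comparison.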
