|
|
Subscribe / Log in / New account

Is virtualisation a viable alternative to MAC ?

Is virtualisation a viable alternative to MAC ?

Posted Aug 1, 2010 0:22 UTC (Sun) by dlang (guest, #313)
In reply to: Is virtualisation a viable alternative to MAC ? by haradats
Parent article: AppArmor set to be merged for 2.6.36

I think that saying that virtualization is a nightmare for security is significantly overstating the problem.

I do think that the people who think that virtualization is the solution to all security problems are also drastically overstating the benefits and under estimating the risks.

to post comments

Is virtualisation a viable alternative to MAC ?

Posted Aug 1, 2010 0:31 UTC (Sun) by haradats (guest, #44782) [Link]

> I do think that the people who think that virtualization is the solution to all security problems are also drastically overstating the benefits and under estimating the risks.

Agreed.

Two things were in my mind when I wrote "a nightmare". While MAC tries to build up security from the bottom (TPM, boot, system call), guest OS can directly bound to the bottom. And the internal of guest OS can hardly observed (therefore confined) from the host (or hypervisor). However, "a nightmare" was too much as you suggested.

Is virtualisation a viable alternative to MAC ?

Posted Aug 1, 2010 19:56 UTC (Sun) by drag (guest, #31333) [Link]

I believe that to properly assess the advantages of virtualization and determine how appropriate it is for a orginization it's extremely important to have the correct attitude and approach to it.

Virtualization should be mostly thought of as a cost saving mechanism and that is about it. It's a abstraction you can to use to accomplish something cheaply that otherwise would take more resources, be more difficult, or cost more.

And actually you end up sacrificing security for that lower 'TCO'.

For example:

You want to isolate network services so that if one is hacked the other will still be secure. Traditionally you would simply have to purchase multiple machines to run each service. However that is expensive and uses lots of space... so what you can do is use virtualization to isolate each service on one machine while saving money.

In that case I am sure that everybody here would agree that running multiple services on multiple physical machines is going to provide higher security then running multiple services in multiple VMs on a single machine.

So hence your trading some security for lower cost.

So it's all about proper perspective and it makes it much easier to judge the proper use of virtualization then if you get sidetracked and start thinking about security advantages. Virtualization vendors need to concentrate on promoting their products through the discussion of cost saving measures, not sort of any illusionary security advantage.

------------

Similar problems happen when people start discussing file systems, raid, and backups.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds