Huh? What does circular logic have to do with a simple statement? Running
different application domains on separate VMs provides isolation BETWEEN
those application domains. That's security by anyone's definition.
The fact is that the OS level security is *separate*, and could be an
issue has nothing to do with the point I'm making.
What if the client OS were Windoze? The security of that OS is crap, and
we all know it. Any sane sysadmin will have a good firewall in front of
that machine, whether it's running in a VM or on separate hardware.
What if the client OS were Linux with AppArmor? SE Linux is a BIG
improvement over regular Linux, and WAY more secure than ANY product from
Redmond.
Certainly there is a small, compount risk increase due to multiple OS
images involved, but the OS images must be analyzed independently FIRST,
and THOSE risks addressed.
**IF** OBSD were available as a host OS, that would be good security. If
not, then security issues compound due to multiple guest OSs and each set
of inherent vulnerabilities.
No matter how you twist the logic, however, a VM provides a good level of
application domain security, from the standpoint that each set of domain
users and applications can only see the services provided within that
domain guest OS.
Lee
================================================
Leland V. Lammert lvl@omnitec.net
Chief Scientist Omnitec Corporation
Network/Internet Consultants www.omnitec.net
================================================
