My analogies usually go to custard, but I'll try this one.

You are in charge of getting four ambassadors to a meeting.  As well
as making sure they are happy and fed, you are in charge of their
security.

All four are hated in their home countries and you know their are
people wanting to kill them.

Some of your choices:

1. One car per ambassador.  If one gets taken out, at least three are
still OK (guess you would still be out of a job, though - so not a
perfect analogy.)  Obviously means four cars, four drivers, so more
expensive.  And more things to juggle.  And if you are very unlucky,
all four could still get taken out (but obviously means a lot of bad
guys being lucky.)  It takes four attacks to wipe you out.

2. All four in one car.  If any assassin tries to take out an
ambassador, chances are the rest are toast as well.  But only one
car / one driver - so less expensive.  It takes one attack to wipe
you out.

3. All four in one car - but you start to worry about the risk, so
you start adding stuff to the car.  Bigger engine, stronger body, try
and partition off the passengers, give them body armour, have a spare
driver, get the driver to drive randomly - lot more complexity and
things to juggle.  Unless you and the car builder are very good (did
you think of EVERYTHING?  What exactly did the car builder DO under
the bonnet - do you know?) - one attack will still wipe you out.

Which of these options is "most secure"?  (Sending them with Arnie in
his Hummer isn't an option.)

Now I'll send this and then think of how the analogy falls apart ... 8-)

On 25/10/2007, at 7:14 PM, Lars Noodin wrote:

quoted text
> Kevin Stam wrote:
>> ... failed to satisfactorily explain why running a specific
>> application
>> in a VM is more secure then running it in a standard OS. It's
>> nonsense that
>> you think it's more secure that way. It saves a lot of money, yes
>> -- you
>> don't necessarily want a separate box just to run an application -
>> but
>> that's not the debate here. The debate is about security, and I'm
>> amazed
>> that you think a virtual environment is somehow more secure then a
>> dedicated
>> non-virtual environment...
>
> Like I mentioned earlier, security has several contexts.  He could
> well
> be talking about job security, if he's the only one who knows how
> it is
> set up.
>
> While probably the least, or at least one of the least, technically
> skilled people here, I did spend a lot of time this spring reading
> up on
> virtualization and paravirtualization.
>
> *My* conclusion was that the main, and maybe only, place that
> virtualization can help is in restoration after a compromise, assuming
> one makes snapshots, etc.  That and maybe load balancing / resource
> usage to help uptime.  Keeping people out, or data in?  Nah.  Probably
> no more than spreading out over different architectures.
>
> However, adding an extra layer otherwise made little sense and is
> probably not more effective than sysjail or something like that.
> Paravirtualization, *might* help in some cases, since the guest os
> must
> be ported, but again the host is native and once you reach the host...
>
> -Lars