* carlopmart <carlopmart@gmail.com> [101123 08:44]:
quoted text
> On 11/23/2010 02:33 PM, Jim Razmus wrote:
> >* carlopmart<carlopmart@gmail.com>  [101123 08:22]:
> >>On 11/23/2010 01:48 PM, carlopmart wrote:
> >>>On 11/23/2010 01:42 PM, Bret Lambert wrote:
> >>>>Because you're still relying on your host's network stack, you aren't
> >>>>actually firewalling it.
> >>>>
> >>>
> >>>Uhmm .. I am not sure about this. For example: you can configure several virtual
> >>>bridges under a ESXi host and then attach them to a virtual firewall like OpenBSD.
> >>>If you configure some pf rules, you are doing firewalling ... In this case you have
> >>>all network stack except layer 1, correct??
> >>
> >>And one more thing: with latest releases of hypervisors like ESXi
> >>and KVM (I don't know about xen), you can attach physical hardware
> >>to a specific guest, like network interfaces. Then, you have all
> >>network stack asigned to a virtual machine. Where are the
> >>disadvantages in scenarios like this??
> >>
> >>Thanks.
> >>
> >>--
> >>CL Martinez
> >>carlopmart {at} gmail {d0t} com
> >>
> >
> >You're still relying on software to the right thing and protect against
> >abuse.  "attach physical hardware to a specific guest" is done via
> >software.  Do you trust that software?
> >
> >jim@
> >
> >
> 
> Uhmm ... good point Jim. But, but one question: can you compromise
> this virtual firewall using a specific exploit, procedure, etc and
> don't do the same with a physical firewall ??
> 
> -- 
> CL Martinez
> carlopmart {at} gmail {d0t} com
> 

Possibly, yes.  Here's why.  You're not attacking an OpenBSD host.

The hypervisor has a network stack that is engaged before any guest.
How else can you setup virtual switches, "attach interfaces", etc.
Assuming that stack is vulnerable in some fashion, you have the
opportunity to attack the guests from an entirely new angle.  Moreover,
if your hypervisor is now compromised, why try to fight your way through
the network interface of the virtual firewall when you can attack the
firewall or other guests directly?  Further, why even attack the guests
through their respective virtual network interfaces when you can poison
their virtual CPUs or other "hardware" devices?

IMO, this is a kin to the blob problem for hardware, but on a larger
scale.  Your guests, OpenBSD or otherwise, are entirely dependent on
another layer of software.  In this case ESXi, which is not infallible.

Does that explain it better?

jim@