[mythtv-users] Virtualisation in the home network -- ready for mainstream?
Simon Hobson
linux at thehobsons.co.uk
Thu Sep 3 08:26:42 UTC 2009
Bill Williamson wrote:
>I am not the OP, and I think his list of virtualized stuff is a bit
>silly (why would you virtualize monowall, when it means packets are
>already in your network and on your machine before hitting your
>firewall????), but there are some very good specific uses for
>virtualization (although with xen it works great with pci sharing...).
Actually, running a firewall in a VM makes quite good sense, and it's what I have. My firewall is a minimal install (no unnecessary software installed, let alone running) in a Xen guest - its outside interface is a network card presented directly to it (pciback.hide etc) so apart from passing across the PCI bus, the outside traffic doesn't hit Dom0 at all.
It means my firewall can be simple (basic 2 port setup), whereas doing the same thing in Dom0 is, to say the least, tricky.
>> Another reason to do it is as an added measure of privilege separation.
>> If one virtual machine is compromised it probably won't lead to compromise
>> of the other VMs, barring security problems with the VM hypervisor. In an
>> ideal world you wouldn't run, say, a web server and an NIS master on the
>> same machine, but running them in separate VMs provides almost the same
>> level of security without the extra box.
>
>For home use? If someone is compromising your linux boxes and ...
>deleting your tv shows? ... I guess it's good that they can't then
>make a phone call using asterisk? Or something?
Let's get this straight, you are criticising someone for taking security seriously? And as for "it's good that they can't then make a phone call using asterisk" - well that is a serious problem that actually costs money. There's nothing like having a few hundred (or even few thousand) $/£ added to your phone bill for you to take security seriously and it's happened to plenty of people (mostly businesses with badly configured PBXs, but coming to VoIP you can be sure) over the years.
But for me, one of the biggest reasons is the separation of software - I can fiddle away with a setup as much as I like, and if I really screw it up I can just blow it away and start again. I don't have to worry, for example, about needing to run the very latest stuff to get my tuner working and that breaking my fairly old software running the mail server.
Oh yes, and it sounds cool when you describe it to non-geek friends :D
--
Simon Hobson
Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.
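The "basic 2 port setup" firewall guest described in the post above, as an added example that is not part of the original message, the mythtv-users list, or any project the list discusses. It generates a minimal default-deny ruleset in iptables-restore format for a guest whose outside interface is the passed-through NIC and whose inside interface is the Xen vif facing the LAN. The interface names (eth0, eth1), the LAN subnet (192.168.1.0/24) and management on SSH port 22 are assumptions; the rules themselves are standard iptables syntax.

```shell
#!/bin/sh
# Added example: minimal two-interface firewall ruleset for a Xen firewall guest.
# Assumptions (not from the post): eth0 is the NIC handed to the guest with
# pciback.hide (outside), eth1 is the Xen vif on the Dom0 bridge (inside),
# and the LAN is 192.168.1.0/24.
OUTSIDE=eth0
INSIDE=eth1
LAN=192.168.1.0/24

# Emit the ruleset in iptables-restore format. Default policy is DROP on
# INPUT and FORWARD, so anything not explicitly allowed from the outside
# interface never reaches the guest or the LAN.
gen_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to connections the firewall itself opened
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# management (ssh) is reachable only from the inside interface and LAN subnet
-A INPUT -i $INSIDE -s $LAN -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# LAN hosts may go out; only replies come back in
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $INSIDE -o $OUTSIDE -s $LAN -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $OUTSIDE -s $LAN -j MASQUERADE
COMMIT
EOF
}

# Sanity check before loading: both chains that see outside traffic must
# default to DROP, otherwise the "minimal" guest is not actually a firewall.
check_rules() {
  gen_rules | grep -q '^:INPUT DROP' && gen_rules | grep -q '^:FORWARD DROP'
}

# To apply on the guest (as root, with iptables installed):
#   check_rules && gen_rules | iptables-restore
```

On the Xen side, the post's pciback.hide approach means the outside card is hidden from Dom0's drivers on the Dom0 kernel command line (pciback.hide=(BB:DD.F) for the card's bus/device/function) and handed to the guest with a pci = ['BB:DD.F'] line in its config, so the ruleset above is the only thing between the wire and the rest of the network; the slot value is whatever lspci reports for your card and is a placeholder here.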