Re: [tor-talk] EFF Tor Challenge
--- On Thu, 6/2/11, CACook@xxxxxxxxxxxxxxx <CACook@xxxxxxxxxxxxxxx> wrote:
> > > For those interested, so far my best idea is running the
> > > daemon in a VirtualBox VM running SELinux as guest, and
> > > bridged to the outside. This should substantially
> > > solve most problems except membership in the local
> > > LAN.
> >
> > I don't think that this would make for a best practice,
> > I think that a linux lxc should be encouraged instead,
> > it is way more efficient.
>
> I looked at containers in depth. They are simply not
> secure.
Could you be more specific? I understand that
different people have different opinions/biases
of how secure a system is, but I don't think
that anyone can make the claim that either of
these two setups is more obviously secure than
the other. Both perform similar logical
isolations, neither has the obvious advantage
here. Both have the potential to have the
isolation compromised by bugs, the full VM
solution has more code, so likely has a greater
attack surface, but that likely means little
in this argument. If you think it is "simple",
please explain on what basis you are making
this claim.
Since I do not think that it is a simple
evaluation to determine which solution is
more secure, and both solutions perform
a similar logical isolation (when not
compromised), I would suggest that other
criteria be used to judge which solution
should be used to suggest to others as a
best practice. Naturally, I would not
tell you that you are wrong for running
virtualbox, but I don't think that it is
a great solution for a best practice.
And, if you think that lxc is not
appropriate for a best practice, please
provide some good reasons so that we can
all benefit.
> Most ppl have consumer-grade routers; no DMZ port. Wish there was...
I am sorry you don't, but many consumer-grade
routers actually do have a DMZ port; it is
certainly not out of the ordinary.
-Martin
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk