Comments on: Virtualizing the Security Layer
http://www.terminally-incoherent.com/blog/2008/04/09/virtualizing-the-security-layer/
I will not fix your computer.
Feed last built: Tue, 04 Aug 2020 22:34:33 +0000

By: Luke Maciak (http://www.terminally-incoherent.com/blog/2008/04/09/virtualizing-the-security-layer/#comment-8726) Thu, 10 Apr 2008 14:01:30 +0000

> 512MB and a core dedicated to the security vm?

That’s 512 MB dedicated solely to the VM, but yeah, let’s say 1-2 GB dedicated to the VM to be more realistic. I have a 2.4 GHz dual-core CPU on this very laptop and 2 GB of RAM, and I can quite comfortably run Windows 2k in VirtualBox on top of my Kubuntu install.

Vista is so bloated it scares me. And there is really no justification for it. To me it runs like XP’s slower cousin with minor UI tweaks. When I moved from 2k to XP I could at least “feel” this was a new OS. :P

> Don’t forget that office users in companies *don’t* and *won’t* have an x-core machine with y GB of RAM for at least 5 years to come.

True. This technology I think is targeted more at big data centers. They were really pushing the whole dynamic network architecture idea which doesn’t really matter that much in a regular office environment. And yeah, it is more expensive, but they claim you get much better security coverage out of this.

> How can a virtual os stop viruses and block attacks on a different os running on a system?

For one, it acts as a proxy between you and the internet, so you can have packet scrubbing and intrusion prevention going on in there. An attack from the outside will most likely target the guest system, which is what it will see on the network.

Other than that, I’m not sure. As I mentioned, they were a little light on details, and I got referred to their sales people for further questions. :P

By: Dave (http://www.terminally-incoherent.com/blog/2008/04/09/virtualizing-the-security-layer/#comment-8725) Thu, 10 Apr 2008 11:46:08 +0000

How can a virtual OS stop viruses and block attacks on a different OS running on a system? I’m assuming that both OSes are running at the same time, but when a breach occurs, does it occur to the entire system such that any operating system can stop it, or is it targeted to the main one?

By: ths (http://www.terminally-incoherent.com/blog/2008/04/09/virtualizing-the-security-layer/#comment-8724) Thu, 10 Apr 2008 11:01:59 +0000

The number is 3900 Unix servers being replaced by 30 zSeries with virtualized or partitioned Linux/390. Sorry, memory is getting worse.
… and reducing 155 data centers to 7 worldwide is also saving quite some $$ on energy costs.

By: ths (http://www.terminally-incoherent.com/blog/2008/04/09/virtualizing-the-security-layer/#comment-8723) Thu, 10 Apr 2008 08:22:52 +0000

Don’t forget that office users in companies *don’t* and *won’t* have an x-core machine with y GB of RAM for at least 5 years to come. Companies tend to calculate in $$, and they get the cheapest machines that do the job for the average employee. *And* companies tend to decide on machines where they can be sure that there is support over the next bazillion years. There are monthly budgets and yearly budgets and tax legislation and allowance for depreciation, so that it actually makes sense to repair a PC, not replace it. Of course, YMMV.

There are repairs, and you can discuss if it’s still the original PC after 3 repairs, but that’s how financial accountants think. Even my wife does so in her office — her office PCs are 7-year-old Duron-750s, and they still do the job, so why replace them? I had to replace 2 power supplies, 1 RAM, 1 VGA card, even 1 mainboard, but they’re still the same PCs. We switched from ME to XP, but still everything works. I even have 2 mainboards for 10 euros from eBay just to be able to repair the PCs once more.

As Schneier says, “security is a trade-off” (just yesterday in his blog). I have a separate DSL modem connected to a Linux server, and everything runs through dedicated proxies, so I’m fairly sure about security on the clients. And as for browser attack vectors: there’s no other choice than to keep the OS up to date; no IDS or IPS will help you there 100%. It’s more a matter of educating the users.

Currently, VMs are a wonderful technology for data centers to increase CPU usage (estimates put average CPU usage in big DCs at 10-30%), save energy (IBM had a press release that they could replace 3700 Unix servers with 70 partitioned zSeries and offer the same number and power of services), decrease cooling requirements and provide on-demand provisioning, and it’s great for developers to segregate host from dev environment.
But it’s not for average office users right now.

This reminds me of the Monty Python joke in “The Meaning of Life” about the machine that goes “ping”. There is truth in what the bookkeeper says, but no one understands it then (“Ah, I see you have the machine that goes ping. This is my favorite. You see we lease it back from the company we sold it to and that way it comes under the monthly current budget and not the capital account.”). IMHO the joke in the movie is about having a machine that no one understands and can use correctly.

By: vacri (http://www.terminally-incoherent.com/blog/2008/04/09/virtualizing-the-security-layer/#comment-8722) Thu, 10 Apr 2008 07:10:34 +0000

(…remove “less than” sign and continue post…) 1g of our software, it’s now reporting over 15GB consumed, and that’s before I’ve even started up our software. Eh? Exactly how much space does Vista want? When will the horror end?

There better be some decent porn hidden in that bloated carcass of an OS, or there’ll be hell to pay.

also, why doesn’t the spellchecker on this box allow linux as a word?

dammit.

By: vacri (http://www.terminally-incoherent.com/blog/2008/04/09/virtualizing-the-security-layer/#comment-8721) Thu, 10 Apr 2008 07:09:38 +0000

512MB and a core dedicated to the security vm?

O_o

You can run an iptables firewall VM in such a way (e.g. Coyote Linux) in only a few megabytes. I mean, sure, it’s an interesting idea, but does it really need to gobble that level of resources? Just “because it’s there” is how we get bloatware in the first place.

For example, I am now starting to test our software on Vista (now that SP1 is out). I’d tried it this time last year and it was far too buggy. A fresh vanilla install of MSDN Vista Ultimate 32bit + Windows Updates (all security and recommended, one optional) + nVidia drivers + Service Pack 1 + another Windows Updates + defragmenting (to improve the size of the backup image)… and the damn thing was THIRTEEN gigabytes. The only non-OS, non-driver software I had installed was Firefox. THIRTEEN gigabytes. I only gave the C: 20GB for ease of backup. More fool me, I guess.

After installing

By: Nathan (http://www.terminally-incoherent.com/blog/2008/04/09/virtualizing-the-security-layer/#comment-8718) Wed, 09 Apr 2008 17:30:20 +0000

This is extra-cool with modern systems that support hardware virtualization. Running a hardened OpenBSD install in a VM as a gateway with pf, clamav, and sendmail shouldn’t take much disk space or memory but would definitely stop most worms and mail viruses cold.

Heck, it may actually free up resources because you may not need to run an antivirus client locally (there’s still the problem of boot sector viruses on media brought from home or internet-downloaded viruses that make it past the blacklist, but the second problem could be solved by scrubbing HTML pages in transit and how often do you see boot sector viruses anymore?).

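The gateway-VM idea in Nathan's comment above, and the proxy-with-packet-scrubbing role Luke describes in the first comment, both come down to a two-interface VM running a default-deny packet filter. The pf ruleset below is an added illustration of that design and is not code from the post or from any commenter. Interface names (vio0/vio1), the LAN prefix, the proxy port and the choice to relay mail through the gateway's MTA are assumptions for the example; it uses current OpenBSD pf syntax (match/nat-to/rdr-to), which differs from the nat/rdr rules of the 2008 era.

```pf
# Assumed layout: vio0 faces the outside world, vio1 faces the guest/LAN side.
# Interface names and the LAN prefix are placeholders for this example.
ext_if = "vio0"
int_if = "vio1"
lan    = "192.168.100.0/24"

# Assumed local services on the gateway VM: a content-scrubbing web proxy
# on 3128 and the local MTA (the "sendmail" of the comment) on 25.
proxy_port = "3128"

set skip on lo
set block-policy drop

# Normalize fragmented and oddly-flagged packets before any filtering.
match in all scrub (no-df random-id)

# Hide the LAN behind the gateway's external address.
match out on $ext_if inet from $lan to any nat-to ($ext_if)

# Default deny in both directions; every rule below is an explicit exception.
block all

# Drop packets claiming a LAN source address that arrive on the wrong interface.
antispoof quick for { lo $int_if }

# LAN hosts may reach the gateway's proxy and MTA, and external DNS.
pass in on $int_if inet proto tcp from $lan to $int_if port $proxy_port
pass in on $int_if inet proto tcp from $lan to $int_if port 25
pass in on $int_if inet proto udp from $lan to any port 53

# Direct web traffic from the LAN is transparently redirected to the proxy,
# so the guest cannot bypass scrubbing by talking to the internet itself.
pass in on $int_if inet proto tcp from $lan to any port { 80 443 } rdr-to $int_if port $proxy_port

# The gateway itself (proxy, MTA, resolver, package updates) may go out.
# NATed LAN traffic that was allowed in above also matches here.
pass out on $ext_if inet from ($ext_if) to any keep state

# No pass-in rule exists on $ext_if, so nothing unsolicited from outside
# reaches the gateway or the guest behind it.
```

The ruleset only protects the guest if the guest's sole network path is the gateway VM's internal interface (for example an internal/host-only network between the two, with only the gateway bridged to the real NIC); a guest with its own bridged adapter simply walks around it. It also does nothing for Dave's question about a breach that is already inside the guest: the gateway sees only what crosses the wire, and isolation between guest and host at that point rests on the hypervisor, not on pf. Rule order matters because pf is last-match without `quick`: `block all` comes first and the `pass` rules override it, while the `antispoof` rule is marked `quick` so a spoofed packet is dropped before any `pass` rule can rescue it.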