--- On Thu, 6/2/11, cac...@quantum-sci.com <cac...@quantum-sci.com> wrote:

> > > For those interested, so far my best idea is running the
> > > daemon in a VirtualBox VM running SELinux as guest, and
> > > bridged to the outside. This should substantially
> > > solve most problems except membership in the local
> > > LAN.
> >
> > I don't think that this would make for a best practice,
> > I think that a linux lxc should be encouraged instead,
> > it is way more efficient.
>
> I looked at containers in depth. They are simply not secure.
Could you be more specific? I understand that different people have different opinions/biases about how secure a system is, but I don't think that anyone can make the claim that either of these two setups is more obviously secure than the other. Both perform similar logical isolations; neither has the obvious advantage here. Both have the potential to have the isolation compromised by bugs. The full VM solution has more code, so it likely has a greater attack surface, but that likely means little in this argument.

If you think it is "simple", please explain on what basis you are making this claim.

Since I do not think that it is a simple evaluation to determine which solution is more secure, and both solutions perform a similar logical isolation (when not compromised), I would suggest that other criteria be used to judge which solution should be suggested to others as a best practice. Naturally, I would not tell you that you are wrong for running virtualbox, but I don't think that it is a great solution for a best practice. And, if you think that lxc is not appropriate for a best practice, please provide some good reasons so that we can all benefit.

> Most ppl have consumer-grade routers; no DMZ port. Wish there was...

I am sorry you don't, but many consumer-grade routers actually do have a DMZ port; it is certainly not out of the ordinary.

-Martin

_______________________________________________
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk