Should I consider jails or virtual machines?

I am planning to allow a few services to be accessible from the outside network, mostly ssh and http. My initial plan was to run them in a jail. However, recently I have been considering setting up a separate virtual machine in order to raise the level of isolation from the host.

I am quite aware of the strengths and weaknesses of both of them when it comes to resources and operating systems that they can run, but I am not sure if there is any substantial difference in terms of security. I will be running FreeBSD in both of them (host and guest) and I have plenty of CPU and memory to waste, so their initial limitations are not so much of a concern. Security is more of a priority.

What do you suggest? Any security caveats for these two models?
 
On the OpenBSD mailing lists Theo de Raadt many times expressed the view that he does not understand how people can believe that whole armies of programmers, who have been struggling to write secure operating systems and applications for decades, suddenly are capable of writing secure virtualization software. ;)
 
Jails are extremely secure! However, jails have a few restrictions; for example, running PostgreSQL in a jail requires disabling some security settings. Performance-wise, jails are better: you spend your RAM a lot more effectively and you don't emulate/wrap IO/networking and so on.

I have a few OpenVZ (Linux version of jails) servers with just 64 MB RAM and that is enough for running the BIND DNS server with great performance.

In my opinion, virtualization is only worth it if you need very different systems (like mixing Linux, Windows, FreeBSD systems) or if your virtualization tool of choice has better administration options.
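As an added illustration, not part of the thread, the knobs that decide how much a FreeBSD jail shares with the host live in /etc/jail.conf; the entry below is for an Internet-facing ssh/http jail, with the jail name, paths, interface and address being assumptions. The PostgreSQL caveat in the post above is allow.sysvipc, which stays off here.

```conf
# Added example (not from the thread): minimal hardened /etc/jail.conf entry.
# Jail name, path, interface and IP address are assumptions for this example.

# Defaults applied to every jail defined in this file
exec.start = "/bin/sh /etc/rc";
exec.stop  = "/bin/sh /etc/rc.shutdown";
exec.clean;                      # start with a clean environment
mount.devfs;
devfs_ruleset  = 4;              # devfsrules_jail: hides host devices from the jail
enforce_statfs = 2;              # jail sees only its own mount point, not the host's
children.max   = 0;              # no nested jails
securelevel    = 3;              # raise kernel securelevel inside the jail
allow.set_hostname = 0;
allow.raw_sockets  = 0;          # no raw sockets inside the jail
allow.sysvipc      = 0;          # the setting PostgreSQL would need relaxed
allow.chflags      = 0;
allow.mount        = 0;

# One jail running sshd and httpd; constructed name, path and address
web {
    path          = "/usr/jails/web";
    host.hostname = "web.example.internal";
    interface     = "em0";
    ip4.addr      = 192.0.2.10;
    exec.consolelog = "/var/log/jail_web_console.log";
}
```

With jail_enable="YES" in /etc/rc.conf, the jail is started with `service jail start web`; `jls -n -j web` prints the effective parameters so the allow.* values above can be verified on the running jail.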
 
Actually, you could do both. Xen, VirtualBox, and QEmu are all capable of running full or paravirtualized guests. Have you thought about running a jail within the virtual machine?
 
sossego said:
Actually, you could do both. Xen, VirtualBox, and QEmu are all capable of running full or paravirtualized guests. Have you thought about running a jail within the virtual machine?

Yes, I have. How about a virtual machine within a jail? This is the model that SmartOS has followed, although being Solaris they are using KVM in zones. I wonder if they consider jails/zones more secure? Doing that in FreeBSD might be more difficult because of the kernel modules that would be needed.

I guess my question boils down to which one is easier to escape from? If the system gets compromised is it easier to escape from a jail or from a virtual machine?
 
HarryE said:
Users belonging to privileged groups, such as "bank", seem to escape very easily from jail ;-)
Luckily if those users are already in jail, they're no longer privileged no matter how much others in the same jail think they are.

Kevin Barry
 
Although I myself have more experience with Solaris zones than FreeBSD jails, I would imagine that a VM would provide a greater level of isolation from a security perspective, for the simple fact that while a jail is using the same kernel as the host system, a VM is not. Thus, it would be harder to exploit a kernel-level security issue.

In addition, I am not an expert here, but a VM may be able to provide harder resource limits, so some kind of attack involving overwhelming the system would be less likely to impact the host.

With that said I second @sossego's idea of a jail in a VM. This would be two layers. For even more, maybe jail inside VM inside jail.
 
You can combine those too by using VirtualBox on the FreeBSD host. So you can take jails for all the stuff which is available for FreeBSD and then for all other stuff you can use VirtualBox.

Regards
Markus
 
I'm not an expert, but a jail inside a virtual machine can show strange interactions; the solution must be intensively tested before being put in production.

On the other hand, a jail provides a reasonable compromise between performance and isolation.

A VM theoretically gives better isolation but has its own drawbacks: the binary code of the executables is converted on the fly. This is not only a performance penalty, it also can generate new bugs that are not present when the program runs inside a genuine machine.

Moreover, the paravirtualization concept arose to improve the performance of a pure VM, but at the price of establishing a communication channel between the host and guest operating systems; hence you relax the isolation to improve the performance.

As suggested readings regarding the topic:

http://web.eecs.umich.edu/virtual/papers/king06.pdf
http://www.eweek.com/c/a/Security/VM-Rootkits-The-Next-Big-Threat/

To my mind, making good engineering is making good compromises.
 