WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

Re: [Xen-users] Running workstation and firewall on the same hardware

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] Running workstation and firewall on the same hardware
From: Mark Williamson <mark.williamson@xxxxxxxxxxxx>
Date: Mon, 8 Aug 2005 17:37:35 +0100
Cc: Morten Guldager <morten.guldager@xxxxxxxxx>
Delivery-date: Mon, 08 Aug 2005 16:38:25 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <d3e62a6b0508071107440f8e71@xxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <d3e62a6b0508071107440f8e71@xxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: KMail/1.8.2
> I'm a paranoid SuSE guy.

That's the most succinct introduction we've had in a while :-)

> Recently I discovered Xen, and thought that I could use it to combine
> the workstation and firewall in one piece of hardware.
>
> First plan was to create 3 xen domains: Dom0, WS and FW
>
> But it seems to be quite a job to get all my fancy hardware available
> to anything but Dom0

Yep, right now it's easiest to give all that stuff to dom0.

> Next idea is to only have two domains: Dom0 and FW. And then use Dom0
> for workstation.
>
> What are your suggestions?

Conceptually the simplest would be to have dom0 forward *link level* packets 
to a domU, which can filter them at IP level and then send them back to dom0.  
In this scheme dom0 still receives the packets initially but doesn't do 
anything with them until they've been verified by the domU.  Link-level 
attacks on dom0 could compromise the machine but a compromise of the domU 
will not (although your IP traffic is obviously untrusted then).

A better-performing solution would be to dedicate the network card to the domU 
and have it do link-level and IP level processing, then forward packets to 
dom0 over a virtual interface.  To do this you need to:
* hide the PCI device from dom0 (so it doesn't grab it)
* then assign the device to the domU
* then start a kernel with the network driver in the domU (you could just use 
the xen0 kernel, it's fine)

Crashes of the domU should generally not take down the whole system, so it 
should be quite robust to errors.  dom0 doesn't see the packets at all until 
the firewall has vetted them, so it can be protected rather effectively.  In 
the case of the firewall domain being compromised, however, a "sufficiently 
clever" attacker can probably abuse the DMA engine of the network card to 
"break out" of the domU.

Lots of people are using device assignment with great success.

Cheers,
Mark
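A dom0-side sanity check for the "hide the PCI device from dom0" step above, added here as an example and not part of the original thread. It assumes the sysfs layout of a Linux dom0 (`/sys/bus/pci/devices/<BDF>/driver` is a symlink to the bound driver) and that the hidden device ends up bound to the `pciback` stub driver; it is run against a constructed sysfs tree so it works offline.

```shell
#!/bin/sh
# Verify that a PCI device (BDF such as 0000:01:00.0) is really hidden from
# dom0, i.e. bound to the pciback stub rather than a real dom0 network driver.
# SYSFS can be overridden so the check can run against a constructed tree.
SYSFS="${SYSFS:-/sys}"

# Print the name of the driver bound to the device, or "none".
pci_driver_of() {
    link="$SYSFS/bus/pci/devices/$1/driver"
    if [ -L "$link" ]; then
        basename "$(readlink "$link")"
    else
        echo none
    fi
}

# Return 0 if the device is hidden from dom0 (bound to pciback), 1 otherwise.
# A device with no driver at all is NOT counted as hidden: dom0 could still
# claim it later when a matching driver is loaded.
pci_hidden_from_dom0() {
    case "$(pci_driver_of "$1")" in
        pciback|xen-pciback) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample sysfs tree (assumption, not a real machine): one NIC bound
# to pciback, one still claimed by dom0's e1000 driver, one with no driver.
make_sample_sysfs() {
    SYSFS="$(mktemp -d)"
    for d in 0000:01:00.0 0000:02:00.0 0000:03:00.0; do
        mkdir -p "$SYSFS/bus/pci/devices/$d"
    done
    mkdir -p "$SYSFS/bus/pci/drivers/pciback" "$SYSFS/bus/pci/drivers/e1000"
    ln -s ../../drivers/pciback "$SYSFS/bus/pci/devices/0000:01:00.0/driver"
    ln -s ../../drivers/e1000   "$SYSFS/bus/pci/devices/0000:02:00.0/driver"
}

# Demo run over the constructed tree.
make_sample_sysfs
for d in 0000:01:00.0 0000:02:00.0 0000:03:00.0; do
    if pci_hidden_from_dom0 "$d"; then
        echo "$d: hidden from dom0 (driver: $(pci_driver_of "$d"))"
    else
        echo "$d: STILL VISIBLE to dom0 (driver: $(pci_driver_of "$d"))"
    fi
done
rm -rf "$SYSFS"
```

On a real dom0, run it with the default `SYSFS=/sys` before starting the firewall domU; a device that reports "STILL VISIBLE" has not been handed off and the domU will not get it.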

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users