WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-users

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Xen-users] Re: firewalls and Xen

from [Patrick Wolfe] [Permanent Link][Original]
To: Molle Bestefich <molle.bestefich@xxxxxxxxx>
Subject: Re: [Xen-users] Re: firewalls and Xen
From: Patrick Wolfe <pwolfe@xxxxxxxxxxxxxx>
Date: Fri, 07 Jul 2006 12:40:10 -0400
Cc: Luke <secureboot@xxxxxxxxx>, Daniel Goertzen <goertzen@xxxxxxxx>, xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Mon, 10 Jul 2006 05:18:18 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <62b0912f0607070921m6d23370dlb0d1af3709ca34b4@xxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <796A7B7A-174F-4A38-865B-09D316F8CAE8@xxxxxxxxx> <43F1F6EC.4010207@xxxxxxxx> <3988B614-F9C1-4DEB-A97C-65AF8E2F8E06@xxxxxxxxx> <43F20903.5050506@xxxxxxxx> <1139939476.19273.45.camel@xxxxxxxxxxxxxxxxxxxxx> <62b0912f0607070921m6d23370dlb0d1af3709ca34b4@xxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Thunderbird 1.5.0.4 (X11/20060615) 
Don't you find it troublesome that all of your domUs can communicate
freely with each other?

I'm thinking that if one domU is breached, a hacker will have total
freedom to poke at any ports on any of the other domUs regardless of
the firewall.
You are correct, but that's typically how servers are setup in a DMZ in a non-consolidated environment. Each server is responsible for protecting itself from penetration. My firewall's primary goal is to protect your INTERNAL systems from the internet and the DMZ systems. It also provides some protection for the DMZ systems, but if one of them has a hole and gets hacked, you want to make sure they can't get any further than the DMZ.
If you want to get all paranoid and isolate each domU from each other, go for it. Use the routed method, and have separate firewall rules for each server. Your firewall will be a little more heavily loaded, but that's the price you pay. Also, keep in mind that XEN currently doesn't support more than three network interfaces per domU, so you end up having to have one firewall for every two domU's.
In my opinion, a better solution is be to install shorewall (or whatever firewall package you like) on every domU, so it can protect itself. 

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Xen-users] Re: Problems booting Xen with LVM volumes, Matti Pöllä
Next by Date:  [Xen-users] Re: firewalls and Xen, Patrick Wolfe
Previous by Thread:  Re: [Xen-users] Re: firewalls and Xen, Emiliano Gabrielli
Next by Thread:  [Xen-users] Re: firewalls and Xen, Molle Bestefich
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy