WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
 
   
 

xen-users

RE: [Xen-users] If Dom0 was compromised

To: <Xen-users@xxxxxxxxxxxxxxxxxxx>
Subject: RE: [Xen-users] If Dom0 was compromised
From: "Jonathan Tripathy" <jonnyt@xxxxxxxxxxx>
Date: Thu, 20 May 2010 11:39:25 +0100
What if I were to use this setup:

In a nutshell, run a firewall in a DomU and delegate a physical NIC to it (the physical NIC would have a public IP from the ISP).
Then, connect the other vifs from the firewall DomU to a bridge, which eventually connects to the LAN.
 
Is this secure? I could disable ssh etc. in Dom0 and just use an old school monitor connected to the server. Is this as safe as it could be?
 
Thanks
 

From: xen-users-bounces@xxxxxxxxxxxxxxxxxxx on behalf of Olivier B.
Sent: Thu 20/05/2010 11:06
To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] If Dom0 was compromised

I'm not an expert, but Dom0 has access at least to the disk, the network traffic, and memory through "xm save".
Well, it seems to be full access, no?

Olivier

On 20/05/2010 11:53, Jonathan Tripathy wrote:
Hi Everyone,
 
If Dom0 were to get compromised, how bad would this be? How much access to the DomUs does Dom0 have?
 
Trying to build a strong security network here
 
Many Thanks
 
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users