WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-users

Re: [Xen-users] Xen Security

To: Jonathan Tripathy <jonnyt@xxxxxxxxxxx>
Subject: Re: [Xen-users] Xen Security
From: Bruno Steven <aspenbr@xxxxxxxxx>
Date: Fri, 16 Jul 2010 09:31:22 -0300
Cc: vburke@xxxxxxxx, Xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Fri, 16 Jul 2010 05:32:45 -0700
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:cc:content-type; bh=CXo25zgGwK29cXU+zgJmBKe3wI58a0e5zOJO2sou3jA=; b=PXB8C9PG5xFifxZWs4Ca8qWhPNqeJwGWT22aA4IBKHSXvvrPyEARwCQopngQfKFTz3 swndHSF6AxknsbbWiG2mpWs+1SHkCUcMFysktuYYFGGxw0uGy5Um10Kq4MtkdFxrT/at FJTbm/Qk6Mr7R3+gw8VuDtc/luF+mWAeDb1Mk=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=Zz6JXTO2MiwMOnStOpa+7lEeqxh0BHQaj9v6LXEVxOiGWxlIgDou4hWzZ+H26NDUOV spE6+1g1B/ttGreqK0AGu/FwoAIoOfl+VsiNncoWpUMaRAOZr6F3LCJyo5H6HBBOIt3R N1GobE3fX9lZ6xEbiOE/ogKGiQDhq15esdxV8=
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <46C13AA90DB8844DAB79680243857F0F0AFDC0@xxxxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <4C3F905E.9030100@xxxxxxxxxxx> <4C3F94C3.5050207@xxxxxxxxxxx> <4C3FB19B.104@xxxxxxxx> <4C4004C7.7020008@xxxxxxxxxxx> <1418113099-1279279532-cardhu_decombobulator_blackberry.rim.net-1424595720-@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> <46C13AA90DB8844DAB79680243857F0F0AFDC0@xxxxxxxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
I like all post is very good, I know use jail for virtual machine is solution for some problem security, like virtual machine with service less security as DNS server. 

I have read about XEN 4.0 but the installation need re-build kernel , sound re-build kernel is very danger for security of kernel, how install new version xen 4.0 without re-build kernel ?   

On Fri, Jul 16, 2010 at 8:59 AM, Jonathan Tripathy <jonnyt@xxxxxxxxxxx> wrote:
Thanks Vern,
 
I can indeed keep my VMs up to date, however the customers will be in charge of their VMs so I can't upgrade theirs, however I think this is a moot point as they will have root access anyway.
 
I should probably upgrade my Xen 3.4.2 to 3.4.3 then?
 
Thanks


From: Vern Burke [mailto:vburke@xxxxxxxx]
Sent: Fri 16/07/2010 12:25
To: Jonathan Tripathy; xen-users-bounces@xxxxxxxxxxxxxxxxxxx; Xen-users@xxxxxxxxxxxxxxxxxxx

Subject: Re: [Xen-users] Xen Security

I did NOT say that. Like much of the current discussion about cloud security, it comes down to degree of likely. You are FAR more likely to have a VM hacked directly as the result of lousy system admin practices than you are some remote theoretical possibility of someone breaching the hypervisor.

In my opinion, unless you're storing nuclear launch codes, keep the cloud/hypervisor up to date, keep the guest OS up to date, and follow system admin best practices and the chances of being hacked are vanishingly small.

Vern

Vern Burke, SwiftWater Telecom, http://www.swiftwatertel.com

-----Original Message-----
From: Jonathan Tripathy <jonnyt@xxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
Date: Fri, 16 Jul 2010 08:05:43
To: Vern Burke<vburke@xxxxxxxx>; <Xen-users@xxxxxxxxxxxxxxxxxxx>
Subject: Re: [Xen-users] Xen Security

Hi Vern,

So you think I should just set up my networking properly and forget
about the rest? Do you feel it ok to share the same Xen host with
internal VMs with public VMs?

Thanks


On 16/07/10 02:10, Vern Burke wrote:
> I have no idea how you could actually PROVE that there's no possible
> way someone could break out of a dom U into the dom 0. As I've written
> before, since Xen is out and about in such a large way (being the
> underpinning of Amazon EC2) that if there was a major risk of this,
> we'd have seen it happen already.
>
> Vern Burke
>
> SwiftWater Telecom
> http://www.swiftwatertel.com
> ISP/CLEC Engineering Services
> Data Center Services
> Remote Backup Services
>
> On 7/15/2010 7:07 PM, Jonathan Tripathy wrote:
>>
>> On 15/07/10 23:49, Jonathan Tripathy wrote:
>>> Hi Everyone,
>>>
>>> My Xen host currently run DomUs which contain some very sensitive
>>> information, used by our company. I wish to use the same server to
>>> host some VMs for some customers. If we assume that networking is set
>>> up securely, are there any other risks that I should worry about?
>>>
>>> Is Xen secure regarding "breaking out" of the VM?
>>>
>>> Thanks
>>>
>>> _______________________________________________
>>> Xen-users mailing list
>>> Xen-users@xxxxxxxxxxxxxxxxxxx
>>> http://lists.xensource.com/xen-users
>>
>> I'm running Xen 3.4.2 on CentOS 5.5 Dom0 by the way.
>>
>> _______________________________________________
>> Xen-users mailing list
>> Xen-users@xxxxxxxxxxxxxxxxxxx
>> http://lists.xensource.com/xen-users
>>

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users



--
Bruno Steven - Administrador de sistemas.
LPIC-1 - LPI ID: lpi000119659 / Code: p2e4wz47e4
https://www.lpi.org/caf/Xamman/certification

MCP-Windows 2003 - TranscriptID: 793804 / Access Code: 080089100
https://mcp.microsoft.com/authenticate/validatemcp.aspx


P Antes de imprimir pense em sua responsabilidade e comprometimento com o Meio Ambiente. Before printing this message, think about your ecologic responsability and environment commitment.
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
<Prev in Thread] Current Thread [Next in Thread>