This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
Home Products Support Community News


[Xen-users] OT: Network Security

To: <xen-users@xxxxxxxxxxxxxxxxxxx>
Subject: [Xen-users] OT: Network Security
From: "Jonathan Tripathy" <jonnyt@xxxxxxxxxxx>
Date: Wed, 4 Aug 2010 10:03:19 +0100
Delivery-date: Wed, 04 Aug 2010 02:04:41 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
Thread-index: Acszs+Ho3L7DFLsXTNCPbnNJ8fq2Rw==
Thread-topic: Network Security
Hi Everyone,
I've labeled this as Off-Topic as it's not really directly related to Xen, however I know the folk here are very experienced and helpful and my solution is going to be implemented on Xen. Please bear with me.
I'm trying to decide where to put my web server and DB server in my network. My current idea is to have an Apache Reverse Proxy in a DMZ, and put the "real" web server in a seperate subnet, along with the DB server. So it looks like this:
<NAT Port Fordwarding>
DMZ: Reverse Proxy Server (which proxies to "real" web server)
Seperate Subnet: "Real" Web server and Database Server
I'm in a bit of a debate with some people. Since the whole setup above will be on a single Xen box, and since I'm using filtering on my Dom0 bridge, my argument is that seperating into different subnets is irrelevant, since I'm able to tightly restrict communication between hosts on the same subnet (My current rules don't even allow IP or MAC spoofing). Some people have told me to put both reverse proxy and "real" web server in DMZ, and put DB on its own subnet.
Woudn't it be just as secure to put everything on the same subnet, and make use of my Dom0 filtering bridge to filter communication between guests? Or is there some "magicness" that separating into different subnets has?
Xen-users mailing list
<Prev in Thread] Current Thread [Next in Thread>
  • [Xen-users] OT: Network Security, Jonathan Tripathy <=