WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/

xen-users

Re: [Xen-users] Ideal(istic) Xen firewall design

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] Ideal(istic) Xen firewall design
From: Martin Maney <maney@xxxxxxxxx>
Date: Sun, 14 Aug 2005 22:22:41 -0500
Delivery-date: Mon, 15 Aug 2005 03:21:01 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <200508142130.j7ELUZ7k011456@xxxxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <42FF0CBD.1070507@xxxxxxxxxxxxxxxx> <200508142130.j7ELUZ7k011456@xxxxxxxxxxxxxxxx>
Reply-to: maney@xxxxxxxxx
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mutt/1.5.6+20040907i

On Mon, Aug 15, 2005 at 09:34:10AM +1200, Mike Tierney wrote:
> But it is still tempting to just do away with the separate firewall vm and
> do all the firewalling in Dom0!

That seems perfectly reasonable to me for a filtering router sort of
firewall with no exposed services.  Unless you're going to make dom0
itself console-only access (with good physical security on that
access), I can't see where it does much good to push the filtering into
a domU.  Of course if you're shutting down and restarting the filtering
firewall, you'd probably better be accessing dom0 from console
anyway.  :-/

Frankly, if you have *any* non-console access to dom0 (or poor physical
security), I would expect that to be a bigger threat than a break-in
through the kernel's IP stack/netfilter.  But there's no one right
answer - it really depends on your specific threat model and all the
rest of that stuff that we all prefer not to quantify because it's so
much work to get results that you know have a lot of best guesses and
estimates in 'em...  But without that judging the tradeoff is *really*
guesswork.

-- 
In software as well as in modern art,
the distinction between intentional and accidental omissions
is often difficult to make.  -- Andrew Hunt & David Thomas


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
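The configuration the reply describes, "a filtering router sort of firewall with no exposed services" living in dom0, as an added example that is not part of the original mail or of Xen itself: a dom0 iptables-restore ruleset in which dom0 accepts nothing from any interface but loopback (so the console really is the only way in) and only forwards stateful traffic between the domU bridge and the upstream link, together with a small lint that checks the "no exposed services" premise holds. The interface names eth0 (upstream) and xen-br0 (the bridge the domUs sit on) are assumptions; the script only generates and checks the ruleset and never calls iptables, so it runs anywhere.

```shell
#!/bin/sh
# Added example, not from the original mail: a dom0 "filtering router with no
# exposed services" ruleset plus a lint for it. Assumed interface names:
#   WAN = eth0     (upstream link)
#   LAN = xen-br0  (bridge the domUs are attached to)
# Nothing below touches the live firewall; on a real dom0 you would run
#   gen_dom0_rules eth0 xen-br0 > dom0.rules && iptables-restore < dom0.rules
# from the console, which is also where you'd want to be if the rules go wrong.

gen_dom0_rules() {
    wan="$1"; lan="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# dom0 itself: loopback and replies to its own outbound connections only.
# No rule accepts a NEW connection, so dom0 listens to nobody but the console.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Filtering-router part: domUs may open connections outward, the outside
# may only answer them. Add per-service holes here, never in INPUT.
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i $lan -o $wan -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Lint: exit 0 only if the INPUT chain cannot accept a NEW connection arriving on
# a non-loopback interface (dom0 exposes no service); otherwise print the
# offending rule(s) and exit 1. Reads a ruleset from a file argument or stdin.
check_no_exposed_services() {
    awk '
        BEGIN { bad = 0 }
        /^:INPUT / { policy = $2 }
        /^-A INPUT / && /-j ACCEPT/ {
            # Accepting on lo, or only ESTABLISHED/RELATED traffic, exposes nothing.
            if ($0 ~ /-i lo( |$)/) next
            if ($0 ~ /--state (ESTABLISHED|RELATED)(,(ESTABLISHED|RELATED))?( |$)/) next
            print "exposed: " $0; bad = 1
        }
        END {
            if (policy != "DROP") { print "INPUT policy is \"" policy "\", not DROP"; bad = 1 }
            exit bad
        }' "$@"
}

# The kind of change the mail argues is the bigger risk: sshd reachable on the
# upstream interface, i.e. non-console access to dom0. Inserted after the lo rule.
with_ssh_exposed() {
    awk -v wan="$1" '{ print }
        /^-A INPUT -i lo / { print "-A INPUT -i " wan " -p tcp --dport 22 -m state --state NEW -j ACCEPT" }'
}

# Usage: the hardened ruleset passes the lint; the same ruleset with ssh opened
# to the WAN fails it and names the rule.
gen_dom0_rules eth0 xen-br0 | check_no_exposed_services && echo "ok: dom0 exposes no service"
gen_dom0_rules eth0 xen-br0 | with_ssh_exposed eth0 | check_no_exposed_services || echo "lint caught an exposed service"
```

The lint encodes the reply's premise rather than any general notion of "secure": a ruleset can pass it and still be a bad router (no anti-spoofing on the bridge, no rate limiting), so treat it as a guard that the dom0-as-firewall decision still rests on the assumption it was made under, not as a substitute for reviewing FORWARD.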