[Xen-users] Xen network infrastructure discussion

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-users] Xen network infrastructure discussion
From: siepk010 <jsiepkes@xxxxxxxxx>
Date: Thu, 13 Jul 2006 00:44:48 +0200
Delivery-date: Wed, 12 Jul 2006 15:45:34 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
Thread-index: AcamBMfC+Y05a3TVRByFYlVnk4NEfw==

Hello,

I'm looking for some opinions and insights on a particular subject: how to
position a couple of physical servers with virtual Xen servers in a network.

I have a hardware firewall (which has 3 interfaces) and two physical servers
(which both have 2 interfaces) with a couple of Xen domains.

Domu3 and domu4 should only be accessible by the inside network; domu5 and
domu6 need to be accessible from the internet. Domu1 and domu2 should only
be accessible from the inside, PLUS domu5 and domu6 need to be able to access
them (so they are not directly accessible from the internet).

I've attached a diagram with my (first) attempt to solve this little
dilemma. I couldn't find anywhere whether attachments are allowed on this
mailing list; if they aren't, apologies in advance.

The hardware firewall (connected to the border router and the internet)
divides the network into 3 zones. Each server has a firewall domain which
handles and inspects all the outgoing and incoming traffic of the domains on
the server. This firewall domain should ideally be another OS than the
domains are using, making it less vulnerable to "domino" exploit effects
(i.e. if the domains are Debian Linux, the firewall domain could be OpenBSD
or something).

The reason why I connected the two physical servers directly in the diagram
is performance. When they are connected directly to each other they have a
1 Gbit link. When linked via the firewall they only have a 100 Mbit link.

I'm looking for some insights/opinions on this matter, so fire at will :-)

Thanks in advance,

Jasper

Attachment: network.jpeg
Description: JPEG image
