This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


Re: [Xen-users] Re: Creating a DMZ domU

To: "John A. Sullivan III" <jsullivan@xxxxxxxxxxxxxxxxxxx>
Subject: Re: [Xen-users] Re: Creating a DMZ domU
From: "Christopher Isip" <cmisip@xxxxxxxxx>
Date: Wed, 16 Jul 2008 22:23:37 -0400
Cc: Jeroen Torrekens <jeroen.torrekens@xxxxxxxxxxx>, xen-users <xen-users@xxxxxxxxxxxxxxxxxxx>
Delivery-date: Wed, 16 Jul 2008 19:24:26 -0700

On Wed, Jul 16, 2008 at 11:26 AM, John A. Sullivan III <jsullivan@xxxxxxxxxxxxxxxxxxx> wrote:
On Wed, 2008-07-16 at 07:19 -0400, Christopher Isip wrote:
>         Normally not. There is no way for the 'outside' network to
>         address your dom0 machine. If it does not have an IP address
>         on the external bridge that is
> If the dmz is compromised though, the attacker would have access to
> the dmz bridge and all hosts connected to it right?.  This should
> exclude dom0 since there is no interface in dom0 attached to the dmz
> bridge (xenbrD).  Is this correct?
> [root@mymainserver ~]# brctl show
> bridge name    bridge id        STP enabled    interfaces
> eth0        8000.00146c30c25a    no        vif8.0
>                             vif7.0
>                             vif6.0
>                             vif5.0
>                             vif4.0
>                             vif3.0
>                             vif2.0
>                             vif1.0
>                             peth0
> virbr0        8000.000000000000    yes
> xenbrD        8000.feffffffffff    no        vif11.0
>                             vif2.1
> I believe in the above vif1.0 is probably attached to the asterisk
> domU while vif2.1 is to the dmz domU though I don't know how to check
> for sure.  I did not manually enslave a dom0 interface to the xenbrD
> bridge when I created it.
> Thanks
> Chris
Hmm . . . I'm not sure how this would work.  I suppose it might be best
to pretend to be the bad guy.  If you run a sniffer (tcpdump, wireshark)
in promiscuous mode on the DMZ server, what do you see? Anything that
would give clues to the internal network?

If you have console access on the DMZ server and you know where you want
to go on the internal network (from sniffing the wire), can you get
there unfettered? Just a few thoughts.  Let me know how you fare :) -
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880

Making Christianity intelligible to secular society

You make a good point. I don't know much about interpreting tcpdump output, but I could see that one could glean some information about the LAN network structure from watching tcpdump. I put a drop policy from the Asterisk domU to DMZ as well as from LAN to DMZ. The only pipe open now is the ssh pipe and the https port forward from the internet. I still would like to know if there is anything I need to do in dom0 for the xenbrD bridge. Or is it already secure by virtue of not having any dom0 interfaces enslaved to it.
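An added example, not part of the thread: a small shell audit of the brctl output quoted above (re-typed here as a constructed sample) that separates dom0-side bridge members from domU vifs and decodes each vifN.M to its domain id, which answers the "how to check for sure" question. The function names are my own; on a live host the same functions can be fed `brctl show` directly.

```shell
#!/bin/sh
# Added example, not from the thread: audit 'brctl show' output for dom0 exposure.
# Constructed sample: the output Chris posted above, re-typed here.
SAMPLE_BRCTL='bridge name    bridge id        STP enabled    interfaces
eth0        8000.00146c30c25a    no        vif8.0
                            vif7.0
                            vif6.0
                            vif5.0
                            vif4.0
                            vif3.0
                            vif2.0
                            vif1.0
                            peth0
virbr0        8000.000000000000    yes
xenbrD        8000.feffffffffff    no        vif11.0
                            vif2.1'

# Flatten brctl output into "bridge member" pairs; a continuation line (one
# field) inherits the bridge named on the last full line.
bridge_members() {                       # $1 = brctl show text
    printf '%s\n' "$1" | awk 'NR == 1 { next }
        NF >= 3 { br = $1; if (NF == 4) print br, $4; next }
        NF == 1 { print br, $1 }'
}
# Members that are not domU vifs. Xen names backend ports vif<domid>.<devid>,
# so anything else (peth0, a dom0 veth, a tap) is a dom0-side interface.
non_vif_members() {                      # $1 = brctl text, $2 = bridge name
    bridge_members "$1" |
        awk -v b="$2" '$1 == b && $2 !~ /^vif[0-9]+\.[0-9]+$/ { print $2 }'
}
# Domain ids with a vif on the bridge, ascending; map them to names with
# 'xm list' on the live host (vif2.1 is device 1 of domain 2).
domids_on_bridge() {                     # $1 = brctl text, $2 = bridge name
    bridge_members "$1" |
        awk -v b="$2" '$1 == b && $2 ~ /^vif[0-9]+\./ {
            sub(/^vif/, "", $2); sub(/\..*/, "", $2); print $2 }' |
        sort -un | tr '\n' ' ' | sed 's/ $//'
}
# No dom0-side member means the segment has no dom0 endpoint to address, as
# long as the bridge device itself carries no IP: check with 'ip addr show dev xenbrD'.
dom0_isolated() {                        # $1 = brctl text, $2 = bridge name
    [ -z "$(non_vif_members "$1" "$2")" ]
}

for br in eth0 xenbrD; do
    if dom0_isolated "$SAMPLE_BRCTL" "$br"; then v=isolated; else v=EXPOSED; fi
    printf '%-7s %-9s domUs: %s\n' "$br" "$v" "$(domids_on_bridge "$SAMPLE_BRCTL" "$br")"
done
```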


