xen-users
RE: [Xen-users] ip which is already being used can be taken by windowsvp
> Some suggestions:
>
> 1. Make sure that anything that ever wants to talk to 1.1.1.1 uses SSL
> so that it can never be impersonated. Make sure that you pay attention
> if your ssh client ever complains that the key has changed.
> 2. Put each VM on a /30 network and route everything to it. It might be
> a pain to maintain but it greatly reduces the attack surface.
> 3. Use iptables to filter that port to make sure the source IP address
> is correct (remember to allow for DHCP queries if you use that - they
> will appear to come from 0.0.0.0 I think).
> 4. Install arpwatch (I think that's what it's called) that can notify
> if the relationship between a mac address and an IP address changes
>
> James
>
If you're going to do #2, you may as well use /31s and save 2 IPs per host.
Best Regards,
Nathan Eisenberg
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
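An added example, not part of either message: suggestions 2 and 3 and the /31 reply worked through together, comparing address use for /30 and /31 per-VM subnets and generating source-address filters for each guest interface. It assumes a routed setup where dom0 holds the gateway address on each vif and answers DHCP itself; the pool 192.0.2.0/28, the vif names and the function names are constructed for illustration.

```python
import ipaddress

def allocate(pool, vifs, prefix):
    """Give each vif its own point-to-point subnet; returns {vif: (net, gw, vm)}."""
    if prefix not in (30, 31):
        raise ValueError("prefix must be 30 or 31")
    subnets = list(ipaddress.ip_network(pool).subnets(new_prefix=prefix))
    if len(vifs) > len(subnets):
        raise ValueError("pool too small for this many VMs")
    # /31 (RFC 3021): both addresses are usable.
    # /30: index 0 is the network address and index 3 the broadcast address.
    first = 0 if prefix == 31 else 1
    return {vif: (net, net[first], net[first + 1]) for vif, net in zip(vifs, subnets)}

def addresses_used(plan):
    """Total addresses consumed from the pool by a plan."""
    return sum(net.num_addresses for net, _gw, _vm in plan.values())

def antispoof_rules(plan):
    """iptables commands that drop any packet from a vif whose source is not its VM."""
    rules = []
    for vif, (_net, _gw, vm) in plan.items():
        rules += [
            # DHCP requests from a client with no lease yet come from 0.0.0.0 and
            # are broadcast, so they reach dom0's INPUT chain (assumed DHCP server).
            f"iptables -A INPUT -i {vif} -p udp -s 0.0.0.0 --sport 68 --dport 67 -j ACCEPT",
            f"iptables -A INPUT -i {vif} ! -s {vm} -j DROP",
            f"iptables -A FORWARD -i {vif} ! -s {vm} -j DROP",
        ]
    return rules

# Constructed sample input: a documentation-range pool and three guest interfaces.
POOL = "192.0.2.0/28"
VIFS = ["vif1.0", "vif2.0", "vif3.0"]

if __name__ == "__main__":
    plan30 = allocate(POOL, VIFS, 30)
    plan31 = allocate(POOL, VIFS, 31)
    saved = addresses_used(plan30) - addresses_used(plan31)
    print(f"/30 uses {addresses_used(plan30)} addresses, /31 uses "
          f"{addresses_used(plan31)}: {saved // len(VIFS)} saved per VM")
    for vif, (net, gw, vm) in plan31.items():
        print(f"{vif}: {net} gateway {gw} guest {vm}")
    print("\n".join(antispoof_rules(plan31)))
```

The rules are emitted as text for review rather than applied, and they are appended in order so the DHCP exception is evaluated before the drops.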