WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
 
   
 

xen-users

RE: [Xen-users] Xen Security

To: "Rudi Ahlers" <Rudi@xxxxxxxxxxx>, <Xen-users@xxxxxxxxxxxxxxxxxxx>
Subject: RE: [Xen-users] Xen Security
From: "Jonathan Tripathy" <jonnyt@xxxxxxxxxxx>
Date: Fri, 16 Jul 2010 09:01:31 +0100
Cc:
Delivery-date: Fri, 16 Jul 2010 01:06:04 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <4C3F905E.9030100@xxxxxxxxxxx> <AANLkTik9xC2I7cp-Rp1Q_rQ7S6zgzTzN32ELbQDrgSLD@xxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
Thread-index: Acskt1qEW0CPZT8+Q6yiEnEH3YvY1gABb/Mb
Thread-topic: [Xen-users] Xen Security


How do you secure your normal sensitive network server from client
servers? Deal with XEN in the same way :) Set up decent firewalling. We
actually put some of our sensitive domUs on a different network
subnet, and block routing from client VMs to that subnet. So if they
wanted to break in, they would have to do it from outside our network,
at which point our firewalls take care of the rest.

--------------------------------------------------------------------------------------------------
 
Hi Rudi,
 
Even though all internal and customer (untrusted) VMs are on the same box, there is indeed firewalling between them. I have a pfsense firewall domU set up, as well as iptables on the Dom0, to prevent the public VMs from accessing the internal ones. The public VMs are on a public subnet (which is actually bridged with the "WAN" side of the firewall), while the internal ones are on a private subnet, so breaking in would have to be done from "outside" the firewall as well.
 
My main concern was some Xen exploit that would allow a DomU user access to Dom0...
 
Thanks
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
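As an added example (not from this thread, and not Xen's own tooling), here is what the "iptables on the Dom0" layer Jonathan describes can look like: customer VMs on one bridge, internal VMs on another, and dom0 refusing to forward from the public bridge to the private one or to accept new connections from it. The bridge names xenbr0 and xenbr1, the internal subnet 10.10.0.0/24 and the XEN-ISOLATE chain name are constructed assumptions; the script prints the rules so they can be reviewed before they are applied.

```shell
#!/bin/sh
# Added example, not from the thread: dom0 iptables rules that keep untrusted
# customer domUs on the public bridge from reaching the internal subnet or
# dom0 itself. Interface names and addresses below are constructed assumptions.
PUB_BR="${PUB_BR:-xenbr0}"              # bridge carrying customer (public) VMs
PRIV_BR="${PRIV_BR:-xenbr1}"            # bridge carrying internal (sensitive) VMs
PRIV_NET="${PRIV_NET:-10.10.0.0/24}"    # internal subnet behind the firewall domU

# Emit the rules as text so they can be reviewed (or diffed) before applying.
# Bridged frames only reach the iptables FORWARD chain when
# bridge-nf-call-iptables is on (br_netfilter must be loaded on newer kernels).
xen_isolation_rules() {
  cat <<EOF
sysctl -w net.bridge.bridge-nf-call-iptables=1
iptables -N XEN-ISOLATE 2>/dev/null || iptables -F XEN-ISOLATE
iptables -A XEN-ISOLATE -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A XEN-ISOLATE -i $PUB_BR -o $PRIV_BR -j LOG --log-prefix "xen-isolate: "
iptables -A XEN-ISOLATE -i $PUB_BR -o $PRIV_BR -j DROP
iptables -A XEN-ISOLATE -i $PUB_BR -d $PRIV_NET -j LOG --log-prefix "xen-isolate: "
iptables -A XEN-ISOLATE -i $PUB_BR -d $PRIV_NET -j DROP
iptables -A XEN-ISOLATE -j RETURN
iptables -D FORWARD -j XEN-ISOLATE 2>/dev/null
iptables -I FORWARD 1 -j XEN-ISOLATE
iptables -D INPUT -i $PUB_BR -m conntrack --ctstate NEW -j DROP 2>/dev/null
iptables -I INPUT 1 -i $PUB_BR -m conntrack --ctstate NEW -j DROP
EOF
}

# Number of rules that are added (-A/-I) with a DROP verdict; the -D cleanup
# lines are excluded because they end in a redirection, not in DROP.
count_drop_rules() {
  xen_isolation_rules | grep -c -E -- '^iptables -(A|I) .* -j DROP$'
}

# True when the ESTABLISHED,RELATED accept precedes every DROP, so replies
# to connections the internal side opened are not cut off.
accept_precedes_drop() {
  xen_isolation_rules \
    | grep -n -e '-j DROP' -e 'ESTABLISHED,RELATED -j ACCEPT' \
    | head -n 1 | grep -q ACCEPT
}

# Usage: sh isolate.sh         (print the rules for review)
#        sh isolate.sh apply   (run them as root on dom0)
if [ "${1:-}" = "apply" ]; then
  xen_isolation_rules | sh -e
else
  xen_isolation_rules
fi
```

The LOG rules before each DROP give a detection signal: a customer VM probing the internal subnet shows up in the dom0 kernel log with the "xen-isolate:" prefix, which is cheap to alert on. These rules only cover network paths between VMs and dom0; the hypervisor-level concern in the thread (a domU reaching dom0 through a Xen bug rather than over the network) is not something packet filtering addresses, and comes down to keeping the hypervisor patched.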