
Re: [Xen-devel] LXR-type source code browsing



> Like you, we have an internal LXR server.
> 
> I've never been very convinced about the security of LXR. Do you reckon
> we'd get away with running one on the public internet? Do you know
> whether lxr.linpro.no have had problems?
> 
> We're planning on setting up the wiki and bugzilla each in their own VM
> with snort running in domain 0 to scrutinize the traffic. I guess we
> could add lxr to the mix and see what happens...
> 
> Ian 



Your suggestion to use snort in dom0 sounds like a great way to keep track of
what is going on in the other domains.  It sparks my interest in taking part in
the discussion, as I have been thinking through the best ways to use Xen to
create a higher level of trust in my systems.

Because security of dom0 seems of the utmost importance, I have been
inclined to do less in dom0...rather than more.  I have been thinking of making
only ssh available from the outside, even protecting the ssh port with port
knocking.  I would use dom0 for compiling new xen/linux kernels, for managing
the other domains (as with the xm command), and for running iptables, which
would run in dom0 to protect all the other domains.  I would also do filesystem
integrity checking within dom0 and send syslog to a remote server.  Outside
of those duties, I don't think dom0 needs to do much for me.

Given that approach to using dom0 in a more tightly controlled way, the only
other vectors of attack upon dom0, as I see them, would be these scenarios:

1) network attack via iptables or on the tcp/ip stack itself (unlikely)

2) virtual machine attack on a vulnerability that allows access to dom0 (unlikely)

3) tcp session hijacking of an ssh session

So, by using dom0 as a special-purpose domain, the risk of compromising the
entire system would be minimized.

Would it perhaps be even better to run snort in an unprivileged domain, using
iptables to feed traffic to that domain?

Incidentally, why isn't iptables support built into the default xen/linux
kernels? iptables seems a natural fit with a project that can do so much for
system security.

Thanks to everyone working on this wonderful project.

Shane




_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/xen-devel


 

