[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] Recipe for 'Thin Domain 0' request

To: "William (Andy) Smith" <romaq@xxxxxxxxxxxxxxxxxxxx>
From: Rik van Riel <riel@xxxxxxxxxx>
Date: Mon, 4 Apr 2005 13:27:25 -0400 (EDT)
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Mon, 04 Apr 2005 17:27:25 +0000
List-id: Xen user discussion <xen-users.lists.xensource.com>

On Sun, 3 Apr 2005, William (Andy) Smith wrote:

> I would need to prove the theory that I can isolate the NIC device and 
> its traffic from Domain 0 and all other domains in a firewall 
> application.

I guess you could do the following, where I assume that
eth1 contains your untrusted traffic:

[eth1] <-> [xen-br1] <-> domU firewall <-> [xen-br0] <-> [eth0]
(no IP)                                    (dom0's IP)

This way eth0 is firewalled from external network traffic.
Yes, the packets will travel through dom0 to get to the
domU firewall - but dom0 does not have any IP addresses
before that firewall, so it will be much harder to attack.

-- 
"Debugging is twice as hard as writing the code in the first place.
Therefore, if you write the code as cleverly as possible, you are,
by definition, not smart enough to debug it." - Brian W. Kernighan

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

Follow-Ups:
- Re: [Xen-users] Recipe for 'Thin Domain 0' request
  - From: Tupshin Harper

Prev by Date: Re: [Xen-users] REPOSITORY, SERVER, and VIRTUAL OWNERSHIP
Next by Date: Re: [Xen-users] Installing Xen on FC3
Previous by thread: RE: [Xen-users] Recipe for 'Thin Domain 0' request
Next by thread: Re: [Xen-users] Recipe for 'Thin Domain 0' request
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.