Re: [Xen-users] Recipe for 'Thin Domain 0' request
Rik van Riel wrote:

> On Sun, 3 Apr 2005, William (Andy) Smith wrote:
>
>> I would need to prove the theory that I can isolate the NIC device and its traffic from Domain 0 and all other domains in a firewall application.
>
> I guess you could do the following, where I assume that eth1 contains your untrusted traffic:
>
>     [eth1] <-> [xen-br1] <-> domU firewall <-> [xen-br0] <-> [eth0]
>                (no IP)                         (dom0's IP)
>
> This way eth0 is firewalled from external network traffic. Yes, the packets will travel through dom0 to get to the domU firewall - but dom0 does not have any IP addresses before that firewall, so it will be much harder to attack.

This is exactly what I do, and it works great. I find it hard to imagine a successful attack against the dom0 when it doesn't have an IP address on the interface. I guess if you were really paranoid, you would do PCI delegation of that NIC to the domU, but I'm not (that paranoid).

-Tupshin
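Added example, not part of the original thread: a shell check that dom0 really holds no layer-3 address on the untrusted side of the layout quoted above. It inspects IPv6 as well as IPv4, because Linux normally auto-configures an IPv6 link-local address on an interface that is up when IPv6 is enabled. The interface names eth1 and xen-br1 come from the diagram; the function names and the sample data are constructed for this example.

```shell
#!/bin/sh
# Audit helper (added example, not from the thread).
# Assumption: input is in the one-line format printed by `ip -o addr show`,
# i.e. "<index>: <ifname> <family> <address>/<prefix> ...".

# Reads `ip -o addr show` output on stdin and prints "<if> <family> <addr>"
# for every address bound to one of the interfaces named as arguments.
# No output means dom0 has no IPv4 or IPv6 address on those interfaces.
untrusted_addrs() {
    awk -v want="$*" '
        BEGIN {
            n = split(want, w, " ")
            for (i = 1; i <= n; i++) bad[w[i]] = 1
        }
        ($3 == "inet" || $3 == "inet6") && ($2 in bad) { print $2, $3, $4 }
    '
}

# Constructed sample of dom0 state: the IPv4 address sits only on xen-br0,
# but the untrusted side still carries auto-configured IPv6 link-local
# addresses. All addresses below are made up for the example.
SAMPLE='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet6 fe80::216:3eff:fe00:10/64 scope link \       valid_lft forever preferred_lft forever
3: eth1    inet6 fe80::216:3eff:fe00:11/64 scope link \       valid_lft forever preferred_lft forever
5: xen-br0    inet 192.0.2.10/24 brd 192.0.2.255 scope global xen-br0\       valid_lft forever preferred_lft forever
6: xen-br1    inet6 fe80::200:ff:fe00:1/64 scope link \       valid_lft forever preferred_lft forever'

# Runs the audit over the constructed sample; prints the two link-local
# addresses found on eth1 and xen-br1.
audit_sample() {
    printf '%s\n' "$SAMPLE" | untrusted_addrs eth1 xen-br1
}

# Live use inside dom0 (left as a comment so the file runs offline):
#   ip -o addr show | untrusted_addrs eth1 xen-br1
```

Any line printed is an address on which dom0 can be reached from the untrusted segment before traffic has passed the domU firewall.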