[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] Recipe for 'Thin Domain 0' request

Rik van Riel wrote:

On Sun, 3 Apr 2005, William (Andy) Smith wrote:

I would need to prove the theory that I can isolate the NIC device and its traffic from Domain 0 and all other domains in a firewall application.

I guess you could do the following, where I assume that
eth1 contains your untrusted traffic:

[eth1] <-> [xen-br1] <-> domU firewall <-> [xen-br0] <-> [eth0]
(no IP)                                    (dom0's IP)

This way eth0 is firewalled from external network traffic.
Yes, the packets will travel through dom0 to get to the
domU firewall - but dom0 does not have any IP addresses
before that firewall, so it will be much harder to attack.

This is exactly what I do, and it works great. I find it hard to imagine a succesful attck against the dom0 when it doesn't have an IP address on the interface. I guess if you were really paranoid, you would do PCI delegation of that NIC to the domU, but I'm not (that paranoid).


Xen-users mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.