
Re: [Xen-users] Running workstation and firewall on the same hardware

> I'm a paranoid SuSE guy.

That's the most succinct introduction we've had in a while :-)

> Recently I discovered Xen, and thought that I could use it to combine
> the workstation and firewall in one piece of hardware.
> First plan was to create 3 xen domains: Dom0, WS and FW
> But it seems to be quite a job to make all my fancy hardware available
> to anything but Dom0

Yep, right now it's easiest to give all that stuff to dom0.

> Next idea is to only have two domains: Dom0 and FW. And then use Dom0
> for workstation.
> What are your suggestions?

Conceptually the simplest would be to have dom0 forward *link level* packets 
to a domU, which can filter them at IP level and then send them back to dom0.  
In this scheme dom0 still receives the packets initially but doesn't do 
anything with them until they've been verified by the domU.  Link-level 
attacks on dom0 could compromise the machine but a compromise of the domU 
will not (although your IP traffic is obviously untrusted then).

A better-performing solution would be to dedicate the network card to the domU 
and have it do link-level and IP level processing, then forward packets to 
dom0 over a virtual interface.  To do this you need to:
* hide the PCI device from dom0 (so it doesn't grab it)
* then assign the device to the domU
* then start a kernel with the network driver in the domU (you could just use 
the xen0 kernel, it's fine)

Crashes of the domU should generally not take down the whole system, so it 
should be quite robust to errors.  dom0 doesn't see the packets at all until 
the firewall has vetted them, so it can be protected rather effectively.  In 
the case of the firewall domain being compromised, however, a "sufficiently 
clever" attacker can probably abuse the DMA engine of the network card to 
"break out" of the domU.

Lots of people are using device assignment with great success.
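
Added example, not part of the original message or of the Xen project's code: a dom0-side check that the NIC really is hidden from dom0 before its address is put in the firewall domU's configuration. It assumes a Linux dom0 with sysfs, that the hiding driver shows up under the name `pciback`, and the `pci = [ ... ]` domU config syntax; the PCI address is whatever your card uses.

```shell
#!/bin/sh
# Added example: verify a PCI NIC is hidden from dom0 before assigning it
# to the firewall domU.
# Assumptions: sysfs layout of a Linux dom0; hiding driver named "pciback";
# domU config syntax "pci = [ 'BDF' ]". None of these are stated in the post.

# Overridable so the check can be exercised on a constructed directory tree.
SYSFS_ROOT="${SYSFS_ROOT:-/sys}"

# Print the driver currently bound to PCI device $1:
# the driver name, "none" (unbound) or "missing" (no such device).
pci_driver() {
    dev="$SYSFS_ROOT/bus/pci/devices/$1"
    [ -d "$dev" ] || { echo "missing"; return 0; }
    if [ -L "$dev/driver" ]; then
        basename "$(readlink "$dev/driver")"
    else
        echo "none"
    fi
}

# Succeed only if the device is held by pciback, i.e. no dom0 network
# driver has grabbed it.
hidden_from_dom0() {
    case "$(pci_driver "$1")" in
        pciback) return 0 ;;
        *)       return 1 ;;
    esac
}

# Print the domU config line for the device, refusing if dom0 still owns it.
domu_pci_line() {
    if ! hidden_from_dom0 "$1"; then
        echo "refusing: $1 is bound to '$(pci_driver "$1")' in dom0" >&2
        return 1
    fi
    printf "pci = [ '%s' ]\n" "$1"
}

# Stand-alone use: ./check-nic.sh 0000:01:00.0
if [ $# -gt 0 ]; then
    domu_pci_line "$1"
fi
```

A device reported as `none` is unbound but not reserved for assignment, so the script treats it the same as one still owned by a dom0 driver.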

