
Re: [Xen-users] Running workstation and firewall on the same hardware

On Mon, 8 Aug 2005, Mark Williamson wrote:

> > I'm a paranoid SuSE guy.
> That's the most succinct introduction we've had in a while :-)
> > Recently I discovered Xen, and thought that I could use it to combine
> > the workstation and firewall in one piece of hardware.
> >
> > First plan was to create 3 xen domains: Dom0, WS and FW
> >
> > But it seems to be quite a job to make all my fancy hardware available
> > to anything but Dom0
> Yep, right now it's easiest to give all that stuff to dom0.
> > Next idea is to only have two domains: Dom0 and FW. And then use Dom0
> > for workstation.
> >
> > What are your suggestions?
> Conceptually the simplest would be to have dom0 forward *link level* packets
> to a domU, which can filter them at IP level and then send them back to dom0.
> In this scheme dom0 still receives the packets initially but doesn't do
> anything with them until they've been verified by the domU.  Link-level
> attacks on dom0 could compromise the machine but a compromise of the domU
> will not (although your IP traffic is obviously untrusted then).

Maybe I've missed something obvious, but how would you do this?



- --

"There are 10 types of people in the world: Those who understand binary
and those that don't."
