
Re: [Xen-users] Running workstation and firewall on the same hardware

Mark Williamson wrote:

> the case of the firewall domain being compromised, however, a "sufficiently 
> clever" attacker can probably abuse the DMA engine of the network card to 
> "break out" of the domU.

This is interesting. How robust is the isolation between domains and
what are the possible risks? From what you wrote it seems that allowing
domU access to the hardware is more risky than passing all packets to
domU through dom0.

Say that I've got two domUs - one in DMZ and one in the Intranet,
DMZ-domU has a dedicated NIC, intra-domU uses vif provided by dom0. What
are the risks of breaking out of DMZ to the Intranet?

Michal Ludvig
* Personal homepage: http://www.logix.cz/michal

Xen-users mailing list


