Re: [Xen-users] Ideal(istic) Xen firewall design

On Mon, Aug 15, 2005 at 09:34:10AM +1200, Mike Tierney wrote:
> But it is still tempting to just do away with the separate firewall vm and
> do all the firewalling in Dom0!

That seems perfectly reasonable to me for a filtering router sort of
firewall with no exposed services.  Unless you're going to make dom0
itself console-only access (with good physical security on that
access), I can't see where it does much good to push the filtering into
a domU.  Of course if you're shutting down and restarting the filtering
firewall, you'd probably better be accessing dom0 from console
anyway.  :-/

Frankly, if you have *any* non-console access to dom0 (or poor physical
security), I would expect that to be a bigger threat than a break-in
through the kernel's IP stack/netfilter.  But there's no one right
answer - it really depends on your specific threat model and all the
rest of that stuff that we all prefer not to quantify because it's so
much work to get results that you know have a lot of best guesses and
estimates in 'em...  But without that judging the tradeoff is *really*

In software as well as in modern art,
the distinction between intentional and accidental omissions
is often difficult to make.  -- Andrew Hunt & David Thomas
