Re: [Xen-users] Ideal(istic) Xen firewall design
On Mon, Aug 15, 2005 at 08:01:01AM +0200, Dirk H. Schulz wrote:
> There is one more reason to put the firewall into a guest system: The
> guests use the smaller kernels (without hardware support etc.), so there
> is less possibility of kernel bugs that can be used to crack the
> firewall. It is more of a statistic perspective but with firewalling
> everything should be used to avoid leaks, I think.

However, the parts of the kernel that an attacker has leverage on (the
TCP/IP stack and netfilter) are the same whether dom0 or domU. I'll grant
you the NIC driver, but I refuse to worry greatly about it. :-)

--
There is overwhelming evidence that the higher the level of self-esteem,
the more likely one will be to treat others with respect, kindness, and
generosity.
  -- Nathaniel Branden

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users