
Re: [Xen-users] Ideal(istic) Xen firewall design

On Mon, Aug 15, 2005 at 08:01:01AM +0200, Dirk H. Schulz wrote:
> There is one more reason to put the firewall into a guest system: the 
> guests use the smaller kernels (without hardware support etc.), so there 
> is less possibility of kernel bugs that can be used to crack the 
> firewall. It is more of a statistical perspective, but with firewalling 
> everything should be used to avoid leaks, I think.

However, the parts of the kernel that an attacker has leverage on (the
TCP/IP stack and netfilter) are the same whether dom0 or domU.  I'll
grant you the NIC driver, but I refuse to worry greatly about it.  :-)

There is overwhelming evidence that the higher the level of self-esteem,
the more likely one will be to treat others with respect, kindness, and
generosity. -- Nathaniel Branden

Xen-users mailing list


