[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] domU security

Hi William,

William schrieb:

When one rents a domU, what are some of the security concerns to have? I haven't used Xen at all, but am considering to purchase a domU. I guess the administrator of the xen server (dom0) can read all information (hard drive) on all domUs, is this correct? What would be some countermeasures? Lets say I don't want them reading the emails in my mail server.

Besides what Mathias already answered (you have to trust your provider or be your own provider) there is several things you can do:

1. Rent a NetBSD domU that runs on a linux host. That makes it at least more difficult to mount the file system of your domU into dom0. 2. Use NetBSDs cryptographic file system pseudo device to encrypt your file system (at least the parts you want to keep secret).
3. Use TLS for all of your network communication.

All these steps make it more difficult to peep into your data, but not impossible.

Concerning the phrase "trust your provider" you have to consider: Even renting hardware does not give you real security, because the people at the provider can reboot your server at night with a knoppix cd and configure access for later.

Perhaps you should make a list of what exactly you want to keep private and then we could discuss other means of doing this.


Xen-users mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.