[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] Re: firewalls and Xen



Don't you find it troublesome that all of your domUs can communicate
freely with each other?

I'm thinking that if one domU is breached, a hacker will have total
freedom to poke at any ports on any of the other domUs regardless of
the firewall.

You are correct, but that's typically how servers are setup in a DMZ in a non-consolidated environment. Each server is responsible for protecting itself from penetration. My firewall's primary goal is to protect your INTERNAL systems from the internet and the DMZ systems. It also provides some protection for the DMZ systems, but if one of them has a hole and gets hacked, you want to make sure they can't get any further than the DMZ.

If you want to get all paranoid and isolate each domU from each other, go for it. Use the routed method, and have separate firewall rules for each server. Your firewall will be a little more heavily loaded, but that's the price you pay. Also, keep in mind that XEN currently doesn't support more than three network interfaces per domU, so you end up having to have one firewall for every two domU's.

In my opinion, a better solution is be to install shorewall (or whatever firewall package you like) on every domU, so it can protect itself.

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.