|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-users] Re: firewalls and Xen
Don't you find it troublesome that all of your domUs can communicate freely with each other? I'm thinking that if one domU is breached, a hacker will have total freedom to poke at any ports on any of the other domUs regardless of the firewall. You are correct, but that's typically how servers are setup in a DMZ in a non-consolidated environment. Each server is responsible for protecting itself from penetration. My firewall's primary goal is to protect your INTERNAL systems from the internet and the DMZ systems. It also provides some protection for the DMZ systems, but if one of them has a hole and gets hacked, you want to make sure they can't get any further than the DMZ. If you want to get all paranoid and isolate each domU from each other, go for it. Use the routed method, and have separate firewall rules for each server. Your firewall will be a little more heavily loaded, but that's the price you pay. Also, keep in mind that XEN currently doesn't support more than three network interfaces per domU, so you end up having to have one firewall for every two domU's. In my opinion, a better solution is be to install shorewall (or whatever firewall package you like) on every domU, so it can protect itself. _______________________________________________ Xen-users mailing list Xen-users@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-users
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |