|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-users] Re: Creating a DMZ domU
On Wed, 2008-07-16 at 07:19 -0400, Christopher Isip wrote: > > > > > > > > Normally not. There is no way for the 'outside' network to > address your dom0 machine. If it does not have an IP address > on the external bridge that is > > > If the dmz is compromised though, the attacker would have access to > the dmz bridge and all hosts connected to it right?. This should > exclude dom0 since there is no interface in dom0 attached to the dmz > bridge (xenbrD). Is this correct? > > > [root@mymainserver ~]# brctl show > bridge name bridge id STP enabled interfaces > eth0 8000.00146c30c25a no vif8.0 > vif7.0 > vif6.0 > vif5.0 > vif4.0 > vif3.0 > vif2.0 > vif1.0 > peth0 > virbr0 8000.000000000000 yes > xenbrD 8000.feffffffffff no vif11.0 > vif2.1 > > I believe in the above vif1.0 is probably attached to the asterisk > domU while vif2.1 is to the dmz domU though I dont know how to check > for sure. I did not manually enslave a dom0 interface to the xenbrD > bridge when I created it. > > Thanks > Chris <snip> Hmm . . . I'm not sure how this would work. I suppose it might be best to pretend to be the bad guy. If you run a sniffer (tcpdump, wireshark) in promiscuous mode on the DMZ server, what do you see? Anything that would give clues to the internal network? If you have console access on the DMZ server and you know where you want to go on the internal network (from sniffing the wire), can you get there unfettered? Just a few thoughts. Let me know how you fare :) - John > -- John A. Sullivan III Open Source Development Corporation +1 207-985-7880 jsullivan@xxxxxxxxxxxxxxxxxxx http://www.spiritualoutreach.com Making Christianity intelligible to secular society _______________________________________________ Xen-users mailing list Xen-users@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-users
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |