
RE: [Xen-users] RE: If a DomU was compramised..


  • To: <matt@xxxxxxxxxxxxxxxxxx>, <xen-users@xxxxxxxxxxxxxxxxxxx>
  • From: "Jonathan Tripathy" <jonnyt@xxxxxxxxxxx>
  • Date: Thu, 20 May 2010 14:47:10 +0100
  • Cc:
  • Delivery-date: Thu, 20 May 2010 06:50:32 -0700
  • List-id: Xen user discussion <xen-users.lists.xensource.com>
  • Thread-index: Acr4HePim4rc+GAmQu6ocKalQFdhiwABQ4Og
  • Thread-topic: [Xen-users] RE: If a DomU was compramised..

Hmm ok that worries me a bit...

I thought that Xen is a type-1 hypervisor, so why do they say that VMWare is more suitable?

Surely VMWare's *nix "console" available from the VGA port (or ssh if you hack it) is equivalent to the Dom0 in Xen? Or have I got the whole concept of a Dom0 wrong?


From: Matthew Law [mailto:matt@xxxxxxxxxxxxxxxxxx]
Sent: Thu 20/05/2010 14:10
To: Jonathan Tripathy
Subject: RE: [Xen-users] RE: If a DomU was compramised..


On Thu, May 20, 2010 1:41 pm, Jonathan Tripathy wrote:
> Ok so to sum up, it's no worse than VMWare ESXi?

Exactly.  However, if you were to ask a PCI DSS assessor they would
probably give you the scripted answer that Xen is not a suitable candidate
for a PCI DSS environment despite the fact that if configured properly it
is no more insecure than ESXi or a hardware box.

Another option to increase separation between the dom0 and domUs is to
configure the dom0 to only be accessible on one physical interface which
is and then have another public interface with no address which is bridged
for the domUs.  Unless I am mistaken, this is the default setup for XCP
and XenServer when multiple interfaces are available.


Cheers,

Matt.

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
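The separation Matt describes (dom0 addressed only on a management interface, the domU bridge left with no address) is easy to get wrong in a distro network config, so here is an added check script that is not from the thread or the Xen project. It assumes the management interface is named eth0 and the domU bridge xenbr1 (override via MGMT_IF / DOMU_BRIDGE), and reads the text of `ip -o addr show` so it can also be run against a captured snapshot.

```shell
#!/bin/sh
# Added example: verify dom0/domU network separation from `ip -o addr show` output.
# Assumptions (not from the thread): eth0 is dom0's management interface,
# xenbr1 is the bridge carrying domU traffic and must hold no address.
MGMT_IF="${MGMT_IF:-eth0}"
DOMU_BRIDGE="${DOMU_BRIDGE:-xenbr1}"

# addr_count IFACE ADDRS: number of inet/inet6 entries for IFACE in `ip -o addr` text.
# Link-local inet6 on the bridge is counted too: it is still a path from domUs to dom0
# (disable it with sysctl net.ipv6.conf.<bridge>.disable_ipv6=1 if you do not need it).
addr_count() {
    printf '%s\n' "$2" | awk -v ifc="$1" \
        '$2 == ifc && ($3 == "inet" || $3 == "inet6") { n++ } END { print n + 0 }'
}

# check_separation ADDRS: returns 0 only if the management interface has an address
# and the domU bridge has none.
check_separation() {
    mgmt=$(addr_count "$MGMT_IF" "$1")
    domu=$(addr_count "$DOMU_BRIDGE" "$1")
    if [ "$mgmt" -eq 0 ]; then
        echo "FAIL: $MGMT_IF has no address; dom0 unreachable for management" >&2
        return 1
    fi
    if [ "$domu" -ne 0 ]; then
        echo "FAIL: $DOMU_BRIDGE carries $domu address(es); dom0 reachable from domU network" >&2
        return 1
    fi
    echo "OK: $MGMT_IF addressed, $DOMU_BRIDGE address-free"
    return 0
}

# Constructed, abridged `ip -o addr show` snapshot of a correctly separated dom0
# (an address-free bridge simply does not appear in this output).
GOOD_SNAPSHOT='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0'

# Constructed snapshot where the domU bridge was given an address by mistake.
BAD_SNAPSHOT="$GOOD_SNAPSHOT
4: xenbr1    inet 198.51.100.1/24 brd 198.51.100.255 scope global xenbr1"

# On a live dom0: check_separation "$(ip -o addr show)"
```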
