
RE: [Xen-users] RE: If a DomU was compramised..


  • To: <matt@xxxxxxxxxxxxxxxxxx>
  • From: "Jonathan Tripathy" <jonnyt@xxxxxxxxxxx>
  • Date: Thu, 20 May 2010 16:24:43 +0100
  • Cc: xen-users@xxxxxxxxxxxxxxxxxxx
  • Delivery-date: Thu, 20 May 2010 08:28:12 -0700
  • List-id: Xen user discussion <xen-users.lists.xensource.com>
  • Thread-index: Acr4MFPmZ9GBmZEHSByBI2vs8NsHOQAAD5qW
  • Thread-topic: [Xen-users] RE: If a DomU was compramised..

Well, the system isn't set up yet, but when I get round to it, I was thinking of just mapping a physical NIC to the dom0 for admin? Would that do?
The only ports that would be open are the ones required for management tools to work.
 
I'm just trying to figure out if the DomU was compromised, could someone "break out" of it and access the Dom0?


From: Matthew Law [mailto:matt@xxxxxxxxxxxxxxxxxx]
Sent: Thu 20/05/2010 16:22
To: Jonathan Tripathy
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: RE: [Xen-users] RE: If a DomU was compramised..


On Thu, May 20, 2010 2:47 pm, Jonathan Tripathy wrote:
> Hmm ok that worries me a bit...
>
> I thought that Xen is a type-1 hypervisor, so why do they say that VMWare
> is more suitable?
>
> Surely VMWare's *nix "console" available from the VGA port (or ssh if you
> hack it) is equivalent to the Dom0 in Xen? Or have I got the whole concept
> of a Dom0 wrong?

I suppose the bottom line is, does anyone who cannot be trusted have
access to the dom0?  My experience of PCI compliance people has been that
they often don't understand the situation so use 'no' as a standard
answer, which is what I was rather poorly alluding to.

Xen IS secure and definitely as secure if not more so than VMWare's
implementation *if* you design and implement it securely.  Auditing types
like to have simple boxes to tick and would rather not get into the
technicalities of bridging and firewall rules, so they generally say 'no'.

I am involved with a company that holds limited medical data and the
auditors flatly refuse to accept any kind of virtualised setup at all
despite having no technical reasoning to back up that decision.


Cheers,

Matt.

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
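The setup Jonathan describes above (a dedicated physical NIC for dom0 administration, with only the management ports open) is easy to state and easy to drift away from: a daemon that binds to 0.0.0.0 or [::] is reachable from the guest-facing bridge as well as from the admin NIC. The following is an added example, not code from the thread or from the Xen project, of a small audit that reads listener output in the style of `ss -ltnp` and flags anything in dom0 that is reachable from outside the admin interface. The admin address, the allowed port list, the daemon names and the listener lines are all constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of `ss -ltnp`-style output from a hypothetical dom0.
# The addresses, ports and process names are made up for this example.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     10.0.100.5:22        0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     0.0.0.0:8002         0.0.0.0:*          users:(("xend",pid=901,fd=5))
LISTEN  0       4096    127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=1200,fd=11))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
"""

# Assumed policy: the admin NIC carries this address and only SSH is a
# management port. Adjust both to match the real dom0.
ADMIN_ADDRS = {"10.0.100.5"}
ALLOWED_PORTS = {22}


def parse_listeners(ss_text):
    """Parse LISTEN rows into (address, port, process) tuples."""
    rows = []
    for line in ss_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue  # header line or a non-listening socket
        addr, _, port = parts[3].rpartition(":")
        addr = addr.strip("[]")  # "[::]" -> "::"
        proc = "?"
        if len(parts) > 5:
            m = re.search(r'\("([^"]+)"', parts[5])
            if m:
                proc = m.group(1)
        rows.append((addr, int(port), proc))
    return rows


def audit_listeners(ss_text, admin_addrs=ADMIN_ADDRS, allowed_ports=ALLOWED_PORTS):
    """Return (process, port, reason) for every listener that violates the
    'admin NIC only, management ports only' policy."""
    findings = []
    for addr, port, proc in parse_listeners(ss_text):
        ip = ipaddress.ip_address(addr)
        if ip.is_loopback:
            continue  # local-only socket, not reachable from guests or the network
        if ip.is_unspecified:
            # 0.0.0.0 or :: means the bridge (and thus the guests) can reach it.
            findings.append((proc, port, "wildcard bind reachable on every interface"))
        elif addr not in admin_addrs:
            findings.append((proc, port, f"bound to non-admin address {addr}"))
        elif port not in allowed_ports:
            findings.append((proc, port, "port not in management allow-list"))
    return findings


if __name__ == "__main__":
    for proc, port, reason in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"{proc:>8} port {port:<5} {reason}")
```

Run on the constructed sample, the sshd socket on the admin address passes, the loopback MySQL socket is ignored, and two findings remain: the management daemon bound to 0.0.0.0, and the IPv6 sshd socket bound to [::], which is the kind of thing that slips past a check that only looks at the IPv4 side. The same function can be fed real `ss -ltnp` output on the dom0 to confirm that only the intended ports on the intended NIC are exposed.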
