Hi everyone,
What iv decided to do is just install a firewall in a DomU which has access to a physical NIC (connected to ISP) via PCI passthrough. The rest will all be internal bridges with another DomU (acting as a terminal server) having direct access to the other physical NIC which thin clients connect to.
Management access to Dom0 will be via a third physical NIC.
Seem Fair?
Thanks
Sent from my iPhone Matthew Law wrote:On Thu, May 20, 2010 4:47 pm, Vern Burke wrote:
Anything is possible, but I think it's unlikely. Given the number of VMs
on Amazon, if this was a real problem, we'd have seen it long before
this.
Most likely way to get hacked is still what it's always been, lousy admin
practices.
I agree with Vern although I would go as far as to say that even with
exceptionally good security and admin practices in place I think that if
someone really wants to get in and has the skill, they will, eventually.
Buy more insurance! :-P
Cheers,
Matt
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
Just as an aside, we also use ossec-hids (client/server setup) for anyhost that has the potential for being compromised (web servers,generally, but others apply). I've not done this for our Dom0's,however, because the only access to them is administrative. (ssh fromabout 3 addresses)-- --Steven G. Spencer, Network AdministratorKSC Corporate - The Kelly Supply Family of CompaniesOffice 308-382-8764 Ext. 231Mobile 308-380-7957
|
