
RE: [Xen-users] Isolated network


  • To: "Jonathan Tripathy" <jonnyt@xxxxxxxxxxx>, <Xen-users@xxxxxxxxxxxxxxxxxxx>
  • From: Jeff Sturm <jeff.sturm@xxxxxxxxxx>
  • Date: Fri, 4 Jun 2010 12:24:54 -0400
  • Cc:
  • Delivery-date: Fri, 04 Jun 2010 09:27:28 -0700
  • List-id: Xen user discussion <xen-users.lists.xensource.com>
  • Thread-index: AcsD5l1okDBDeJBnT4iuJMV0LSr0mgAAIn9IAAQxvTAAAHCAKwAB/3Ww
  • Thread-topic: [Xen-users] Isolated network

>>> Sorry, I think I worded my post wrong. What I meant was is there a way
>>> to make sure that the DomUs can't access the Dom0, i.e. so they
>>> are on an isolated network. By default in virt-manager, the Dom0
>>> gets attached to each bridge created...

>> Simply don't assign an IP to the bridge device in your dom0.

> And this is secure? Could I make it any better by using ebtables or
> anything like that?

You may want to do other things like disable IP forwarding and make sure
there's nothing else on your network that will route from your domU to
your dom0 network.  If your dom0 doesn't have separate physical
interfaces, creating VLANs to segregate the networks is helpful.

I can't say whether this is bulletproof, since I don't follow much
research on Xen security.  But it's a starting point, and the one I
would choose.

-Jeff



_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
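
Added example, not part of the message above or of the Xen project: a dom0 audit for the two settings suggested in the reply (no address on the guest bridge, IP forwarding off). The bridge name xenbr1 and the sample `ip`/`sysctl` output are constructed; the check also flags IPv6 link-local addresses, which goes beyond the IPv4 case discussed in the thread.

```shell
#!/bin/sh
# Audit a dom0 for: no address on the guest bridge, no IP forwarding.
# Bridge name (xenbr1) and all sample data below are constructed.

# Print every address bound to bridge $1; stdin is `ip -o addr show` output.
# inet6 is included: a bridge with no IPv4 address can still hold an fe80::
# link-local address that guests attached to that bridge can reach.
bridge_addrs() {
    awk -v br="$1" '$2 == br && ($3 == "inet" || $3 == "inet6") { print $3 " " $4 }'
}

# Print each forwarding sysctl whose value is not 0; stdin is `sysctl` output.
forwarding_on() {
    awk -F' *= *' 'NF == 2 && $2 != "0" { print $1 }'
}

# audit_dom0 BRIDGE IP_OUTPUT SYSCTL_OUTPUT: prints findings, returns 1 if any.
audit_dom0() {
    rc=0
    addrs=$(printf '%s\n' "$2" | bridge_addrs "$1")
    fwd=$(printf '%s\n' "$3" | forwarding_on)
    if [ -n "$addrs" ]; then
        printf 'FAIL: %s has address(es):\n%s\n' "$1" "$addrs"; rc=1
    fi
    if [ -n "$fwd" ]; then
        printf 'FAIL: forwarding enabled:\n%s\n' "$fwd"; rc=1
    fi
    [ "$rc" -eq 0 ] && printf 'OK: %s has no address, forwarding is off\n' "$1"
    return "$rc"
}

# Constructed sample input (trimmed `ip -o addr show` and `sysctl` output).
SAMPLE_IP='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0
5: xenbr1    inet6 fe80::200:ff:fe00:1/64 scope link'
SAMPLE_SYSCTL='net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 0'

# Sample run. On a real dom0, pass "$(ip -o addr show)" and
# "$(sysctl net.ipv4.ip_forward net.ipv6.conf.all.forwarding)" instead.
audit_dom0 xenbr1 "$SAMPLE_IP" "$SAMPLE_SYSCTL" || true
```
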


 

