[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] Xen Security



On Friday 16 July 2010 11:24:08 Jonathan Tripathy wrote:
> On Fri, Jul 16, 2010 at 3:32 PM, Jonathan Tripathy <jonnyt@xxxxxxxxxxx> 
wrote:
> > I'm guessing the same risks apply to Xen as they do
> > VMWare?
> 
> in general, yes. As for vendor support, Redhat has been very
> responsive in fixing whatever security bug that comes up (like
> http://www.securitytracker.com/alerts/2009/Oct/1022977.html), so if
> you're concerned about that, I suggest using RHEL/Centos and their
> bundled Xen/kernel-xen version (which might be somewhat old, but
> should be sufficient for most uses).
> 
> I also suggest you do whatever security measures you normally do in
> your normal, non-virtual environment. Think of domU as just another
> server, and dom0 as SAN/switch/router/firewall.
> 
> For example, if you never bother to rewrite a SAN's LUN with 0s before
> reusing it on another host, then I don't see why you should bother
> writing 0s to an LV that will be used by Xen. Another example, if
> you're comfortable having a single firewall box and switch used by all
> traffic on your network (using vlans), then I don't see why you should
> treat Xen networking differently.
> 
> --
> Fajar
> 
> ---------------------------------------------------------------------------
> ---------------------------------------------------------------------------
> -----
> 
> 
> Hi Fajar,
> 
> I am using CentOS 5.5 with the stock Xen kernel that came with it, however
>  I'm using Xen 3.4.2 from gitco.de - think this is safe enough?
> 
> I'm fairly sure that my network setup is secure. I'm using iptables to
>  prevent IP spoofing, and using ebtables to prevent MAC spoofing. A
>  firewall DomU (pfsense) has WAN, LAN, DMZ and PUBLIC interfaces. WAN and
>  PUBLIC are bridged (For the customers' public VMs). The DMZ subnet only
>  allows certain needed incoming ports from the internet (via NAT port
>  forwarding), and outbound is also restricted to what's only needed. The
>  LAN subnet doesn't allow any incoming ports from the internet. Ports
>  between DMZ and LAN are also only open on a "need to" basis. I've been
>  told that since my Public and DMZ bridges in the Dom0 have no IP
>  addresses, it is impossible for the Dom0 to route traffic between them
>  without going through the firewall DomU.
> 
> What you think?
> 
> Thanks
> 

Jonathan, I will "psychologically" shortcut your question :-)   : you actually 
really want to do this and you need approval by someone of the list. This is 
not a good way to handle this matter. Think of the consequences of a security 
breach, then think about the expenses to avoid this and then come to a 
conclusion. What you are doing is bottom-up: you have your infrastructure and 
you wonder if you can bend it in such a way it will give you peace of mind. 


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.