Re: [Xen-users] Re: Network isolation - PCI passthrough question
On 21/12/2010 19:53, Simon Hobson wrote:
> Jean Baptiste FAVRE wrote:
>
>> I understand what you mean. But even if dom0 has no interface bridged, I
>> think I'll be able to listen to network traffic, no?
> ...
>> I want to mitigate consequences if dom0 gets compromised, that's why I'm
>> trying to isolate network.
>
> All traffic passes through a process in Dom0 - that's just the way it's
> been built. But bear this in mind, if your Dom0 is compromised then
> EVERYTHING running on that physical machine is also compromised. If you
> control Dom0, you have access to all the guests, their memory, and their
> disks - as well as their network traffic.
>
> In other words, worrying about someone being able to sniff network
> traffic when they've compromised your Dom0 is a bit like the captain of
> the Titanic worrying about someone helping themselves at the bar while
> the crew are distracted by an iceberg!

Hello Simon,

Well, I didn't see things like that, but I must admit you're right :)
And since I don't want to be the captain of the Titanic, I think protecting dom0 from direct access with my firewall domU is better than nothing.

Thanks to all of you for helping me better understand Xen!
I'll now make my tests, write documentation and publish it.
Will keep you updated.

Regards,
JB

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users