
Re: [Xen-users] Security in Virtual Machine

  • To: xen-users@xxxxxxxxxxxxx
  • From: Alexandre Kouznetsov <alk@xxxxxxxxxx>
  • Date: Mon, 20 May 2013 17:23:20 -0500
  • Delivery-date: Mon, 20 May 2013 22:24:31 +0000
  • List-id: Xen user discussion <xen-users.lists.xen.org>


On 20/05/13 16:51, Alberto wrote:
> I have a HOST (Server Fisico) connected to the internet. It has 2
> network cards: the first one (eth0) is connected to the router, the other
> (eth1) is connected to the LAN.
> eth1 is bridged to the virtual machines' network, and one of them
> (virtual1) has an HTTP server. Everything is running correctly.
I will assume that your HOST server is running Xen Dom0.
Probably, it is also acting as a router between 192.168.1.X and 192.168.2.X, which makes DNAT and the firewall run within the same Dom0.

> I have an IPTABLES firewall running on the HOST with DNAT forwarding HTTP
> traffic to Virtual1. I have IPTABLES rules in the HOST to block some
> IPs that give me problems, but these rules do not protect Virtual1.
> All HTTP traffic is forwarded to Virtual1, even if the source IP is
> blocked by the IPTABLES rules.
Virtual1 is probably a DomU running on the same HOST.

What happens here is that there might be an iptables rule, matching the unwelcome incoming connection, that is evaluated before the rules that intend to block that connection. Once it is matched, the decision ACCEPT is made and no other rule is evaluated. To make sure, a careful inspection of "iptables -L -v" is needed.

Please note that Xen Dom0's firewall needs to be quite permissive in order to make network communication work. A fine configuration is possible, but fairly tricky to set up, and even more tricky to maintain.

> I had an attack, and I couldn't block the HTTP traffic to
> Virtual1; the IPTABLES rules do not affect it.
>
> What can I do to give security to virtual machines?
The first recommendation is to give security to your Dom0 machine: do not expose it directly to your DMZ network. Your advantage here is that you have 2 network cards, so you can make a good separation. Second, avoid using the Dom0 as router/firewall; Xen's own iptables rules make things very confusing, so it's easier to leave Xen's to Xen and do the firewalling on a dedicated VM, even within the same physical box.

I would suggest reconsidering the network topology.
1. Let's say your "Servidor Fisico" has a bridge xenbr0 containing eth0, and xenbr1 containing eth1. Make it have no IP on xenbr0 (exposed), only on xenbr1 (internal).
2. Set up a virtual machine to act as router; make it have one interface within xenbr0 and another in xenbr1.
3. Make this virtual machine route and NAT traffic between the Internet and the internal network; the same machine may act as DHCP server and DNS for your internal network. Your Virtual1 would be treated just as another host in your internal network.

This is a fairly simple yet flexible setup; it will allow you to keep things clear and separated from one another.


Alexandre Kouznetsov
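
The "iptables -L -v" inspection suggested in the reply above, turned into two small checks over an iptables-save dump, as an added example that is not part of the original thread. The dump, the addresses and the bridge names are constructed to mirror the thread's setup (Dom0 doing DNAT of port 80 to Virtual1); the first check finds DROP rules placed behind an ACCEPT in the same chain, the second finds sources dropped only in INPUT, which DNAT'd traffic to a DomU never traverses (it goes through FORWARD).

```shell
#!/bin/sh
# Constructed iptables-save dump (not from the thread): port 80 is DNAT'd
# to Virtual1, a broad ACCEPT sits in FORWARD ahead of a DROP for one
# troublesome source, and a second source is dropped only in INPUT.
RULES='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.2.10:80
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -s 203.0.113.7 -j DROP
-A INPUT -s 198.51.100.9 -j DROP
-A FORWARD -i eth0 -o xenbr1 -p tcp -d 192.168.2.10 --dport 80 -j ACCEPT
-A FORWARD -s 203.0.113.7 -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT'

# Check 1: DROP/REJECT rules in chain $1 that come after an ACCEPT in the
# same chain. First match wins, so such a rule only sees traffic the
# earlier ACCEPT did not already take. Reads the dump on stdin.
shadowed_drops() {
    awk -v chain="$1" '
        $1 == "-A" && $2 == chain {
            if ($NF == "ACCEPT") seen_accept = NR
            else if (($NF == "DROP" || $NF == "REJECT") && seen_accept) print $0
        }'
}

# Check 2: sources dropped in INPUT with no matching DROP in FORWARD.
# Packets DNAT'd to another host (the DomU) are forwarded, not delivered
# locally, so an INPUT-only block never applies to them.
input_only_drops() {
    awk '
        $1 == "-A" && $NF == "DROP" {
            src = ""
            for (i = 3; i < NF; i++) if ($i == "-s") src = $(i + 1)
            if (src == "") next
            if ($2 == "INPUT")   in_input[src] = 1
            if ($2 == "FORWARD") in_fwd[src]   = 1
        }
        END { for (s in in_input) if (!(s in in_fwd)) print s }'
}

printf 'DROP rules shadowed by an earlier ACCEPT in FORWARD:\n'
printf '%s\n' "$RULES" | shadowed_drops FORWARD
printf 'Sources blocked only in INPUT (forwarded traffic unaffected):\n'
printf '%s\n' "$RULES" | input_only_drops
```

On a live Dom0 the same functions can be fed with `iptables-save` output instead of the constructed dump.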
