WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
xen-users

RE: [Xen-users] Is using w! safe to share data between domains?

On Thursday, 19.05.2005, 19:49 -0400, John A. Sullivan III wrote:
> Ah, perhaps I didn't make something sufficiently clear.  Although
> several domUs will have access to the partition, only one should have it
> mounted at any time.  In other words, the system first mounts it read
> only simply to check to see if anyone else has it mounted and, if they
> do not, they remount it as rw.  There is the possibility that, in
> between the check and the remount as rw, something could sneak in.  And
> there is the brief moment when it is mounted ro that another device
> could be writing to it in which case it is immediately unmounted.
> 
> Network exchange with a big firewall does sound technically safer from
> corruption even if less safe from intrusion.  Thanks - John
[...]
Do you want to protect the CA domU only from the outside world, or does
it have to be protected from the other (networked, hence potentially r00ted)
domUs (with which the CA domU exchanges data), too?

In the latter case, the other domU could try to attack the filesystem
driver of the CA domU by writing malicious fs metadata (like corrupt
inode tables/superblocks/whatever) to that partition. I'd consider an nfs
relay between them safer!

And you could make firewalling much easier if you use a "virtual DMZ"
topology (all interfaces marked with a * shall use private rfc1918 ip
addresses):

  evil internet 
        |
        |
    dom0-eth0
        |
        |xen-br0
        |
    dom1-eth0
  networked domU, maybe compromised, has to exchange data with dom3
    dom1-eth1*
        |
        |xen-br1 (has no ip in dom0)
        |
    dom2-eth0*
  nfs-server, no ip-forwarding
    dom2-eth1*
        |
        |xen-br2 (has no ip in dom0)
        |
    dom3-eth0*
  CA-domU

Even without any firewalling: to break into the CA domU, an attacker has
to take over dom1, then the nfs-service on dom2 and finally the
nfs-client on dom3.

I think it would be easier to attack the sshd on dom0 to compromise them
all ;)

/nils.
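
The virtual DMZ above written out as dom0 bridge setup, Xen 2.x-style domain configs and the relay-side settings on dom2. This is an added example, not code from the thread or from the Xen project; the bridge and domain names follow the diagram, while the kernel path, the /srv/relay export, the 192.168.x.x addresses and the one-way rw/ro split are assumptions.

```shell
#!/bin/sh
# Added example for the "virtual DMZ" topology. Assumes Xen 2.x-era tooling
# (brctl, Python-syntax domain configs); addresses and paths are placeholders.

# Inner bridges get no IP address in dom0, so dom0 is never a layer-3 hop
# between the segments (the diagram's "has no ip in dom0").
setup_isolated_bridges() {
    for br in xen-br1 xen-br2; do
        brctl addbr "$br"
        brctl stp "$br" off
        ip link set "$br" up        # deliberately no "ip addr add"
    done
}

# One config per domU in DIR; each domain only sees the bridges the diagram
# gives it, so dom1 has no direct path to dom3's segment.
write_domu_configs() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/dom1" <<'EOF'
name   = "dom1"      # networked, maybe compromised
kernel = "/boot/vmlinuz-2.6-xenU"
memory = 128
vif    = ['bridge=xen-br0', 'bridge=xen-br1']
EOF
    cat > "$dir/dom2" <<'EOF'
name   = "dom2"      # nfs relay: eth0 on xen-br1, eth1 on xen-br2
kernel = "/boot/vmlinuz-2.6-xenU"
memory = 64
vif    = ['bridge=xen-br1', 'bridge=xen-br2']
EOF
    cat > "$dir/dom3" <<'EOF'
name   = "dom3"      # CA domU, reachable only through dom2
kernel = "/boot/vmlinuz-2.6-xenU"
memory = 64
vif    = ['bridge=xen-br2']
EOF
}

# Inside dom2: never route between the segments, and export the relay
# directory to exactly one peer per side (assumed: dom1 writes, dom3 reads).
dom2_relay_setup() {
    sysctl -w net.ipv4.ip_forward=0
    cat > /etc/exports <<'EOF'
/srv/relay  192.168.1.1(rw,sync,root_squash)   # dom1-eth1 (assumed address)
/srv/relay  192.168.2.3(ro,sync,root_squash)   # dom3-eth0 (assumed address)
EOF
    exportfs -ra
}
```

Run setup_isolated_bridges and write_domu_configs /etc/xen as root on dom0, and dom2_relay_setup as root inside dom2; any firewalling is then reduced to dom1's eth0 facing the outside.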


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users