xen-users
Re: [Xen-users] Running workstation and firewall on the same hardware
> I'm a paranoid SuSE guy.
That's the most succinct introduction we've had in a while :-)
> Recently I discovered Xen, and thought that I could use it to combine
> the workstation and firewall in one piece of hardware.
>
> First plan was to create 3 xen domains: Dom0, WS and FW
>
> But it seems to be quite a job to make all my fancy hardware available
> to anything but Dom0
Yep, right now it's easiest to give all that stuff to dom0.
> Next idea is to only have two domains: Dom0 and FW. And then use Dom0
> for workstation.
>
> What are your suggestions?
Conceptually the simplest would be to have dom0 forward *link level* packets
to a domU, which can filter them at IP level and then send them back to dom0.
In this scheme dom0 still receives the packets initially but doesn't do
anything with them until they've been verified by the domU. Link-level
attacks on dom0 could compromise the machine but a compromise of the domU
will not (although your IP traffic is obviously untrusted then).
A better-performing solution would be to dedicate the network card to the domU
and have it do link-level and IP-level processing, then forward packets to
dom0 over a virtual interface. To do this you need to:
* hide the PCI device from dom0 (so it doesn't grab it)
* then assign the device to the domU
* then start a kernel with the network driver in the domU (you could just use
the xen0 kernel, it's fine)
Crashes of the domU should generally not take down the whole system, so it
should be quite robust to errors. dom0 doesn't see the packets at all until
the firewall has vetted them, so it can be protected rather effectively. In
the case of the firewall domain being compromised, however, a "sufficiently
clever" attacker can probably abuse the DMA engine of the network card to
"break out" of the domU.
Lots of people are using device assignment with great success.
Cheers,
Mark
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
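The three-step device-assignment procedure in the reply above, as an added example (not code from the post or from the Xen project): it shows the dom0 hide step, a domU config that takes the NIC, and a check that dom0 has really released the device before the firewall domain is started. The PCI address 0000:02:00.0, the domain name "fw", the bridge name xenbr0 and the memory size are hypothetical values.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: dedicate the NIC to a
# firewall domU as the reply outlines, then verify dom0 has let go of it.
# Hypothetical values: NIC at PCI address 0000:02:00.0, domain named "fw".
NIC_BDF="0000:02:00.0"

# Step 1: hide the NIC from dom0. Classic Xen 3.x dom0 kernels take this on
# the kernel command line (pvops dom0 kernels spell it xen-pciback.hide):
#     pciback.hide=(02:00.0)
# A modern xl toolstack can also do it at run time:
#     xl pci-assignable-add 02:00.0

# Step 2: assign the device to the domU. The config is rendered to the path
# given as $1 so it can be inspected before use.
write_fw_config() {
    cat > "$1" <<EOF
name = "fw"
memory = 128
# physical NIC: link-level and IP filtering happen inside this domain
pci = [ '${NIC_BDF#0000:}' ]
# virtual interface back to dom0; the only path by which dom0 sees packets
vif = [ 'bridge=xenbr0' ]
EOF
}

# Step 3 (check): before starting the domU, confirm the NIC is bound to the
# pciback driver and not to a dom0 NIC driver. $2 overrides the sysfs root so
# the check can be run against a constructed tree.
nic_driver() {
    link="${2:-/sys}/bus/pci/devices/$1/driver"
    [ -L "$link" ] || { echo "none"; return 0; }
    basename "$(readlink "$link")"
}

nic_held_by_pciback() {
    case "$(nic_driver "$1" "$2")" in
        pciback|xen-pciback) return 0 ;;
        *) return 1 ;;
    esac
}

if nic_held_by_pciback "$NIC_BDF"; then
    echo "$NIC_BDF is held by pciback; safe to start the fw domain"
else
    echo "$NIC_BDF is driven by $(nic_driver "$NIC_BDF") in dom0; hide it first" >&2
fi
```

If the check reports a dom0 NIC driver, the hide step has not taken effect (typically a missing reboot or a mistyped address) and starting the domU will fail or leave dom0 in control of the card.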