xen-users
Re: [Xen-users] Running workstation and firewall on the same hardware
On Mon, 8 Aug 2005, Mark Williamson wrote:
> > I'm a paranoid SuSE guy.
>
> That's the most succinct introduction we've had in a while :-)
>
> > Recently I discovered Xen, and thought that I could use it to combine
> > the workstation and firewall in one piece of hardware.
> >
> > First plan was to create 3 xen domains: Dom0, WS and FW
> >
> > But it seems to be quite a job to get all my fancy hardware available
> > to anything but Dom0
>
> Yep, right now it's easiest to give all that stuff to dom0.
>
> > Next idea is to only have two domains: Dom0 and FW. And then use Dom0
> > for workstation.
> >
> > What are your suggestions?
>
> Conceptually the simplest would be to have dom0 forward *link level* packets
> to a domU, which can filter them at IP level and then send them back to dom0.
> In this scheme dom0 still receives the packets initially but doesn't do
> anything with them until they've been verified by the domU. Link-level
> attacks on dom0 could compromise the machine but a compromise of the domU
> will not (although your IP traffic is obviously untrusted then).
Maybe I've missed something obvious, but how would you do this?
Thanks!
Carl
- --
"There are 10 types of people in the world: Those who understand binary
and those that don't."