WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

Re: [Xen-users] Running workstation and firewall on the same hardware

To: Mark Williamson <mark.williamson@xxxxxxxxxxxx>
Subject: Re: [Xen-users] Running workstation and firewall on the same hardware
From: "Carl Holtje ;021;vcsg6;" <cwh0803@xxxxxxxxxx>
Date: Mon, 8 Aug 2005 13:22:08 -0400 (EDT)
Cc: Morten Guldager <morten.guldager@xxxxxxxxx>, xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Mon, 08 Aug 2005 17:20:31 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <200508081737.36596.mark.williamson@xxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <d3e62a6b0508071107440f8e71@xxxxxxxxxxxxxx> <200508081737.36596.mark.williamson@xxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx

On Mon, 8 Aug 2005, Mark Williamson wrote:

> > I'm a paranoid SuSE guy.
>
> That's the most succinct introduction we've had in a while :-)
>
> > Recently I discovered Xen, and thought that I could use it to combine
> > the workstation and firewall in one piece of hardware.
> >
> > First plan was to create 3 Xen domains: Dom0, WS and FW
> >
> > But it seems to be quite a job to get all my fancy hardware available
> > to anything but Dom0.
>
> Yep, right now it's easiest to give all that stuff to dom0.
>
> > Next idea is to only have two domains: Dom0 and FW. And then use Dom0
> > for workstation.
> >
> > What are your suggestions?
>
> Conceptually the simplest would be to have dom0 forward *link level* packets
> to a domU, which can filter them at IP level and then send them back to dom0.
> In this scheme dom0 still receives the packets initially but doesn't do
> anything with them until they've been verified by the domU.  Link-level
> attacks on dom0 could compromise the machine but a compromise of the domU
> will not (although your IP traffic is obviously untrusted then).

Maybe I've missed something obvious, but how would you do this?

Thanks!

Carl

--

"There are 10 types of people in the world: Those who understand binary
and those that don't."

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
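One concrete way to build the layout Mark describes, as an added example that is not from this thread or from the Xen project: dom0 acts as a pure link-layer bridge on the outside, so its own IP stack never processes a frame from the wire; the FW domU is the only IP endpoint on that bridge; dom0 and the rest of the inside sit behind the FW domU on a second bridge and route through it. The interface and bridge names (eth0, br-ext, br-int), the 192.168.1.0/24 inside network and the two addresses are assumptions, and the `vif = [ 'bridge=...' ]` line is the xm config syntax of the Xen of that era. Setting DRY_RUN=1 prints the commands instead of running them, so the plan can be read before it is applied to a real dom0.

```shell
#!/bin/sh
# Added example (not from the thread or the Xen project): two-bridge layout
# in which dom0 only switches Ethernet frames on the outside and the FW
# domU is the only IP endpoint there.
#
# Assumed names: eth0 = the physical NIC in dom0; br-ext / br-int = the
# outside and inside bridges; 192.168.1.1 = FW domU's inside address;
# 192.168.1.2/24 = dom0's inside address. All are hypothetical.
set -e

EXT_IF=${EXT_IF:-eth0}
EXT_BR=${EXT_BR:-br-ext}
INT_BR=${INT_BR:-br-int}
FW_INT_ADDR=${FW_INT_ADDR:-192.168.1.1}
DOM0_INT_ADDR=${DOM0_INT_ADDR:-192.168.1.2/24}

# run: execute a command, or only print it when DRY_RUN=1, so the whole
# plan can be inspected before it touches a real dom0.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# dom0 side. The outside bridge holds the NIC and (via Xen's vif-bridge
# script) the FW domU's first vif, and it gets NO IP address: every frame
# from the wire is forwarded at link level into the domU, and dom0's IP
# stack never looks at it. Only the inside bridge carries a dom0 address,
# and dom0's default route points at the FW domU.
setup_dom0_bridges() {
    run brctl addbr "$EXT_BR"
    run brctl addbr "$INT_BR"
    run ip addr flush dev "$EXT_IF"          # no IP on the NIC itself
    run brctl addif "$EXT_BR" "$EXT_IF"
    run ip link set dev "$EXT_IF" up
    run ip link set dev "$EXT_BR" up         # no address: pure L2 switch
    run ip addr add "$DOM0_INT_ADDR" dev "$INT_BR"
    run ip link set dev "$INT_BR" up
    run ip route replace default via "$FW_INT_ADDR"
}

# FW domU side: first vif (eth0) faces the wire, second (eth1) faces
# br-int. Filter at IP level; forward only inside-initiated traffic and
# its replies, and NAT it out. A minimal starting rule set, not a policy.
setup_fw_domu() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
    run iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
}

# The vif line for the FW domU's xm config: two vifs, in the order they
# will appear inside the domU (eth0 on br-ext, eth1 on br-int).
fw_domu_vif_config() {
    echo "vif = [ 'bridge=$EXT_BR', 'bridge=$INT_BR' ]"
}

case "${1:-}" in
    dom0)   setup_dom0_bridges ;;
    fw)     setup_fw_domu ;;
    config) fw_domu_vif_config ;;
esac
```

Run it as `sh fw-bridges.sh dom0` in dom0, `sh fw-bridges.sh fw` inside the FW domU, and `sh fw-bridges.sh config` to get the vif line for the domU's config file. Two caveats match what Mark says: dom0's bridge code still parses every Ethernet frame, so the link-level exposure of dom0 remains, and Xen's stock network script of the time, which moves dom0's own address onto the bridge it creates, is exactly what this layout avoids, so it has to be disabled rather than extended.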