WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
Re: [Xen-users] Running workstation and firewall on the same hardware

To: Mark Williamson <mark.williamson@xxxxxxxxxxxx>
Subject: Re: [Xen-users] Running workstation and firewall on the same hardware
From: Michal Ludvig <michal@xxxxxxxx>
Date: Tue, 09 Aug 2005 10:37:55 +1200
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Mon, 08 Aug 2005 22:36:21 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <200508081737.36596.mark.williamson@xxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <d3e62a6b0508071107440f8e71@xxxxxxxxxxxxxx> <200508081737.36596.mark.williamson@xxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mozilla Thunderbird 1.0 (X11/20041206)
Mark Williamson wrote:

> the case of the firewall domain being compromised, however, a "sufficiently 
> clever" attacker can probably abuse the DMA engine of the network card to 
> "break out" of the domU.

This is interesting. How robust is the isolation between domains and
what are the possible risks? From what you wrote it seems that allowing
domU access to the hardware is more risky than passing all packets to
domU through dom0.

Say that I've got two domUs - one in DMZ and one in the Intranet,
DMZ-domU has a dedicated NIC, intra-domU uses vif provided by dom0. What
are the risks of breaking out of DMZ to the Intranet?

Michal Ludvig
-- 
* Personal homepage: http://www.logix.cz/michal

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users