WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/

Home

xen-users

[Top] [All Lists]

Re: [Xen-users] Ideal(istic) Xen firewall design

from [Martin Maney]

[Permanent Link][Original]

To:	xen-users@xxxxxxxxxxxxxxxxxxx
Subject:	Re: [Xen-users] Ideal(istic) Xen firewall design
From:	Martin Maney <maney@xxxxxxxxx>
Date:	Mon, 15 Aug 2005 07:55:11 -0500
Delivery-date:	Mon, 15 Aug 2005 12:53:28 +0000
Envelope-to:	www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to:	<43002F9D.7000802@xxxxxxxxxxxxx>
List-help:	<mailto:xen-users-request@lists.xensource.com?subject=help>
List-id:	Xen user discussion <xen-users.lists.xensource.com>
List-post:	<mailto:xen-users@lists.xensource.com>
List-subscribe:	<http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe:	<http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References:	<200508142130.j7ELUZ7k011456@xxxxxxxxxxxxxxxx> <43002F9D.7000802@xxxxxxxxxxxxx>
Reply-to:	maney@xxxxxxxxx
Sender:	xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent:	Mutt/1.5.6+20040907i

On Mon, Aug 15, 2005 at 08:01:01AM +0200, Dirk H. Schulz wrote:
> There is one more reason to put the firewall into a guest system: The 
> guests use the smaller kernels (without hardware support etc.), so there 
> is less possibility of kernel bugs that can be used to crack the 
> firewall. It is more of a statistic perspective but with firewalling 
> everything should be used to avoid leaks, I think.

However, the parts of the kernel that an attacker has leverage on (the
TCP/IP stack and netfilter) are the same whether dom0 or domU.  I'll
grant you the NIC driver, but I refuse to worry greatly about it.  :-)

-- 
There is overwhelming evidence that the higher the level of self-esteem,
the more likely one will be to treat others with respect, kindness, and
generosity. -- Nathaniel Branden


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
Re: [Xen-users] Ideal(istic) Xen firewall design, (continued) Message not available Re: [Xen-users] Ideal(istic) Xen firewall design, Marcus Brown Re: [Xen-users] Ideal(istic) Xen firewall design, Dirk H. Schulz Re: [Xen-users] Ideal(istic) Xen firewall design, Marcus Brown Re: [Xen-users] Ideal(istic) Xen firewall design, Dirk H. Schulz Re: [Xen-users] Ideal(istic) Xen firewall design, Marcus Brown Re: [Xen-users] Ideal(istic) Xen firewall design, Dirk H. Schulz RE: [Xen-users] Ideal(istic) Xen firewall design, Mike Tierney Re: [Xen-users] Ideal(istic) Xen firewall design, Martin Maney Re: [Xen-users] Ideal(istic) Xen firewall design, Dirk H. Schulz Re: [Xen-users] Ideal(istic) Xen firewall design, Marcus Brown Re: [Xen-users] Ideal(istic) Xen firewall design, Martin Maney <= Re: [Xen-users] Ideal(istic) Xen firewall design, Marcus Brown Re: [Xen-users] Ideal(istic) Xen firewall design, Marcus Brown Re: [Xen-users] Ideal(istic) Xen firewall design, Marcus Brown Re: [Xen-users] Ideal(istic) Xen firewall design, Mark Williamson Re: [Xen-users] Ideal(istic) Xen firewall design, Nicholas Lee Re: [Xen-users] Ideal(istic) Xen firewall design, Dirk H. Schulz

Previous by Date:	Re: [Xen-users] Failover, John Madden
Next by Date:	Re: [Xen-users] Failover, Matthijs ter Woord
Previous by Thread:	Re: [Xen-users] Ideal(istic) Xen firewall design, Marcus Brown
Next by Thread:	Re: [Xen-users] Ideal(istic) Xen firewall design, Marcus Brown
Indexes:	[Date] [Thread] [Top] [All Lists]

This site is hosted by Citrix