WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-users

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Xen-users] Re: Live Migration Config

from [Charles Duffy] [Permanent Link][Original]
To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-users] Re: Live Migration Config
From: Charles Duffy <cduffy@xxxxxxxxxxx>
Date: Sat, 29 Oct 2005 22:00:00 -0500
Delivery-date: Sun, 30 Oct 2005 02:59:51 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <200510300143.56718.mark.williamson@xxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <004001c5dbf5$45ccfe60$600318ac@xxxxxxxxxxxxxxxx> <200510300143.56718.mark.williamson@xxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Thunderbird 1.4 (Windows/20050908) 
Mark Williamson wrote:
Xend trusts anything the incoming config tells it... Could get nasty very quickly from both security and DoS perspectives.
I haven't heard objections raised to my suggestion of running a VPN over your regular network for the purpose. This allows encryption, validation and access control; the thing it lacks is *fine-grained* control -- a Dom0 is either part of the VPN or it isn't -- but this shouldn't be a concern if your Dom0s are adequately secured. Ideally, they should be accessible *only* via VPN connections or via direct console communication. If you need remote administration, do that -- but guard the key zealously.
Since your Dom0s are accessible *only* via console or VPN access from another system, and the other VPNned systems are likewise only accessible via console or VPN (except for your administrative system), there's not much by way of risk that one of your Dom0s *can* be penetrated, so long as your console access is physically secure.
So -- so long as your Dom0s are secured via a VPN with a firewall preventing all non-VPN access, I really don't see the concern being as substantial as you make it to be. 


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Xen-users] Re: SSL TOE, Mark Williamson
Next by Date:  [Xen-users] beep in domU, choy
Previous by Thread:  Re: [Xen-users] Live Migration Config, Mark Williamson
Next by Thread:  Re: [Xen-users] (securing dom0 - firewall rules. was: ) Re: Live Migration Config, Tom Brown
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy