xen-users
Re: [Xen-users] domU security
Hi William,
William wrote:
> When one rents a domU, what are some of the security concerns to
> have? I haven't used Xen at all, but am considering purchasing a domU.
> I guess the administrator of the xen server (dom0) can read all
> information (hard drive) on all domUs, is this correct? What would be
> some countermeasures? Let's say I don't want them reading the emails
> in my mail server.

Besides what Mathias already answered (you have to trust your provider
or be your own provider) there are several things you can do:
1. Rent a NetBSD domU that runs on a Linux host. That makes it at least
more difficult to mount the file system of your domU into dom0.
2. Use NetBSD's cryptographic file system pseudo device to encrypt your
file system (at least the parts you want to keep secret).
3. Use TLS for all of your network communication.
All these steps make it more difficult to peep into your data, but not
impossible.
Concerning the phrase "trust your provider" you have to consider: Even
renting hardware does not give you real security, because the people at
the provider can reboot your server at night with a Knoppix CD and
configure access for later.
Perhaps you should make a list of what exactly you want to keep private
and then we could discuss other means of doing this.
Dirk
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users