WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

[Xen-users] Re: firewalls and Xen

To: "Patrick Wolfe" <pwolfe@xxxxxxxxxxxxxx>
Subject: [Xen-users] Re: firewalls and Xen
From: "Molle Bestefich" <molle.bestefich@xxxxxxxxx>
Date: Fri, 7 Jul 2006 18:46:25 +0200
Cc: Luke <secureboot@xxxxxxxxx>, Daniel Goertzen <goertzen@xxxxxxxx>, xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Fri, 07 Jul 2006 09:47:16 -0700
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=qRpW/8FyK80EWRHIEVpRt1HdASa936y+5f5TG8yFi57HkPBJn+2mtGsv/5b86AGUdaFNPEjGzFPhJOzlhaoDRNOZfXW1h7POTvtIK0MDMeyY1/+3gGfiVDuYI3eqYjFghVcENU0xfwHvRkRPd1orycL18OKlmDhsO9ag+9XiwH8=
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <44AE8E6A.60700@xxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <796A7B7A-174F-4A38-865B-09D316F8CAE8@xxxxxxxxx> <43F1F6EC.4010207@xxxxxxxx> <3988B614-F9C1-4DEB-A97C-65AF8E2F8E06@xxxxxxxxx> <43F20903.5050506@xxxxxxxx> <1139939476.19273.45.camel@xxxxxxxxxxxxxxxxxxxxx> <62b0912f0607070921m6d23370dlb0d1af3709ca34b4@xxxxxxxxxxxxxx> <44AE8E6A.60700@xxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
Patrick Wolfe wrote:
> You are correct, but that's typically how servers are set up in a DMZ in
> a non-consolidated environment.  Each server is responsible for
> protecting itself from penetration.  My firewall's primary goal is to
> protect your INTERNAL systems from the internet and the DMZ systems.  It
> also provides some protection for the DMZ systems, but if one of them
> has a hole and gets hacked, you want to make sure they can't get any
> further than the DMZ.

Ok.

> If you want to get all paranoid and isolate each domU from each other,
> go for it.  Use the routed method, and have separate firewall rules for
> each server.

Where would the router sit?
A domU or in dom0 as per your previous diagram?
In the dom0 case, wouldn't you suddenly get traffic hitting dom0's IP stack?

> Your firewall will be a little more heavily loaded, but
> that's the price you pay.  Also, keep in mind that XEN currently doesn't
> support more than three network interfaces per domU, so you end up
> having to have one firewall for every two domUs.

Ok.  I use VLANs to separate the domUs, and since the VLANs terminate
in a virtual interface, I don't suffer from this limitation.

> In my opinion, a better solution is to install shorewall (or whatever
> firewall package you like) on every domU, so it can protect itself.

It does have the advantage that it's easier for each domU to define
its own rules.  But you sort of lose a lot of central management, I
think.

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
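The "routed method with separate firewall rules for each server" that the thread discusses is easiest to judge with a concrete ruleset. The script below is an added example, not code from either poster or from the Xen project: it runs on a dom0 that routes (rather than bridges) guest traffic and emits one iptables chain per domU, keyed on the guest's dom0-side vif. The domU inventory, the `vifN.0` names, the 192.0.2.x addresses and the `eth0` external interface are all constructed assumptions. Rules are printed rather than applied so they can be reviewed first; piping the output into sh on dom0 installs them.

```shell
#!/bin/sh
# Added example (not from the thread): generate per-domU iptables rules for a
# dom0 using Xen's routed networking. Every value below is constructed.

# Constructed inventory: name, dom0-side vif, guest IP, inbound TCP ports ("-" = none)
DOMUS="web vif1.0 192.0.2.10 80,443
mail vif2.0 192.0.2.11 25
db vif3.0 192.0.2.12 -"

EXT_IF=eth0   # assumed external interface on dom0

# Emit the rules for one domU: its own chain, anti-spoofing, reply traffic,
# the listed inbound services, and nothing else. Guest-to-guest traffic is
# dropped because outbound is only accepted towards $EXT_IF.
domu_rules() {
    name=$1; vif=$2; ip=$3; ports=$4
    chain="domu-$name"
    echo "iptables -N $chain"
    # Only the assigned address may originate from this vif
    echo "iptables -A $chain -i $vif ! -s $ip -j DROP"
    # Guest may talk to the outside, never directly to another vif
    echo "iptables -A $chain -i $vif -o $EXT_IF -j ACCEPT"
    echo "iptables -A $chain -i $vif -j DROP"
    # Replies to connections the guest opened
    echo "iptables -A $chain -o $vif -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # New inbound connections only to the services this guest is meant to serve
    if [ "$ports" != "-" ]; then
        echo "iptables -A $chain -o $vif -d $ip -p tcp -m multiport --dports $ports -m state --state NEW -j ACCEPT"
    fi
    echo "iptables -A $chain -o $vif -j DROP"
    # Hook the chain into FORWARD for both directions on this vif. The -i jump
    # sits first, so a packet from one vif to another is dropped by the sender's
    # chain before the receiver's service rules are ever consulted.
    echo "iptables -A FORWARD -i $vif -j $chain"
    echo "iptables -A FORWARD -o $vif -j $chain"
}

# Central policy: deny forwarding by default, then one chain per guest
build_ruleset() {
    echo "iptables -P FORWARD DROP"
    printf '%s\n' "$DOMUS" | while read -r name vif ip ports; do
        if [ -n "$name" ]; then
            domu_rules "$name" "$vif" "$ip" "$ports"
        fi
    done
}

build_ruleset
```

Keeping the inventory in one place in dom0 is the "central management" the reply is reluctant to give up: adding a guest or changing its exposed ports is a one-line edit rather than a change inside every domU. The anti-spoofing rule on each vif is what makes the per-guest chains trustworthy, since a compromised guest would otherwise be able to borrow a neighbour's address to reach its services.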
