WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
 
   
 

xen-users

Re: [Xen-users] Securing Xen-Base System

To: Gerhard Wendebourg <gw@xxxxxxxxx>
Subject: Re: [Xen-users] Securing Xen-Base System
From: Tim Post <tim.post@xxxxxxxxxxxxxxx>
Date: Tue, 31 Oct 2006 01:55:04 +0800
Cc: Xen Users <xen-users@xxxxxxxxxxxxxxxxxxx>
Delivery-date: Thu, 02 Nov 2006 13:42:25 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <454616F3.4040507@xxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Organization: Net Kinetics
References: <454616F3.4040507@xxxxxxxxx>
Reply-to: tim.post@xxxxxxxxxxxxxxx
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
On Mon, 2006-10-30 at 16:14 +0100, Gerhard Wendebourg wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hello all,
> 
> since I want to build up a Xen-system with servers in its guest-systems
> reliable running, the question about the securing of the base-system / Dom0.
> 
> What kind of measures can / should be taken for preventing attacks and
> corruption of the system or the hacking from some guest to the base-system?
> 

Xen brings some new challenges to the table. In particular you must now
deal with "trusted root" and "un-trusted root" .. meaning, do you know
and trust the people who have root access to guest systems?

> Is the network fully secured, if I set up a firewall on the
> eth0-Interface, while the (default-)Xen-bridge is running?
> 

Buttoning down ingress on dom-0 is a great start, as for egress, we go
back to how much do you trust the people who have root access to running
guests. 

I can say, no matter what .. if it malloc()'s or occupies a port and you
don't really need it, get rid of it on dom-0. Restrict root login via
ssh, force V2, don't host public sites, etc .. make dom-0 a vault. One
good brute force SSH attack could keep needed things on dom-0 from
forking if it's > 128 MB. Lock down ingress to Xend via iptables, deny
from all and only allow from your own machines. Common sense should tell
you the rest.

Typically I leave dom-0 accessible only via private lan, leaving public
access open on a non xen utility box that also has access to that lan. 

I've also been known to just use a null modem cable and minicom from
another box to manage dom-0.

A little more information about your setup would be helpful ..
suggestions would really depend on that.

I use Xen mostly in the web hosting industry where anyone with $10 and a
valid (or stolen) credit card gets root on a guest .. so my setups would
seem way over-paranoid to most.. an example being pinning IP->MAC for
every guest to prevent one guest from hijacking another's IP, ebtables
on the bridges for rate limiting and snort to help stop spam before it
leaves the box. 

I don't use Shorewall .... nothing against it, but I find with my needs
it's easier to write my own scripts.

Best,
-Tim



_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
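
The IP->MAC pinning with ebtables mentioned in the message above, as an added example that is not part of the original post and not the author's own scripts. The vif names, MAC addresses and 192.0.2.x addresses are constructed sample values, and applying the rules on the FORWARD chain is an assumption about the bridge layout.

```shell
#!/bin/sh
# Added example: print ebtables rules that pin each guest vif to exactly one
# MAC and one IPv4 address on the bridge. Rules are only printed, so they can
# be reviewed before being applied on dom-0.

# Constructed sample table: "<vif> <guest MAC> <guest IPv4>", one guest per line.
GUESTS='vif1.0 00:16:3e:00:00:01 192.0.2.11
vif2.0 00:16:3e:00:00:02 192.0.2.12'

valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

valid_ip() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1            # split the address into its four octets
    IFS=$old_ifs
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

# Reads the guest table on stdin and writes rules to stdout.
# Returns 1 at the first malformed entry; check the exit status before
# applying any of the output.
pin_rules() {
    while read -r vif mac ip; do
        [ -n "$vif" ] || continue
        if ! valid_mac "$mac" || ! valid_ip "$ip"; then
            echo "bad entry: $vif $mac $ip" >&2
            return 1
        fi
        # Frames entering the bridge from this vif must carry the guest's MAC.
        echo "ebtables -A FORWARD -i $vif -s ! $mac -j DROP"
        # IPv4 packets must carry the guest's assigned source address.
        echo "ebtables -A FORWARD -i $vif -p IPv4 --ip-src ! $ip -j DROP"
        # ARP from this vif must not claim another guest's IP or MAC.
        echo "ebtables -A FORWARD -i $vif -p ARP --arp-ip-src ! $ip -j DROP"
        echo "ebtables -A FORWARD -i $vif -p ARP --arp-mac-src ! $mac -j DROP"
    done
}

printf '%s\n' "$GUESTS" | pin_rules
```

Traffic addressed to dom-0 itself traverses the bridge's INPUT chain rather than FORWARD, so the same matches would be repeated there.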
