On Mon, 2006-10-30 at 16:14 +0100, Gerhard Wendebourg wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello all,
>
> since I want to build up a Xen-system with servers in its guest-systems
> reliably running, the question about the securing of the base-system / Dom0.
>
> What kind of measures can / should be taken for preventing attacks and
> corruption of the system or the hacking from some guest to the base-system?
>
Xen brings some new challenges to the table. In particular you must now
deal with "trusted root" and "un-trusted root" .. meaning, do you know
and trust the people who have root access to guest systems?
> Is the network fully secured, if I set up a firewall on the
> eth0-Interface, while the (default-)Xen-bridge is running?
>
Buttoning down ingress on dom-0 is a great start, as for egress, we go
back to how much do you trust the people who have root access to running
guests.

I can say, no matter what .. if it malloc()'s or occupies a port and you
don't really need it, get rid of it on dom-0. Restrict root login via
ssh, force V2, don't host public sites, etc .. make dom-0 a vault. One
good brute force SSH attack could keep needed things on dom-0 from
forking if it's > 128 MB. Lock down ingress to Xend via iptables, deny
from all and only allow from your own machines. Common sense should tell
you the rest.

Typically I leave dom-0 accessible only via private lan, leaving public
access open on a non xen utility box that also has access to that lan.
I've also been known to just use a null modem cable and minicom from
another box to manage dom-0.

A little more information about your setup would be helpful ..
suggestions would really depend on that.

I use Xen mostly in the web hosting industry where anyone with $10 and a
valid (or stolen) credit card gets root on a guest .. so my setups would
seem way over-paranoid to most.. an example being pinning IP->MAC for
every guest to prevent one guest from hijacking another's IP, ebtables
on the bridges for rate limiting and snort to help stop spam before it
leaves the box.

I don't use Shorewall .... nothing against it, but I find with my needs
it's easier to write my own scripts.

Best,
-Tim
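The measures Tim lists (deny-by-default ingress on dom-0 with Xend and ssh reachable only from your own machines, restricting root login and forcing SSH protocol 2, and pinning each guest's IP to its MAC on the bridge) as an added example script, not Tim's own scripts or anything from the Xen project. It only prints the rules; nothing is applied. Assumptions of mine, not stated in the thread: the management LAN is passed as the first argument, Xend listens on TCP 8000 (xend-http-server) and 8002 (xend-relocation-server) as in the default xend-config.sxp, vif names are stable for the guests, and the guest inventory is constructed sample data.

```shell
#!/bin/sh
# Added example (not from the thread): prints, never applies, the dom-0
# lockdown rules sketched in the reply. Review the output on a test box
# before piping it into sh.
#
# Assumptions (mine): management LAN given as argument; Xend on TCP 8000
# and 8002 (xend-config.sxp defaults); vif names below are stable.

# Constructed guest inventory: "vif mac ip", one guest per line.
GUESTS='# vif    mac                ip
vif1.0  00:16:3e:00:00:01  192.0.2.11
vif2.0  00:16:3e:00:00:02  192.0.2.12'

# dom-0 ingress: default deny, loopback and established replies allowed,
# ssh and the two Xend ports reachable only from the management network.
dom0_iptables_rules() {
    mgmt="$1"
    cat <<EOF
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s $mgmt -j ACCEPT
iptables -A INPUT -p tcp --dport 8000 -s $mgmt -j ACCEPT
iptables -A INPUT -p tcp --dport 8002 -s $mgmt -j ACCEPT
EOF
}

# sshd_config directives for "restrict root login via ssh, force V2";
# the argument is the one admin account allowed to log in.
sshd_lockdown_fragment() {
    cat <<EOF
Protocol 2
PermitRootLogin no
PasswordAuthentication no
AllowUsers $1
EOF
}

# Per-guest bridge rules (inventory on stdin): frames entering from a
# guest's vif may only carry that guest's MAC and IP, in IPv4 and in ARP,
# so one guest cannot answer for a neighbour's address; each vif is then
# rate-limited and everything else from it is dropped.
guest_ebtables_rules() {
    while read -r vif mac ip; do
        case "$vif" in ''|\#*) continue ;; esac   # skip blank/comment lines
        echo "ebtables -A FORWARD -i $vif -s ! $mac -j DROP"
        echo "ebtables -A FORWARD -i $vif -p IPv4 --ip-src ! $ip -j DROP"
        echo "ebtables -A FORWARD -i $vif -p ARP --arp-ip-src ! $ip -j DROP"
        echo "ebtables -A FORWARD -i $vif -p ARP --arp-mac-src ! $mac -j DROP"
        echo "ebtables -A FORWARD -i $vif --limit 500/s --limit-burst 1000 -j ACCEPT"
        echo "ebtables -A FORWARD -i $vif -j DROP"
    done
}

# Usage: print all three rule sets for a 10.0.0.0/24 management LAN.
dom0_iptables_rules 10.0.0.0/24
sshd_lockdown_fragment xenadmin
printf '%s\n' "$GUESTS" | guest_ebtables_rules
```

The iptables rules match the "deny from all and only allow from your own machines" advice; the ebtables rules are the IP->MAC pinning and per-bridge-port rate limiting Tim mentions, expressed per vif so a guest that changes its own address simply loses connectivity instead of taking a neighbour's.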
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users