WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-users

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Xen-users] Re: Creating a DMZ domU

from [Christopher Isip] [Permanent Link][Original]
To: "John A. Sullivan III" <jsullivan@xxxxxxxxxxxxxxxxxxx>
Subject: Re: [Xen-users] Re: Creating a DMZ domU
From: "Christopher Isip" <cmisip@xxxxxxxxx>
Date: Tue, 15 Jul 2008 18:57:11 -0400
Cc: xen-users <xen-users@xxxxxxxxxxxxxxxxxxx>
Delivery-date: Tue, 15 Jul 2008 15:58:06 -0700
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to :subject:cc:in-reply-to:mime-version:content-type:references; bh=37wfK3B8b+gj0KXRcYJTDmaOjR7JHGwcDqkubW3rLBg=; b=gYwp59x2G8So2y+S3bCd13isMEoUXrJjtgUtRw8AwaJ23+RjpHim0vB8sQ1uafCaIz 66NYqo1e06lB44asmHk+hDl9ryAW3LKe1mMe/t0Mj9kou2m3sIuZeJwWxny6cBlpjx01 lJ/6+wf5qAYv0jhqY3RiNcs2TrKPdZHuBDtUc=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:cc:in-reply-to:mime-version :content-type:references; b=MpEmluR7VA/B7HZpAZayEis4heN3z+PFhEsExpKT2cLXayT+b2v5zIGpwDmzThUO1O Q4APmXSoVjTothuNUcfHAQbA9Lneczyq1LFNUmBdXli9A13ksgyq6PBlm0An2Md5qt2I yCiM3QhCjcpxSDcd2ZY731MOKXzUIANpsZSGI=
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <1216031074.7629.9.camel@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <4bca5f6c0807122044k5cb40137pb2cec30631f2a6e2@xxxxxxxxxxxxxx> <4bca5f6c0807132006m2198486dtc44482ca7ab1449a@xxxxxxxxxxxxxx> <1216031074.7629.9.camel@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx


On Mon, Jul 14, 2008 at 6:24 AM, John A. Sullivan III <jsullivan@xxxxxxxxxxxxxxxxxxx> wrote:
On Sun, 2008-07-13 at 23:06 -0400, Christopher Isip wrote:
>
>
> On Sat, Jul 12, 2008 at 11:44 PM, Christopher Isip <cmisip@xxxxxxxxx>
> wrote:
>         I am going to try to create a domU webserver.  My current
>         setup is dom0 running Centos 5.1 with two ethernet interfaces.
>         One is pcibacked to a asterisk domU ( and hence invisible in
>         dom0 )and serves as the external interface there.  The
>         Asterisk domU is my gateway to the internet, default route,
>         dhcpd server, dns server and ip masquerade server as well.
>         The second interface in dom0 is the bridged interface to which
>         all the domUs are connected (including the Asterisk domU).
>         Everything seems to be working fine.  I have a simple two
>         interface shorewall configuration in the Asterisk domU.
>
>         My plan is to create a webserver domU and have shorewall run
>         in it as well.  The domU will have default drop policies for
>         all incoming and outgoing connections.  There will be a rule
>         to allow incoming ssh and outgoing ssh.  There will be a rule
>         for allowing incoming http as well. The webserver domU will
>         only have one interface, and that is the bridged interface
>         from domO.
>
>         In the Asterisk domU, I can write a DNAT rule to port forward
>         http connections from the internet to the webserver domU.
>
>         It seems that this should work If xen domUs really behave as
>         if they are independent LAN hosts which so far they have in my
>         setup.  My only question is how secure is this?.  Incoming
>         connections from the internet for http port will be forwarded
>         to a bridged interface. Or maybe this is where things will
>         break.
>
>         Anybody care to comment?
>
>             Thanks
>         Chris
>
> I just realized that iptables on a dmz is useless.  If an attacker
> gains access, the iptables rules could be rewritten and the dmz could
> be used to access the network.  Rather the other hosts need to have
> default rejectd policies for the DMZ host.  But I would rather not
> implement a firewall for each of the other hosts.  My thinking is that
> perhaps I should not give the DMZ host a vif interface that is bridged
> to a physical ethernet device.  If its possible to create a bridge
> interface without any physical ethernet cards attached to it, I could
> then present vif1 to the Asterisk domU and vif2 to the DMZ and have
> the Asterisk domU be the gateway to the rest of the lan and domUs.  I
> would simply convert to a three interface shorewall configuration in
> the Asterisk domU with one interface net, the other local and the
> third DMZ.
>
> Chris
<snip>
We have done quite a bit of this in our work on the ISCS network
security management project (http://iscs.sourceforge.net).  However, our
preference is always for a separate physical device for the Internet
gateway both for security and for management.  If something happens to
the dom0, we still have a way into the internal network to allow us to
try to troubleshoot the dom0 without sending anyone on site.

When severe budget constraints force us to use a single device, we've
always done this with three interface cards (Internet, internal and DMZ)
so packets moving from one network to the other must pass through
iptables and a user who has compromised the firewall cannot sniff the
physical device for other logical networks.  We usually also lock down
the dom0 to only allow ssh.

Of course, if someone has compromised the firewall, one is probably in
pretty serious trouble already so we try to run some form of HIDS (Host
Intrusion Detection System) on our firewalls as well.  Hope this helps -
John
>
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@xxxxxxxxxxxxxxxxxxx

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society


I managed to get things up and running.  I used three interfaces for the Asterisk domU : external (internet), local (eth0 bridge), dmz (bridge with no physical nic).  Seems to be working fine and I can access the dmz webserver from the internet.  My other question would be: is dom0 in danger since the dmz bridge is created in dom0 and there is really no firewalling there. 

Thanks
Chris

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Xen-users] "XENBUS: Device with no driver" errors on Debian, Ben Firshman
Next by Date:  Re: [Xen-users] GPLPV but network problem, jim burns
Previous by Thread:  Re: [Xen-users] Re: Creating a DMZ domU, John A. Sullivan III
Next by Thread:  Re: [Xen-users] Re: Creating a DMZ domU, Jeroen Torrekens
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy