WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-users

Re: [Xen-users] Is using w! safe to share data between domains?

To: Xen-users <xen-users@xxxxxxxxxxxxxxxxxxx>
Subject: Re: [Xen-users] Is using w! safe to share data between domains?
From: Fernando Maior <fernando.souto.maior@xxxxxxxxx>
Date: Fri, 20 May 2005 15:55:13 -0300
Delivery-date: Fri, 20 May 2005 18:54:40 +0000
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=l1KldsNhYkYzu3W1tCMtACuF3nIcq+cFoIxgUhTe0GrVpa0KtyMSbWNL7EXC+RkaaBUJbeGtsoCEwQ9/tDVxg8gkcxJhfY+Xz9WvbYt9wBsZH0SAjV/LZwQre+ihTSoEclxnd9r4yY+ULpgbAhRD5Kl7RIRA4a0GburE4M8MTfk=
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <1116549760.17106.42.camel@xxxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <A95E2296287EAD4EB592B5DEEFCE0E9D1E4124@xxxxxxxxxxxxxxxxxxxxxxxxxxx> <1116546581.15693.56.camel@xxxxxxxxxxxxxxxxxxxxxxxx> <1116549760.17106.42.camel@xxxxxxxxxxxxxxxxxxxxxxx>
Reply-to: Fernando Maior <fernando.souto.maior@xxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
On 5/19/05, Nils Toedtmann <xen-users@xxxxxxxxxxxxxxxxxx> wrote:
> Am Donnerstag, den 19.05.2005, 19:49 -0400 schrieb John A. Sullivan III:
> > Ah, perhaps I didn't make something sufficiently clear.  Although
> > several domUs will have access to the partition, only one should have it
> > mounted at any time.  In other words, the system first mounts it read
> > only simply to check to see if anyone else has it mounted and, if they
> > do not, they remount it as rw.  There is the possibility that, in
> > between the check and the remount as rw, something could sneak in.  And
> > there is the brief moment when it is mounted ro that another device
> > could be writing to it in which case it is immediately unmounted.
> >
> > Network exchange with a big firewall does sound technically safer from
> > corruption even if less safe from intrusion.  Thanks - John
> [...]
> Do you want to protect the CA domU only from the outside world, or has
> it to be protected from the other (networked, hence potentially r00ted)
> domUs (with which the CA domU exchanges data), too?
> 
> In the latter case, the other domU could try to attack the filesystem
> driver of the CA domU by writing malicious fs metadata (like currupt
> inode tables/superblocks/whatever) to that partition. I'd consider a nfs
> relay between them safer!
> 
> And you could make firewalling much easier if you use a "virtual DMZ"
> toppology (all interfaces marked with a * shall use private rfc1918 ip
> addresses):
> 
>   evil internet
>         |
>         |
>     dom0-eth0
>         |
>         |xen-br0
>         |
>     dom1-eth0
>   networked domU, maybe compromised, has to exchange data with dom3
>     dom1-eth1*
>         |
>         |xen-br1 (has no ip in dom0)
>         |
>     dom2-eth0*
>   nfs-server, no ip-forwarding
>     dom2-eth1*
>         |
>         |xen-br2 (has no ip in dom0)
>         |
>     dom3-eth0*
>   CA-domU
> 
> Even without any firewalling: to break into the CA domU, an attacker has
> to overtake dom1, then the nfs-service on dom2 and finally the nfs-
> client on dom3.
> 
> I think it would be easier to attack the sshd on dom0 to compromise them
> all ;)
> 
> /nils.
> 
> 
> _______________________________________________
> Xen-users mailing list
> Xen-users@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-users
> 

Excuse my lack of knowledge, but I believe there is another
way to get to the thing done.

You want:

1) A number o domUs to write files to a place;
2) Make sure to have the most secure way to do it.

What if...

You set up a one bridge without IP number {
  brctl addbr xen-sw1
  brctl stp xen-sw1 off
  brctl setfd xen-sw1 0
  sleep 3
  ifconfig xen-sw1 up
}

Then you config your domUs to connect to the bridge,
each one implementing a RFC 1918 ip number and
same network for all of them. You see, any one can
see the other, but no one can reach dom0 or the LAN.

Now you configure a vsftpd to allow just one connection
at any time. You will NOT have more then one domU
accessing that file, for sure. And you enhance the security
with all features on vsftpd you can, so making it very 
restricted.

And you configure a firewall on each domU, accepting
NO input/forward on the ethernet connected to the 
bridged. Except for the domU where you have vsftpd,
which can be opened ONLY for ftpclients.

Is that good?
-- 
Bye,
Fernando Maior
LPIC/1 31908

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users