xen-users

Re: [Xen-users] Running workstation and firewall on the same hardware

To: Mark Williamson <mark.williamson@xxxxxxxxxxxx>
Subject: Re: [Xen-users] Running workstation and firewall on the same hardware
From: Michal Ludvig <michal@xxxxxxxx>
Date: Wed, 10 Aug 2005 16:42:01 +1200
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Wed, 10 Aug 2005 04:40:30 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <200508091802.51947.mark.williamson@xxxxxxxxxxxx>
References: <d3e62a6b0508071107440f8e71@xxxxxxxxxxxxxx> <200508081737.36596.mark.williamson@xxxxxxxxxxxx> <42F7DEC3.9030201@xxxxxxxx> <200508091802.51947.mark.williamson@xxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mozilla Thunderbird 1.0 (X11/20041206)

Mark Williamson wrote:

>>From what you wrote it seems that allowing 
>>domU access to the hardware is more risky than passing all packets to
>>domU through dom0.
> 
> Depends...  I guess if you trust that nothing can compromise the path in dom0 
> from eth0 to the domU's virtual ethernet then this is actually the case.  As 
> Goetz pointed out, though, it'd require a reasonably sophisticated attacker 
> to break out of a domain using DMA.

My paranoid mind tells me that if it is at all possible someone will do
it. Sooner or later.

> Bear in mind that if you're not running any services in the firewall domU,
> the only way it could get compromised is by a network-stack attack.  It still
> fulfills the goal of protecting your bloatware (your words!) from the
> internet...

Bloatware? Ah, you mean the GSM thing I mentioned some time ago. No no,
that was a different system. Actually I really like Xen and already
built 3 servers running it in production. Some more are in the queue.
Thanks for your great work, BTW! :-)

The server I'm now talking about is running one domain in the DMZ with
web/mail/DNS server and a dedicated NIC. I think I'll rework the setup a
little bit and will pass all data through dom0. Two eth bridges each
attached to one NIC and two domains each attached to one bridge. No
services will run in dom0.

> If a domain has a DMA capable card a sophisticated attacker can theoretically 
> own the whole machine - there is no sensible way to control DMAs on current 
> hardware.  I should point out nobody has ever done this but it is possible.

This wording will definitely sound like a challenge to someone ;-)

Michal Ludvig
-- 
* Personal homepage: http://www.logix.cz/michal