WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-users

Re: [Xen-users] domU security

To: William <wcoolnet@xxxxxxxxx>, xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] domU security
From: "Dirk H. Schulz" <dirk.schulz@xxxxxxxxxxxxx>
Date: Tue, 07 Mar 2006 09:43:29 +0100
Delivery-date: Tue, 07 Mar 2006 08:44:52 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <8EEC3F15-EB0F-459E-8E87-3F2D185F59B4@xxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <8EEC3F15-EB0F-459E-8E87-3F2D185F59B4@xxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mozilla Thunderbird 1.0.7 (Macintosh/20050923)
Hi William,

William schrieb:

When one rents a domU, what are some of the security concerns to have? I haven't used Xen at all, but am considering to purchase a domU. I guess the administrator of the xen server (dom0) can read all information (hard drive) on all domUs, is this correct? What would be some countermeasures? Lets say I don't want them reading the emails in my mail server.

Besides what Mathias already answered (you have to trust your provider or be your own provider) there is several things you can do:

1. Rent a NetBSD domU that runs on a linux host. That makes it at least more difficult to mount the file system of your domU into dom0. 2. Use NetBSDs cryptographic file system pseudo device to encrypt your file system (at least the parts you want to keep secret).
3. Use TLS for all of your network communication.

All these steps make it more difficult to peep into your data, but not impossible.

Concerning the phrase "trust your provider" you have to consider: Even renting hardware does not give you real security, because the people at the provider can reboot your server at night with a knoppix cd and configure access for later.

Perhaps you should make a list of what exactly you want to keep private and then we could discuss other means of doing this.

Dirk

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

<Prev in Thread] Current Thread [Next in Thread>