Patrick Wolfe wrote:
You are correct, but that's typically how servers are setup in a DMZ in
a non-consolidated environment. Each server is responsible for
protecting itself from penetration. My firewall's primary goal is to
protect your INTERNAL systems from the internet and the DMZ systems. It
also provides some protection for the DMZ systems, but if one of them
has a hole and gets hacked, you want to make sure they can't get any
further than the DMZ.
Ok.
If you want to get all paranoid and isolate each domU from each other,
go for it. Use the routed method, and have separate firewall rules for
each server.
Where would the router sit?
A domU or in dom0 as per your previous diagram?
In the dom0 case, wouldn't you suddenly get traffic hitting dom0's IP stack?
Your firewall will be a little more heavily loaded, but
that's the price you pay. Also, keep in mind that XEN currently doesn't
support more than three network interfaces per domU, so you end up
having to have one firewall for every two domU's.
Ok. I use VLANs to separate the domUs, and since the VLANs terminate
in a virtual interface, I don't suffer from this limitation.
In my opinion, a better solution is be to install shorewall (or whatever
firewall package you like) on every domU, so it can protect itself.
It does have the advantage that it's easier for each domU to define
it's own rules. But you sort of loose a lot of central management, I
think.
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
| 
Home