WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

Re: [Xen-users] Re: firewalls and Xen

> Don't you find it troublesome that all of your domUs can communicate
> freely with each other?
>
> I'm thinking that if one domU is breached, a hacker will have total
> freedom to poke at any ports on any of the other domUs regardless of
> the firewall.

You are correct, but that's typically how servers are set up in a DMZ in a non-consolidated environment. Each server is responsible for protecting itself from penetration. My firewall's primary goal is to protect your INTERNAL systems from the internet and the DMZ systems. It also provides some protection for the DMZ systems, but if one of them has a hole and gets hacked, you want to make sure they can't get any further than the DMZ.

If you want to get all paranoid and isolate the domUs from each other, go for it. Use the routed method, and have separate firewall rules for each server. Your firewall will be a little more heavily loaded, but that's the price you pay. Also, keep in mind that XEN currently doesn't support more than three network interfaces per domU, so you end up having to have one firewall for every two domUs.

In my opinion, a better solution is to install shorewall (or whatever firewall package you like) on every domU, so it can protect itself.

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
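The "routed method with separate rules per server" approach from the reply above, as an added example that is not part of the original thread: a dom0 script that generates iptables FORWARD rules so domUs can reach the uplink but not each other, and logs any domU-to-domU attempt. Assumptions: Xen routed networking in dom0, each domU's first interface appearing in dom0 as vifN.0, eth0 as the uplink, and inbound rules for the DMZ services themselves left out.

```shell
#!/bin/sh
# Added example (not from the thread). Generates, but does not apply, iptables
# FORWARD rules for a routed Xen dom0 that isolates domUs from one another.
# Assumed names: vifN.0 is the dom0 end of each domU's interface, eth0 the uplink.
XEN_UPLINK="${XEN_UPLINK:-eth0}"

# gen_isolation_rules vif1.0 vif2.0 ...  -> prints one iptables command per line
gen_isolation_rules() {
    # Default-deny forwarding; only reply traffic to existing connections is
    # allowed regardless of direction.
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for vif in "$@"; do
        # New connections from this domU are permitted only towards the uplink.
        echo "iptables -A FORWARD -i $vif -o $XEN_UPLINK -j ACCEPT"
        # Anything from this domU aimed at another domU's vif is logged and
        # dropped explicitly, so a breached domU probing its neighbours is visible.
        for other in "$@"; do
            [ "$other" = "$vif" ] && continue
            echo "iptables -A FORWARD -i $vif -o $other -j LOG --log-prefix \"xen-domU-xtalk \""
            echo "iptables -A FORWARD -i $vif -o $other -j DROP"
        done
    done
}

# count_drop_rules: number of explicit cross-domU DROP rules, N*(N-1) for N vifs
count_drop_rules() {
    gen_isolation_rules "$@" | grep -c -- '-j DROP$'
}

# Review the generated rules before applying them, e.g.:
#   gen_isolation_rules vif1.0 vif2.0 vif3.0
```

Piping the output to `sh` applies the rules on dom0; the LOG lines then show up in the kernel log with the `xen-domU-xtalk` prefix whenever one domU tries to open a connection to another.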
