WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-users

Re: [Xen-users] Xen Security

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] Xen Security
From: Bart Coninckx <bart.coninckx@xxxxxxxxxx>
Date: Fri, 16 Jul 2010 11:57:41 +0200
Cc: Vern Burke <vburke@xxxxxxxx>, Jonathan Tripathy <jonnyt@xxxxxxxxxxx>
Delivery-date: Fri, 16 Jul 2010 03:00:17 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <4C4004C7.7020008@xxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <4C3F905E.9030100@xxxxxxxxxxx> <4C3FB19B.104@xxxxxxxx> <4C4004C7.7020008@xxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: KMail/1.12.4 (Linux/2.6.31.12-0.2-desktop; KDE/4.3.5; x86_64; ; )
On Friday 16 July 2010 09:05:43 Jonathan Tripathy wrote:
> Hi Vern,
> 
> So you think I should just set up my networking properly and forget
> about the rest? Do you feel it ok to share the same Xen host with
> internal VMs with public VMs?
> 
> Thanks
> 
> On 16/07/10 02:10, Vern Burke wrote:
> > I have no idea how you could actually PROVE that there's no possible
> > way someone could break out of a dom U into the dom 0. As I've written
> > before, since Xen is out and about in such a large way (being the
> > underpinning of Amazon EC2) that if there was a major risk of this,
> > we'd have seen it happen already.
> >
> > Vern Burke
> >
> > SwiftWater Telecom
> > http://www.swiftwatertel.com
> > ISP/CLEC Engineering Services
> > Data Center Services
> > Remote Backup Services
> >
> > On 7/15/2010 7:07 PM, Jonathan Tripathy wrote:
> >> On 15/07/10 23:49, Jonathan Tripathy wrote:
> >>> Hi Everyone,
> >>>
> >>> My Xen host currently run DomUs which contain some very sensitive
> >>> information, used by our company. I wish to use the same server to
> >>> host some VMs for some customers. If we assume that networking is set
> >>> up securely, are there any other risks that I should worry about?
> >>>
> >>> Is Xen secure regarding "breaking out" of the VM?
> >>>
> >>> Thanks
> >>>
> >>> _______________________________________________
> >>> Xen-users mailing list
> >>> Xen-users@xxxxxxxxxxxxxxxxxxx
> >>> http://lists.xensource.com/xen-users
> >>
> >> I'm running Xen 3.4.2 on CentOS 5.5 Dom0 by the way.
> >>
> >> _______________________________________________
> >> Xen-users mailing list
> >> Xen-users@xxxxxxxxxxxxxxxxxxx
> >> http://lists.xensource.com/xen-users
> 
> _______________________________________________
> Xen-users mailing list
> Xen-users@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-users
> 

The "distance" in between the hosts should be maximized, being a seperate 
routed networks, seperate storage etc to have the risks minimized.

Personally, I would not mix the two, unless having spent a LOT of time in 
isolating things, just as you would do with two physical hosts. 


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

<Prev in Thread] Current Thread [Next in Thread>