Hey guys,

I was just looking into some standards concerning the certification of critical computer systems in general when I thought about how this relates to virtualization. Is there anyone out there who has experience with security audits for Xen, like PCI-DSS? Or, to put it as a general question: does virtualization matter? I think it's a pretty interesting question: how is the isolation between virtual machines accepted with regard to security compliance?

Let's have an additional example to discuss: there are two networks that are generally not allowed to be directly connected to one physical machine. What about creating two driver domains on one physical host, each having a dedicated NIC connected to one of these networks? The resulting security rule could be that the virtual machines are never allowed to use both driver domains. Do you think this would work out in a security audit?

Looking forward to an interesting discussion...

Best regards,
Bjoern

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
-----Original Message-----
From: xen-users-bounces@lists.xensource.com [mailto:xen-users-bounces@lists.xensource.com] On Behalf Of bbmailing@web.de
Sent: Wednesday, August 06, 2008 10:47
To: xen-users@lists.xensource.com
Subject: [Xen-users] Security audits and compliances

<snip>
> Let's have an additional example to discuss: there are two networks that are generally not allowed to be directly connected to one physical machine. What about creating two driver domains on one physical host, each having a dedicated NIC connected to one of these networks? The resulting security rule could be that the virtual machines are never allowed to use both driver domains. Do you think this would work out in a security audit?
<snip>

-----Reply-----

This would probably depend on who was doing what security audit. For instance, in some security audits, the fact that an internal person could use both driver domains in spite of rules against doing so might be unacceptable. In another, the fact that Dom0 could potentially be compromised if a DomU was compromised might be unacceptable, as this could allow an outside attacker into the protected internal domain (even if they then had to compromise another DomU from the Dom0, which I would argue would not even be necessary).

Obviously, if it is unacceptable to have a router between these two networks, having something that could function as a router wouldn't be acceptable regardless.

In a simple security audit, these things might not matter, but they still might be worth considering in regards to responsibility and/or liability.

That's my simple 2 cents,
Dustin
bbmailing@web.de wrote:
> Hey guys,
>
> I was just looking into some standards concerning the certification of critical computer systems in general when I thought about how this relates to virtualization. Is there anyone out there who has experience with security audits for Xen, like PCI-DSS? Or, to put it as a general question: does virtualization matter? I think it's a pretty interesting question: how is the isolation between virtual machines accepted with regard to security compliance?

Don't have PCI compliance experience, but I do have some GLBA compliance experience.

> Let's have an additional example to discuss: there are two networks that are generally not allowed to be directly connected to one physical machine. What about creating two driver domains on one physical host, each having a dedicated NIC connected to one of these networks? The resulting security rule could be that the virtual machines are never allowed to use both driver domains. Do you think this would work out in a security audit?

For security, compliance or no compliance, dom0 must be treated as a highly privileged and highly secure resource that only a select group of individuals have access to, preferably a group of individuals who do not have access to the domUs or the applications that run within. In the real world that kind of segregation of duties is hard to attain, but all attempts must be made to try and reach that goal: limiting who from the admin group has the rights to administer the virtual machine servers, protecting access to dom0 with a local firewall, reducing the attack surface by limiting the services running, assuring that communications with it are encrypted (ssh, ssl), and, for domUs containing customer information, if possible encrypting the storage with an encryption key that only the domU admins know...
As far as network connectivity is concerned, the network configuration and topology need to be internally published so they can go under peer review for accuracy and are available to auditors for review as well, but as long as the traffic is segregated as it needs to be, whether logically via VLANs or physically over separate NICs, it doesn't really matter.

-Ross
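A worked check for the rule Bjoern proposes (no domU may use both driver domains) and for the kind of configuration review Ross describes (topology published and reviewable by auditors), added here as an example; it is not code from the thread or from the Xen project. It assumes domain configs in xm/xl syntax, where a vif entry names the domain serving it with `backend=<domain>` (omitted means dom0) and a driver domain receives its NIC through a `pci = [...]` passthrough list. The driver-domain names `drv-net-a` and `drv-net-b` and the sample configs are constructed for illustration.

```python
"""Audit Xen domain configs for the two-driver-domain separation rule.

Added example, not code from the original thread or from Xen.
"""
import ast
import re

# Hypothetical names of the two driver domains, one per isolated network.
DRIVER_DOMAINS = {"drv-net-a", "drv-net-b"}

# Constructed sample configs in xm/xl syntax. The vif and pci values are
# Python list literals, which is why ast.literal_eval can parse them.
# A real audit would read /etc/xen/*.cfg (or ask the toolstack) instead.
SAMPLE_CONFIGS = {
    "drv-net-a": "name = 'drv-net-a'\npci = ['0000:03:00.0']\n",
    "drv-net-b": "name = 'drv-net-b'\npci = ['0000:04:00.0']\n",
    "web01": "name = 'web01'\nvif = ['bridge=xenbr0,backend=drv-net-a']\n",
    "db01": ("name = 'db01'\nvif = ['backend=drv-net-b',\n"
             "       'backend=drv-net-b,mac=00:16:3e:00:00:01']\n"),
    "bridge-box": ("name = 'bridge-box'\n"
                   "vif = ['backend=drv-net-a', 'backend=drv-net-b']\n"),
    "mgmt": "name = 'mgmt'\nvif = ['bridge=xenbr2']\n",  # no backend=: dom0 serves it
}


def _list_option(config_text, key):
    """Return the list assigned to `key = [...]` in a config, or [] if absent."""
    pattern = r"^\s*%s\s*=\s*(\[[^\]]*\])" % re.escape(key)
    m = re.search(pattern, config_text, re.M)
    return ast.literal_eval(m.group(1)) if m else []


def vif_backends(config_text):
    """Backend domains serving a domU's vifs. Xen uses dom0 when no
    backend= option is given, so that case is reported as 'Domain-0'."""
    backends = set()
    for spec in _list_option(config_text, "vif"):
        opts = dict(kv.split("=", 1) for kv in spec.split(",") if "=" in kv)
        backends.add(opts.get("backend", "Domain-0"))
    return backends


def domus_using_both(configs):
    """Rule 1: no domU may have vifs served by more than one driver domain.
    Returns {domU name: set of driver domains it touches} for offenders."""
    offenders = {}
    for name, text in configs.items():
        used = vif_backends(text) & DRIVER_DOMAINS
        if len(used) > 1:
            offenders[name] = used
    return offenders


def driver_domain_nic_problems(configs):
    """Rule 2: each driver domain owns exactly one passed-through NIC, and
    the two driver domains never share a PCI device. Returns a list of
    human-readable findings (empty when the host passes)."""
    owned = {d: set(_list_option(configs.get(d, ""), "pci")) for d in DRIVER_DOMAINS}
    problems = []
    for d in sorted(owned):
        if len(owned[d]) != 1:
            problems.append("%s owns %d PCI devices, expected exactly 1"
                            % (d, len(owned[d])))
    shared = set.intersection(*owned.values())
    if shared:
        problems.append("PCI devices shared between driver domains: %s"
                        % sorted(shared))
    return problems


if __name__ == "__main__":
    for name, used in domus_using_both(SAMPLE_CONFIGS).items():
        print("VIOLATION: %s has vifs on both driver domains: %s"
              % (name, sorted(used)))
    for finding in driver_domain_nic_problems(SAMPLE_CONFIGS):
        print("VIOLATION: " + finding)
```

Point it at the real config directory instead of `SAMPLE_CONFIGS` and the output is the list an auditor can be handed alongside the published topology. It checks declared configuration only: a domU whose vif lands on a dom0 bridge that is itself plumbed to both networks, or a compromise of dom0, is outside what a config audit can see.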