Hi Everyone,

If Dom0 were to get compromised, how bad would this be? How much access to the DomUs does Dom0 have?

Trying to build a strong security network here.

Many Thanks

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
On Thu, May 20, 2010 at 4:53 PM, Jonathan Tripathy <jonnyt@abpni.co.uk> wrote:
> Hi Everyone,
>
> If Dom0 were to get compromised, how bad would this be? How much access to
> the DomUs does Dom0 have?

With physical servers, it would be the equivalent of someone having access to your SAN (disks) and network switch/routers. Results might include anything from man-in-the-middle attacks to data theft.

-- 
Fajar
Curious, what would be the best way to secure the Dom0?

I've tried iptables before, but it then prevented access to the DomUs.

Ian

-----Original Message-----
From: xen-users-bounces@lists.xensource.com [mailto:xen-users-bounces@lists.xensource.com] On Behalf Of Fajar A. Nugraha
Sent: 20 May 2010 11:02
To: Jonathan Tripathy
Cc: Xen-users@lists.xensource.com
Subject: Re: [Xen-users] If Dom0 was compromised
I'm not an expert, but Dom0 has access at least to the disk, the network traffic, and memory through "xm save". Well, it seems to be full access, no?

Olivier

On 20/05/2010 11:53, Jonathan Tripathy wrote:
> If Dom0 were to get compromised, how bad would this be? How much
> access to the DomUs does Dom0 have?
On Thu, May 20, 2010 at 5:06 PM, Ian Tobin <itobin@tidyhosts.com> wrote:
> Curious, what would be the best way to secure the Dom0.
>
> I've tried iptables before but then prevented access to the DomUs.

Depends on your setup. If you use bridge networking, and /proc/sys/net/bridge/bridge-nf-call-iptables is 0 (which is 1 by default), domU traffic should be unaffected by dom0's iptables.

-- 
Fajar
Yes, I'm using bridged.

Odd, so you can create any iptables rules and it should not affect domUs?

Ian

-----Original Message-----
From: Fajar A. Nugraha [mailto:fajar@fajar.net]
Sent: 20 May 2010 11:11
To: Ian Tobin
Cc: Xen User-List
Subject: Re: [Xen-users] If Dom0 was compromised
On Thu, May 20, 2010 at 5:13 PM, Ian Tobin <itobin@tidyhosts.com> wrote:
> Yes, I'm using bridged.
>
> Odd, so you can create any iptables rules and it should not affect
> domUs?

A more accurate way to put it would be that it could be set up to only affect dom0 and routed traffic, not bridged traffic.

-- 
Fajar
What if I were to use this setup: http://www.shorewall.net/XenMyWay.html

In a nutshell, run a firewall in a DomU and delegate a physical NIC to it (the physical NIC would have a public IP from the ISP). Then, connect the other vifs from the firewall DomU to a bridge, which eventually connects to the LAN.

Is this secure? I could disable ssh etc. in Dom0 and just use an old-school monitor connected to the server. Is this as safe as it could be?

Thanks

________________________________
From: xen-users-bounces@lists.xensource.com on behalf of Olivier B.
Sent: Thu 20/05/2010 11:06
To: xen-users@lists.xensource.com
Subject: Re: [Xen-users] If Dom0 was compromised
Ok, I see.

Do you have a sample script that blocks all traffic other than ssh and pings? Or a similar script?

Ian

-----Original Message-----
From: Fajar A. Nugraha [mailto:fajar@fajar.net]
Sent: 20 May 2010 11:23
To: Ian Tobin
Cc: Xen User-List
Subject: Re: [Xen-users] If Dom0 was compramised
Well, something like that?

    # allow inbound ssh, then make DROP the default for everything else
    iptables -I INPUT -p tcp --dport 22 -j ACCEPT
    # -P sets the chain's default policy and takes the target directly (no -j)
    iptables -P INPUT DROP
    # allow the ssh replies out, drop all other outbound traffic from dom0
    iptables -I OUTPUT -p tcp --sport 22 -j ACCEPT
    iptables -P OUTPUT DROP

On 20/05/2010 13:29, Ian Tobin wrote:
> Do you have a sample script that blocks all traffic other than ssh and
> pings? Or a similar script?
Ok cool, I'll give it a shot :)

Thanks

Ian

-----Original Message-----
From: xen-users-bounces@lists.xensource.com [mailto:xen-users-bounces@lists.xensource.com] On Behalf Of Olivier B.
Sent: 20 May 2010 12:35
To: xen-users@lists.xensource.com
Subject: Re: [Xen-users] If Dom0 was compromised
Fajar A. Nugraha wrote:
> On Thu, May 20, 2010 at 5:13 PM, Ian Tobin <itobin@tidyhosts.com> wrote:
>> Yes, I'm using bridged.
>>
>> Odd, so you can create any iptables rules and it should not affect
>> domUs?
>
> A more accurate way to put it would be that it could be set up to only affect dom0
> and routed traffic, not bridged traffic.

We use iptables for our Dom0 all the time. The DomU's have their own iptables, specific to them. We only allow access to our Dom0's from the administrative team. This means the only way a Dom0 could be compromised is by one of us, which is extremely unlikely. The DomU's have various access configured for their specific needs. We've had zero problems with this strategy and it continues to work well for us.

-- 
Steven G. Spencer, Network Administrator
KSC Corporate - The Kelly Supply Family of Companies
Office 308-382-8764 Ext. 231
Mobile 308-380-7957
Steve Spencer wrote:
>>> Odd, so you can create any iptables rules and it should not affect
>>> domUs?
>>
>> A more accurate way to put it would be that it could be set up to only affect dom0
>> and routed traffic, not bridged traffic.

Hmm, I'll look into that when (if?) I get another box at work to play with as a host.

> We use iptables for our Dom0 all the time. The DomU's have their own
> iptables, specific to them. We only allow access to our Dom0's from the
> administrative team. This means the only way a Dom0 could be
> compromised is by one of us, which is extremely unlikely. The DomU's
> have various access configured for their specific needs. We've had zero
> problems with this strategy and it continues to work well for us.

That's more or less what I have set up - iptables rules that allow DomU traffic and only the essentials (ie ssh from a whitelist of hosts) for Dom0.

For anyone that knows your setup, compromising a Dom0 would probably be the crown jewels. Get access to that and you can do anything with the guests - even if it means shutting them down briefly while you mount their disks and install extra software or alter their config. In other words, having control of Dom0 is at least as good as having physical access to an equivalent real machine (ie what the DomU would be if not virtualised) and the ability to boot it from a live CD while you fiddle with the contents of the disk.

-- 
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.
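As an added example that is not code from the thread or from any of its participants, the following ties together Olivier's ssh-only rule set, Ian's request for pings, Simon's ssh whitelist and Fajar's bridge-nf-call-iptables note into one dom0 host firewall that leaves bridged domU traffic to the guests' own firewalls. ADMIN_NET is a constructed placeholder; the function prints the rules so they can be reviewed first, and `dom0_fw_rules | sh` applies them as root.

```shell
#!/bin/sh
# Added example, not from the thread: dom0 host firewall that protects dom0
# itself and leaves bridged domU traffic to the guests' own firewalls.
# ADMIN_NET is a constructed placeholder for the ssh whitelist.
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"

# Print the rule set instead of applying it, so it can be reviewed (or
# tested) off-box; run as root with:  dom0_fw_rules | sh
dom0_fw_rules() {
    net="${1:-$ADMIN_NET}"
    cat <<EOF
# Bridged frames between domUs and the NIC are never handed to dom0's
# iptables (the /proc knob from the thread; 1 is the kernel default)
echo 0 > /proc/sys/net/bridge/bridge-nf-call-iptables
# Start from a clean filter table for the chains we own
iptables -F INPUT
iptables -F OUTPUT
# -P takes the policy name directly (no -j): everything not listed is dropped
iptables -P INPUT DROP
# dom0 still needs outbound DNS, NTP and package updates
iptables -P OUTPUT ACCEPT
# FORWARD is deliberately untouched: routed/bridged guest traffic keeps flowing
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ssh only from the admin whitelist (Simon's point), new connections only
iptables -A INPUT -p tcp --dport 22 -s $net -m state --state NEW -j ACCEPT
# pings (Ian's requirement), rate-limited so dom0 cannot be flooded
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# Log what gets dropped: a scan of dom0 then shows up in syslog
iptables -A INPUT -m limit --limit 3/min -j LOG --log-prefix "dom0-drop: "
EOF
}

# Self-check helper: how many ssh rules mention the given whitelist
ssh_rule_count() {
    dom0_fw_rules "$1" | grep -c -- "--dport 22 -s $1"
}
```

Because INPUT and OUTPUT only see traffic addressed to or from dom0 itself, the guests keep their own iptables policy whichever way the bridge knob is set; setting it to 0 just keeps dom0's FORWARD chain out of the bridged path as well.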