If a DomU was compromised, could the Dom0 or other DomUs be compromised?

I guess I'm trying to work out how much isolation Xen gives..

Thanks

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

> If a DomU was compromised, could the Dom0 or other DomUs be compromised?
>
> I guess I'm trying to work out how much isolation Xen gives..

Not by design, but there is always the possibility that an errant DomU could exploit a bug and compromise the hypervisor or Dom0 that way. But depending on what your DomU does, it may be trusted by other servers on your network so it's obviously never a good thing, but that's not really anything to do with Xen.

In writing PV drivers for Windows I have caused complete system crashes before, which means it is (or at least was) possible to crash the whole system from a DomU. That was over a year ago and I never followed up exactly what caused the problem other than to fix the bug in my driver.

I'd be interested to hear about what sort of analysis has been done on this subject... do any papers exist?

James

From the networking point of view, it's more or less the same situation as in a real physical network - depends on the network segments, firewalling etc. The main difference is that all these virtual machines share common computing power, so there's "new" room for "unwanted" computing power consumption from the compromised DomU, that may affect other DomUs and tasks assigned to them (the degree depends on configs of vcpus, schedulers etc.) and logically virtual machines are more vulnerable to DoS attacks.

Regards

Matej

-----Original Message-----
From: xen-users-bounces@lists.xensource.com [mailto:xen-users-bounces@lists.xensource.com] On Behalf Of Jonathan Tripathy
Sent: Thursday, May 20, 2010 2:12 PM
To: Xen-users@lists.xensource.com
Subject: [Xen-users] If a DomU was compromised..

If a DomU was compromised, could the Dom0 or other DomUs be compromised?

I guess I'm trying to work out how much isolation Xen gives..

Thanks

Ok so to sum up, it's no worse than VMWare ESXi?

Thanks

Hmm ok that worries me a bit...

I thought that Xen is a type-1 hypervisor, so why do they say that VMWare is more suitable?

Surely VMWare's *nix "console" available from the VGA port (or ssh if you hack it) is equivalent to the Dom0 in Xen? Or have I got the whole concept of a Dom0 wrong?

________________________________
From: Matthew Law [mailto:matt@webcontracts.co.uk]
Sent: Thu 20/05/2010 14:10
To: Jonathan Tripathy
Subject: RE: [Xen-users] RE: If a DomU was compromised..

On Thu, May 20, 2010 1:41 pm, Jonathan Tripathy wrote:
> Ok so to sum up, it's no worse than VMWare ESXi?

Exactly. However, if you were to ask a PCI DSS assessor they would probably give you the scripted answer that Xen is not a suitable candidate for a PCI DSS environment despite the fact that if configured properly it is no more insecure than ESXi or a hardware box.

Another option to increase separation between the dom0 and domUs is to configure the dom0 to only be accessible on one physical interface which is and then have another public interface with no address which is bridged for the domUs. Unless I am mistaken, this is the default setup for XCP and XenServer when multiple interfaces are available.

Cheers,

Matt.

On Thu, May 20, 2010 2:47 pm, Jonathan Tripathy wrote:
> Hmm ok that worries me a bit...
>
> I thought that Xen is a type-1 hypervisor, so why do they say that VMWare
> is more suitable?
>
> Surely VMWare's *nix "console" available from the VGA port (or ssh if you
> hack it) is equivalent to the Dom0 in Xen? Or have I got the whole concept
> of a Dom0 wrong?

I suppose the bottom line is, does anyone who cannot be trusted have access to the dom0? My experience of PCI compliance people has been that they often don't understand the situation so use 'no' as a standard answer, which is what I was rather poorly alluding to.

Xen IS secure and definitely as secure if not more so than VMWare's implementation *if* you design and implement it securely. Auditing types like to have simple boxes to tick and would rather not get into the technicalities of bridging and firewall rules, so they generally say 'no'. I am involved with a company that holds limited medical data and the auditors flatly refuse to accept any kind of virtualised setup at all despite having no technical reasoning to back up that decision.

Cheers,

Matt.

Well, the system isn't set up yet, but when I get round to it, I was thinking of just mapping a physical NIC to the dom0 for admin? Would that do? The only ports that would be open are the ones required for management tools to work.

I'm just trying to figure out that if the DomU was compromised, could someone "break out" of it and access the Dom0?

Anything is possible, but I think it's unlikely. Given the number of VMs on Amazon, if this was a real problem, we'd have seen it long before this.

Most likely way to get hacked is still what it's always been, lousy admin practices.

Vern

Sent from my BlackBerry® wireless device from U.S. Cellular

-----Original Message-----
From: "Jonathan Tripathy" <jonnyt@abpni.co.uk>
Date: Thu, 20 May 2010 16:24:43
To: <matt@webcontracts.co.uk>
Cc: <xen-users@lists.xensource.com>
Subject: RE: [Xen-users] RE: If a DomU was compromised..

On Thu, May 20, 2010 4:47 pm, Vern Burke wrote:
> Anything is possible, but I think it's unlikely. Given the number of VMs
> on Amazon, if this was a real problem, we'd have seen it long before
> this.
>
> Most likely way to get hacked is still what it's always been, lousy admin
> practices.

I agree with Vern although I would go as far as to say that even with exceptionally good security and admin practices in place I think that if someone really wants to get in and has the skill, they will, eventually.

Buy more insurance! :-P

Cheers,

Matt

> -----Original Message-----
> From: xen-users-bounces@lists.xensource.com [mailto:xen-users-bounces@lists.xensource.com] On Behalf Of Matthew Law
> Sent: Thursday, May 20, 2010 11:55 AM
> To: vburke@skow.net
> Cc: xen-users-bounces@lists.xensource.com; Jonathan Tripathy; xen-users@lists.xensource.com
> Subject: Re: [Xen-users] RE: If a DomU was compromised..
>
> I agree with Vern although I would go as far as to say that even with
> exceptionally good security and admin practices in place I think that if
> someone really wants to get in and has the skill, they will, eventually.

Indeed. The security of any host tends to be only as good as the network, storage device, and physical facilities. If you can compromise any of those, then little else matters. I don't think virtualization has much to do with this argument.

Most data centers have some systems in place for remote access, such as KVM over IP, and it seems certain these have also been targeted for vulnerabilities. I don't have any technical basis to trust a hypervisor less than a serial console or KVM.

-Jeff

Matthew Law wrote:
> On Thu, May 20, 2010 4:47 pm, Vern Burke wrote:
>> Anything is possible, but I think it's unlikely. Given the number of VMs
>> on Amazon, if this was a real problem, we'd have seen it long before
>> this.
>>
>> Most likely way to get hacked is still what it's always been, lousy admin
>> practices.
>
> I agree with Vern although I would go as far as to say that even with
> exceptionally good security and admin practices in place I think that if
> someone really wants to get in and has the skill, they will, eventually.
>
> Buy more insurance! :-P
>
> Cheers,
>
> Matt

Just as an aside, we also use ossec-hids (client/server setup) for any host that has the potential for being compromised (web servers, generally, but others apply). I've not done this for our Dom0s, however, because the only access to them is administrative (ssh from about 3 addresses).

--
Steven G. Spencer, Network Administrator
KSC Corporate - The Kelly Supply Family of Companies
Office 308-382-8764 Ext. 231
Mobile 308-380-7957

Hi everyone,

What I've decided to do is just install a firewall in a DomU which has access to a physical NIC (connected to ISP) via PCI passthrough. The rest will all be internal bridges with another DomU (acting as a terminal server) having direct access to the other physical NIC which thin clients connect to.

Management access to Dom0 will be via a third physical NIC.

Seem fair?

Thanks

Sent from my iPhone
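
Added example, not part of any post in this thread: one way to check the separation Matt describes (dom0 reachable only on a management NIC, guest bridges carrying no dom0 address) from iproute2 output. The interface names `eth0`, `eth1`, `xenbr0`, `vif1.0` and all addresses are constructed sample values; a NIC handed to a DomU by PCI passthrough, as in the final plan above, does not appear in dom0's interface list and is outside what this checks.

```python
import re

# Constructed samples of `ip -o link show` and `ip -o addr show` from one dom0.
LINKS = r"""1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master xenbr0 state UP mode DEFAULT
4: xenbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT
5: vif1.0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master xenbr0 state UP mode DEFAULT
"""
ADDRS = r"""1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\       valid_lft forever preferred_lft forever
4: xenbr0    inet 198.51.100.1/24 brd 198.51.100.255 scope global xenbr0\       valid_lft forever preferred_lft forever
4: xenbr0    inet6 fe80::21e:67ff:feab:cdef/64 scope link \       valid_lft forever preferred_lft forever
"""

def bridge_ports(links):
    """Map bridge name -> set of enslaved ports, from `ip -o link show`."""
    ports = {}
    for line in links.splitlines():
        m = re.match(r"\d+:\s+([^:@\s]+)(?:@\S+)?:.*?\bmaster\s+(\S+)", line)
        if m:
            ports.setdefault(m.group(2), set()).add(m.group(1))
    return ports

def addresses(addrs):
    """Map device -> list of (family, address) from `ip -o addr show`."""
    out = {}
    for line in addrs.splitlines():
        m = re.match(r"\d+:\s+(\S+)\s+(inet6?)\s+(\S+)", line)
        if m:
            out.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    return out

def audit(links, addrs, mgmt_nic):
    """Return findings where dom0 is addressable from a guest-facing segment."""
    ports, addr = bridge_ports(links), addresses(addrs)
    findings = []
    for bridge, members in sorted(ports.items()):
        if not any(p.startswith("vif") for p in members):
            continue  # assumption: guest backends are named vif*, so no vif means no domU
        if mgmt_nic in members:
            findings.append(f"{mgmt_nic}: management NIC is a port of guest bridge {bridge}")
        # Any address counts, including IPv6 link-local: dom0 answers on that segment.
        for dev in [bridge] + sorted(members):
            for family, a in addr.get(dev, []):
                findings.append(f"{dev}: dom0 has {family} {a} on guest bridge {bridge}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(LINKS, ADDRS, mgmt_nic="eth0")))
```

On the sample data the IPv4 address on `xenbr0` is reported, and so is the automatically assigned IPv6 link-local address, which is easy to overlook when a bridge is described as having "no address".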