Hi everyone,

I wish to create an isolated network that only a few DomUs can access. The Dom0 must not have access to this network. The public IP address will be routed via this isolated network, so security is important.

When you create a "Virtual Network" with virt-manager, it gives the new bridge an IP address. Any ideas on how I could create this internal network just for the DomUs? Is it just a matter of removing the IP address from the bridge?

Thanks

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
On 04.06.2010 11:14, Jonathan Tripathy wrote:
> Hi everyone,
>
> I wish to create an isolated network that only a few DomUs can access.
> The Dom0 must not have access to this network. Public IP address will be
> routed via this isolated network, so security is important.

If you would like to have a network which is by no means accessible by dom0, this is impossible. Afaik, this is also true for remote exec exploits against the dom0 network stack. Maybe (not sure if this is possible) you could delegate the network handling to another udom, but then the root of this udom would be able to access these networks. But it is possible to use an interface as a bridge target without assigning an IP address.

> When you create a "Virtual Network" with virt-manager, it gives the new
> bridge an ipaddress..

No idea here, I configure my networking manually, so the mac=[MAC],bridge=eth0 form is what I'm talking about.

> Any ideas on how I could create this internal network just for the
> DomUs? Is it just a matter of removing the IP address from the bridge?

Depending on your needs, Crossbow may be closer to what you have in mind. A look at OpenSolaris as dom0 might be useful if you plan more complex security-related network setups in your virtual environment.

Florian
________________________________
From: Florian Manschwetus [mailto:florianmanschwetus@gmx.de]
Sent: Fri 04/06/2010 14:03
To: Jonathan Tripathy
Cc: Xen-users@lists.xensource.com
Subject: Re: [Xen-users] Isolated network

> On 04.06.2010 11:14, Jonathan Tripathy wrote:
> > Hi everyone,
> >
> > I wish to create an isolated network that only a few DomUs can access.
> > The Dom0 must not have access to this network. Public IP address will be
> > routed via this isolated network, so security is important.
>
> If you would like to have a network which is by no means accessible by dom0, this is impossible. Afaik, this is also true for remote exec exploits against the dom0 network stack. Maybe (not sure if this is possible) you could delegate the network handling to another udom, but then the root of this udom would be able to access these networks. But it is possible to use an interface as a bridge target without assigning an IP address.
>
> > When you create a "Virtual Network" with virt-manager, it gives the new
> > bridge an ipaddress..
>
> No idea here, I configure my networking manually, so the mac=[MAC],bridge=eth0 form is what I'm talking about.
>
> > Any ideas on how I could create this internal network just for the
> > DomUs? Is it just a matter of removing the IP address from the bridge?
>
> Depending on your needs, Crossbow may be closer to what you have in mind. A look at OpenSolaris as dom0 might be useful if you plan more complex security-related network setups in your virtual environment.
>
> Florian

----------------------------------------------------------------------------------------------------------------------------------------------------------------

Hi There,

Sorry, I think I worded my post wrong. What I meant was: is there a way to make sure that the DomUs can't access the Dom0, i.e. so they are on an isolated network? By default in virt-manager, the Dom0 gets attached to each bridge created...

Also, what additional features does OpenSolaris support?

Thanks
...
> Hi There,
>
> Sorry, I think I worded my post wrong. What I meant was is there a way
> to make sure that the DomUs can't access the Dom0, i.e. so they are on
> an isolated network. By default in virt-manager, the Dom0 gets attached
> to each bridge created...
>
> Also, what additional features does opensolaris support?
>
> Thanks

Depending on where and how your guest disks are stored, you would have ZFS for that. At least your dom0 would benefit from ZFS (boot environments and frequent snapshotting of all data). Really easy handling of VLANs, bridges and other networking stuff (e.g. to configure a NIC, you have to plumb it to the system, but you can use an unplumbed NIC for a bridge, which would address your current question). No idea so far how well it integrates all that with virt-manager. For udom or smarter dom0 you can use zones. All in all, I would say you should have a closer look (read a bit at opensolaris.org) and try it for yourself if you are interested. I have a productive Xen running with two osolb134 dom0s with x64 Linux, Windows and OpenSolaris as guests.

Florian
________________________________
From: Florian Manschwetus [mailto:florianmanschwetus@gmx.de]
Sent: Fri 04/06/2010 15:53
To: Jonathan Tripathy
Cc: Xen-users@lists.xensource.com
Subject: Re: [Xen-users] Isolated network

> ...
> > Hi There,
> >
> > Sorry, I think I worded my post wrong. What I meant was is there a way
> > to make sure that the DomUs can't access the Dom0, i.e. so they are on
> > an isolated network. By default in virt-manager, the Dom0 gets attached
> > to each bridge created...
> >
> > Also, what additional features does opensolaris support?
> >
> > Thanks
>
> Depending on where and how your guest disks are stored, you would have ZFS for that. At least your dom0 would benefit from ZFS (boot environments and frequent snapshotting of all data). Really easy handling of VLANs, bridges and other networking stuff (e.g. to configure a NIC, you have to plumb it to the system, but you can use an unplumbed NIC for a bridge, which would address your current question). No idea so far how well it integrates all that with virt-manager. For udom or smarter dom0 you can use zones. All in all, I would say you should have a closer look (read a bit at opensolaris.org) and try it for yourself if you are interested. I have a productive Xen running with two osolb134 dom0s with x64 Linux, Windows and OpenSolaris as guests.
>
> Florian

-----------------------------------------------------------------------------------------------------------------------------

You gotta love ZFS! RAIDZ is fantastic
________________________________
From: Florian Manschwetus [mailto:florianmanschwetus@gmx.de]
Sent: Fri 04/06/2010 15:53
To: Jonathan Tripathy
Cc: Xen-users@lists.xensource.com
Subject: Re: [Xen-users] Isolated network

> ...
> > Hi There,
> >
> > Sorry, I think I worded my post wrong. What I meant was is there a way
> > to make sure that the DomUs can't access the Dom0, i.e. so they are on
> > an isolated network. By default in virt-manager, the Dom0 gets attached
> > to each bridge created...
> >
> > Also, what additional features does opensolaris support?
> >
> > Thanks
>
> Depending on where and how your guest disks are stored, you would have ZFS for that. At least your dom0 would benefit from ZFS (boot environments and frequent snapshotting of all data). Really easy handling of VLANs, bridges and other networking stuff (e.g. to configure a NIC, you have to plumb it to the system, but you can use an unplumbed NIC for a bridge, which would address your current question). No idea so far how well it integrates all that with virt-manager. For udom or smarter dom0 you can use zones. All in all, I would say you should have a closer look (read a bit at opensolaris.org) and try it for yourself if you are interested. I have a productive Xen running with two osolb134 dom0s with x64 Linux, Windows and OpenSolaris as guests.
>
> Florian

-----------------------------------------------------------------------------------------------------------------------

My main question, though, is that since all bridges are actually located in the Dom0, what is the best way to stop DomUs from accessing Dom0? Should I just make a "bridge firewall" at the bridge?

Thanks
> Sorry, I think I worded my post wrong. What I meant was is there a way
> to make sure that the DomUs can't access the Dom0, i.e. so they are on
> an isolated network. By default in virt-manager, the Dom0 gets attached
> to each bridge created...

Simply don't assign an IP to the bridge device in your dom0.

-Jeff
> > Sorry, I think I worded my post wrong. What I meant was is there a way
> > to make sure that the DomUs can't access the Dom0, i.e. so they are on
> > an isolated network. By default in virt-manager, the Dom0 gets attached
> > to each bridge created...
>
> Simply don't assign an IP to the bridge device in your dom0.
>
> -Jeff

-----------------------------------------------------------------------

Excellent

And this is secure? Could I make it any better by using ebtables or anything like that? I just want to be careful as my machine will host guests for trusted clients holding sensitive information, as well as non-trusted clients (VPS hosting)

Thanks
> -----------------------------------------------------------------------------------------------------------------------
>
> My main question, though, is that since all bridges are actually
> located in the Dom0, what is the best way to stop DomUs from accessing
> Dom0? Should I just make a "bridge firewall" at the bridge?
>
> Thanks

In osol the easy answer is just not to plumb the nic/etherstub.

Florian
>>> Sorry, I think I worded my post wrong. What I meant was is there a way
>>> to make sure that the DomUs can't access the Dom0, i.e. so they
>>> are on an isolated network. By default in virt-manager, the Dom0
>>> gets attached to each bridge created...

>> Simply don't assign an IP to the bridge device in your dom0.

> And this is secure? Could I make it any better by using ebtables or
> anything like that?

You may want to do other things like disable IP forwarding and make sure there's nothing else on your network that will route from your domU to your dom0 network. If your dom0 doesn't have separate physical interfaces, creating VLANs to segregate the networks is helpful.

I can't say whether this is bulletproof, since I don't follow much research on Xen security. But it's a starting point, and the one I would choose.

-Jeff
-----Original Message-----
From: Jeff Sturm [mailto:jeff.sturm@eprize.com]
Sent: Fri 04/06/2010 17:24
To: Jonathan Tripathy; Xen-users@lists.xensource.com
Subject: RE: [Xen-users] Isolated network

> >>> Sorry, I think I worded my post wrong. What I meant was is there a way
> >>> to make sure that the DomUs can't access the Dom0, i.e. so they
> >>> are on an isolated network. By default in virt-manager, the Dom0
> >>> gets attached to each bridge created...
>
> >> Simply don't assign an IP to the bridge device in your dom0.
>
> > And this is secure? Could I make it any better by using ebtables or
> > anything like that?
>
> You may want to do other things like disable IP forwarding and make sure there's nothing else on your network that will route from your domU to your dom0 network. If your dom0 doesn't have separate physical interfaces, creating VLANs to segregate the networks is helpful.
>
> I can't say whether this is bulletproof, since I don't follow much research on Xen security. But it's a starting point, and the one I would choose.
>
> -Jeff

-------------------------------------------

Disabling forwarding is a good idea indeed.

Bit confused about the physical interface thing. All my physical interfaces will be passed through to a "firewall DomU", and it was my intention to just create a separate bridge with which the Dom0 would communicate with the firewall. Then there would be another bridge with which the other DomUs would communicate with the firewall.
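Jeff's two recommendations (no address on the bridge device, IP forwarding off) as a small audit-and-remediate script for a Linux dom0; this is an added example, not code from the thread or from Xen. The bridge name xenbr1 and the sample `ip -o addr` output are constructed for the example, and the IPv6 check goes beyond the thread: the kernel gives an up bridge a link-local IPv6 address unless disable_ipv6 is set on it, so the script treats any inet6 line as a finding as well.

```shell
#!/bin/sh
# Added example: audit (and optionally fix) the dom0 side of an isolated
# DomU bridge. The bridge name "xenbr1" is an assumption for this example.

# Constructed sample of `ip -o addr show dev xenbr1` after virt-manager's
# "Virtual Network" gave the bridge an address (the case to avoid).
SAMPLE_WITH_IP='5: xenbr1    inet 192.168.122.1/24 brd 192.168.122.255 scope global xenbr1\       valid_lft forever preferred_lft forever
5: xenbr1    inet6 fe80::1/64 scope link \       valid_lft forever preferred_lft forever'

# Constructed sample for a bridge with no address and IPv6 disabled on it.
SAMPLE_NO_IP='5: xenbr1    <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP \    link/ether 00:16:3e:00:00:01 brd ff:ff:ff:ff:ff:ff'

# True when the `ip -o addr` output in $1 carries no IPv4 or IPv6 address.
# A link-local IPv6 address counts as a finding: every DomU on the bridge
# could still reach dom0 through it.
addr_output_is_clean() {
  if printf '%s\n' "$1" | grep -Eq ' inet6? '; then
    return 1
  fi
  return 0
}

# True when the ip_forward sysctl value in $1 is "0".
forwarding_is_off() {
  [ "$1" = "0" ]
}

# Live audit of one bridge on the running dom0 (needs iproute2).
audit_bridge() {
  br="$1"
  rc=0
  addr_output_is_clean "$(ip -o addr show dev "$br")" || { echo "$br: carries an address"; rc=1; }
  forwarding_is_off "$(cat /proc/sys/net/ipv4/ip_forward)" || { echo "net.ipv4.ip_forward is 1"; rc=1; }
  [ "$rc" -eq 0 ] && echo "$br: ok"
  return "$rc"
}

# Remediation (root): strip addresses, keep the kernel from re-adding an
# IPv6 link-local address, and stop dom0 from routing between its bridges.
harden_bridge() {
  br="$1"
  ip addr flush dev "$br"
  sysctl -w "net.ipv6.conf.$br.disable_ipv6=1"
  sysctl -w net.ipv4.ip_forward=0
}

# Only touch the live system when explicitly asked.
[ "${1-}" = "--audit" ] && audit_bridge xenbr1
[ "${1-}" = "--harden" ] && harden_bridge xenbr1 && audit_bridge xenbr1
```

Run it as `sh audit-bridge.sh --audit` to check, or `--harden` as root to apply the settings; the sysctl changes are not persistent, so add them to /etc/sysctl.conf or the distribution's equivalent as well.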