Kanwar Ranbir Sandhu
2007-Jan-10 21:44 UTC
[Fedora-xen] Internal and external domains on one host
Hi Everyone,

Would I be crazy to use one physical box to run a few internal Xen domU (stuff for the LAN), and use the same host to run a few domU in a DMZ (website, mail, etc.)? Besides the fact that a DoS attack on the DMZ domU could slow the domU on the LAN side down to a crawl, is there anything else that I should be concerned about?

I have a small home office, and want to consolidate my three servers to two. Besides saving some electricity, the box in the DMZ is old and slow - the one I want to consolidate to is _much_ better. The better server is already running Xen and a few domU, actually.

Has anyone done this? A little part of me says it would be foolhardy, but I can be convinced otherwise!

Thanks in advance,

Ranbir

--
Kanwar Ranbir Sandhu
Linux 2.6.18-1.2869.fc6 i686 GNU/Linux
16:37:22 up 4 days, 5:24, 2 users, load average: 0.84, 0.71, 0.59

Kanwar Ranbir Sandhu
2007-Jan-19 05:54 UTC
Re: [Fedora-xen] Internal and external domains on one host
On Wed, 2007-01-10 at 16:44 -0500, Kanwar Ranbir Sandhu wrote:
> Would I be crazy to use one physical box to run a few internal Xen domU
> (stuff for the LAN), and use the same host to run a few domU in a DMZ
> (website, mail, etc.)? Besides the fact that a DoS attack on the DMZ
> domU could slow the domU on the LAN side down to a crawl, is there
> anything else that I should be concerned about?
>
> I have a small home office, and want to consolidate my three servers to
> two. Besides saving some electricity, the box in the DMZ is old and
> slow - the one I want to consolidate to is _much_ better. The better
> server is already running Xen and a few domU, actually.
>
> Has anyone done this? A little part of me says it would be foolhardy,
> but I can be convinced otherwise!

Does anyone have an opinion on this? I'm still wondering if it's wise to use one Xen box for domUs in a DMZ and domUs in a trusted network.

Thanks,

Ranbir

--
Kanwar Ranbir Sandhu
Linux 2.6.18-1.2869.fc6 i686 GNU/Linux
00:51:33 up 1 day, 2:15, 2 users, load average: 0.52, 0.34, 0.32

Mario Verbelen
2007-Jan-19 07:48 UTC
Re: [Fedora-xen] Internal and external domains on one host
On Fri, 2007-01-19 at 00:54 -0500, Kanwar Ranbir Sandhu wrote:
> On Wed, 2007-01-10 at 16:44 -0500, Kanwar Ranbir Sandhu wrote:
> > Would I be crazy to use one physical box to run a few internal Xen domU
> > (stuff for the LAN), and use the same host to run a few domU in a DMZ
> > (website, mail, etc.)? Besides the fact that a DoS attack on the DMZ
> > domU could slow the domU on the LAN side down to a crawl, is there
> > anything else that I should be concerned about?
> >
> > I have a small home office, and want to consolidate my three servers to
> > two. Besides saving some electricity, the box in the DMZ is old and
> > slow - the one I want to consolidate to is _much_ better. The better
> > server is already running Xen and a few domU, actually.
> >
> > Has anyone done this? A little part of me says it would be foolhardy,
> > but I can be convinced otherwise!
>
> Does anyone have an opinion on this? I'm still wondering if it's wise
> to use one Xen box for domUs in a DMZ and domUs in a trusted network.
>
> Thanks,
>
> Ranbir
>

My opinion of this: well, if you configure it well I don't see a problem (as far as I know Xen). Make sure they can't hack dom0: keep this IP internal and place only domUs in the DMZ (best via another network card or via VLANs). I don't think that bridging only is safe enough when someone hacks a domU.

Mario
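
The separation suggested in the reply above (dom0's IP kept internal, DMZ domUs on their own network card or VLAN) can be checked from dom0. The following is an added example, not part of any post in this thread: it flags a bridge that carries both DMZ and LAN guests, and a DMZ bridge on which dom0 itself holds an address. The guest names, the `xenbr1` bridge, the addresses and the sample `ip` output are constructed assumptions.

```python
import re

# Constructed inventory: domU -> (zone, bridge named in its vif= line).
# Guest names and xenbr1 are hypothetical.
DOMUS = {
    "web":   ("dmz", "xenbr1"),
    "mail":  ("dmz", "xenbr1"),
    "files": ("lan", "xenbr0"),
    "wiki":  ("lan", "xenbr1"),  # misplaced: LAN guest on the DMZ bridge
}

# Constructed sample of `ip -o -4 addr show` as run in dom0.
IP_ADDR_OUTPUT = """\
1: lo    inet 127.0.0.1/8 scope host lo
4: xenbr0    inet 192.168.1.10/24 brd 192.168.1.255 scope global xenbr0
6: xenbr1    inet 203.0.113.5/24 brd 203.0.113.255 scope global xenbr1
"""

def dom0_addresses(ip_output):
    """Map interface name -> IPv4 addresses dom0 holds on it."""
    addrs = {}
    for line in ip_output.splitlines():
        m = re.match(r"\d+:\s+(\S+)\s+inet\s+(\S+)", line)
        if m:
            addrs.setdefault(m.group(1), []).append(m.group(2))
    return addrs

def audit(domus, ip_output):
    """Return findings for bridges that break the DMZ/LAN separation."""
    addrs = dom0_addresses(ip_output)
    zones_by_bridge = {}
    for zone, bridge in domus.values():
        zones_by_bridge.setdefault(bridge, set()).add(zone)
    findings = []
    for bridge, zones in sorted(zones_by_bridge.items()):
        if len(zones) > 1:
            findings.append(f"{bridge}: carries guests from {sorted(zones)}")
        if "dmz" in zones and bridge in addrs:
            findings.append(
                f"{bridge}: dom0 is reachable at {', '.join(addrs[bridge])}")
    return findings

if __name__ == "__main__":
    for finding in audit(DOMUS, IP_ADDR_OUTPUT):
        print(finding)
```

An empty result means every DMZ guest sits on a bridge that has no LAN guests and no dom0 address.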