Xen devel - Oct 2007 - Help with monitoring outgoing network traffic

Hi,

I need some pointers. I am very new to XEN, so I am still finding my feet. I
wanted to place some code inside XEN which can create a log & filter the
network requests originating from the machines on top of XEN. Say for
example in case someone sends a request to facebook, I want to block the
request through XEN. Can someone help me out with where I should place such
code.

I am using Ubuntu. I downloaded xen-source-2.6.17
I saw a folder called drivers\xen\netfront.
I guess it interacts with the backend driver. Do I make changes in it?

thanks

raghu

-- 
http://www.public.asu.edu/~rsriniv8/


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

On Tue, 2007-10-23 at 17:03 -0700, raghunathan srinivasan wrote:
> I saw a folder called drivers\xen\netfront. 
> I guess it interacts with the backend driver. Do I make changes in it?
the answers are "yes, ", and "NO."

without the intend to kill all the joy in your venture: what you''re
looking for is a customary firewall. with xen, i''d suggest to use linux
to do it. no coding required (except, maybe, tricky stuff in the
facebook-specific aspect, that depends). just grep the web for iptables.

the reason is because xen is not much about networking, as it''s not
really about specific classes of devices, including network interfaces.
the VMM itself, as is all xen-specific things inside a linux guest, is
rather about raw resources: cpus, memory, interrupts, and only *very*
basic support in the area of domain intercommunciation.

your network interface is driven by dom0, the initial VM you find in on
the screen once you''ve booted your system. that is basically a linux
kernel with all the features, including a fairly comprehensive
firewalling solution, which does logging and filtering and part of it
even delegated to userland if you want to code custom tricks in a sane
fashion.

dom0 typically drives your network card. that''s (typically) the eth0
device you see in your network setup. all traffic, including any
additional nonprivileged domain, passes dom0.

any other domain X gets a ''netfront'' interface ethY, which is
conceptually connected to a ''netback'' device vifX.Y via what
you may
think of, in network lingo, as a virtual crossover cable:

    dom0: eth0   <-- bridging/nat --> vif1.0 <--- x ---> domU: eth0

the trick is to get the firewall to filter packets as they pass from
eth0 to vifX.Y to the ethY inside the domain you want to restrict -- and
vice versa.
you''ll maybe need to learn a little about topics like NAT and/or 802.1d
bridging, depending on your preferred network setup. then check out
network filtering on linux.

neither is a thing to learn about on xen-devel. for the xen-specific
parts of the equation above, i''d suggest to turn to the xen-users list,
as it hosts more people who are dealing with such issues on a regular
basis.

regards,
daniel

-- 
Daniel Stodden
LRR     -      Lehrstuhl für Rechnertechnik und Rechnerorganisation
Institut für Informatik der TU München             D-85748 Garching
http://www.lrr.in.tum.de/~stodden         mailto:stodden@cs.tum.edu
PGP Fingerprint: F5A4 1575 4C56 E26A 0B33  3D80 457E 82AE B0D8 735B



_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

Hi,

thanks for the reply. Actually what I am trying to do is like a firewall
yes. I understand that a Linux OS already provides it. I am trying to
address a threat model where the host OS can be compromised by rootkits and
viruses. And the VMM is not uncompromisable. Basically i want to incorporate
basic packet filtering ability inside the VMM. So that even if a rootkit
tires to open a backend to a remote machine - so its not really facebook
that I am worried about. It cannot do it because the VMM traps that call.

Can someone please help me out on this?

thanks

Raghu

On 10/23/07, Daniel Stodden <stodden@cs.tum.edu>
wrote:
>
>
> On Tue, 2007-10-23 at 17:03 -0700, raghunathan srinivasan wrote:
>
> > I saw a folder called drivers\xen\netfront.
> > I guess it interacts with the backend driver. Do I make changes in it?
>
> the answers are "yes, ", and "NO."
>
> without the intend to kill all the joy in your venture: what
you''re
> looking for is a customary firewall. with xen, i''d suggest to use
linux
> to do it. no coding required (except, maybe, tricky stuff in the
> facebook-specific aspect, that depends). just grep the web for iptables.
>
> the reason is because xen is not much about networking, as it''s
not
> really about specific classes of devices, including network interfaces.
> the VMM itself, as is all xen-specific things inside a linux guest, is
> rather about raw resources: cpus, memory, interrupts, and only *very*
> basic support in the area of domain intercommunciation.
>
> your network interface is driven by dom0, the initial VM you find in on
> the screen once you''ve booted your system. that is basically a
linux
> kernel with all the features, including a fairly comprehensive
> firewalling solution, which does logging and filtering and part of it
> even delegated to userland if you want to code custom tricks in a sane
> fashion.
>
> dom0 typically drives your network card. that''s (typically) the
eth0
> device you see in your network setup. all traffic, including any
> additional nonprivileged domain, passes dom0.
>
> any other domain X gets a ''netfront'' interface ethY,
which is
> conceptually connected to a ''netback'' device vifX.Y via
what you may
> think of, in network lingo, as a virtual crossover cable:
>
>     dom0: eth0   <-- bridging/nat --> vif1.0 <--- x ---> domU:
eth0
>
> the trick is to get the firewall to filter packets as they pass from
> eth0 to vifX.Y to the ethY inside the domain you want to restrict -- and
> vice versa.
> you''ll maybe need to learn a little about topics like NAT and/or
802.1d
> bridging, depending on your preferred network setup. then check out
> network filtering on linux.
>
> neither is a thing to learn about on xen-devel. for the xen-specific
> parts of the equation above, i''d suggest to turn to the xen-users
list,
> as it hosts more people who are dealing with such issues on a regular
> basis.
>
> regards,
> daniel
>
> --
> Daniel Stodden
> LRR     -      Lehrstuhl für Rechnertechnik und Rechnerorganisation
> Institut für Informatik der TU München             D-85748 Garching
> http://www.lrr.in.tum.de/~stodden         mailto:stodden@cs.tum.edu
> PGP Fingerprint: F5A4 1575 4C56 E26A 0B33  3D80 457E 82AE B0D8 735B
>
>
>

-- 
http://www.public.asu.edu/~rsriniv8/


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel