Xen users - Oct 2006 - Securing Xen-Base System

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello all,

since I want to build up a Xen-system with servers in its guest-systems
reliable running, the question about the securing of the base-system / Dom0.

What kind of measures can / should be taken for preventing attacks and
corruption of the system or the hacking from some guest ti the base-system?

Is the network fully secured, if I set up a firewall on the
eth0-Interface, while the (default-)Xen-bridge is running?

Which ways of attacking the base-system exist and have to be controlled?

thanx for hints

GW
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFRhbvWgcH1Ne3oGIRAiCTAJ0QtdQ9HJlKPh7xVb1WlfSfKrvtTACcCHKK
FWIq0O2QzKak5yTBXwbV+iY=rJY+
-----END PGP SIGNATURE-----

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

On Mon, 2006-10-30 at 16:14 +0100, Gerhard Wendebourg
wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hello all,
> 
> since I want to build up a Xen-system with servers in its guest-systems
> reliable running, the question about the securing of the base-system /
Dom0.
> 
> What kind of measures can / should be taken for preventing attacks and
> corruption of the system or the hacking from some guest ti the base-system?
> 
Xen brings some new challenges to the table. In particular you must now
deal with "trusted root" and "un-trusted root" .. meaning,
do you know
and trust the people who have root access to guest systems?
> Is the network fully secured, if I set up a firewall on the
> eth0-Interface, while the (default-)Xen-bridge is running?
> 
Buttoning down ingress on dom-0 is a great start, as for egress, we go
back to how much do you trust the people who have root access to running
guests. 

I can say, no matter what .. if it malloc()''s or occupies a port and
you
don''t really need it, get rid of it on dom-0. Restrict root login via
ssh, force V2, don''t host public sites , etc .. make dom-0 a vault. One
good brute force SSH attack could keep needed things on dom-0 from
forking if its > 128 MB. Lock down ingress to Xend via iptables, deny
from all and only allow from your own machines. Common sense should tell
you the rest.

Typically I leave dom-0 accessible only via private lan, leaving public
access open on a non xen utility box that also has access to that lan. 

I''ve also been known to just use a null modem cable and minicom from
another box to manage dom-0.

A little more information about your setup would be helpful ..
suggestions would really depend on that.

I use Xen mostly in the web hosting industry where anyone with $10 and a
valid (or stolen) credit card gets root on a guest .. so my setups would
seem way over-paranoid to most.. an example being pinning IP->MAC for
every guest to prevent one guest from hijacking another''s IP, ebtables
on the bridges for rate limiting and snort to help stop spam before it
leaves the box. 

I don''t use Shorewall .... nothing against it, but I find with my needs
its easier to write my own scripts.

Best,
-Tim



_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users