I am going to try to create a domU webserver. My current setup is dom0 running Centos 5.1 with two ethernet interfaces. One is pcibacked to an Asterisk domU (and hence invisible in dom0) and serves as the external interface there. The Asterisk domU is my gateway to the internet, default route, dhcpd server, dns server and ip masquerade server as well. The second interface in dom0 is the bridged interface to which all the domUs are connected (including the Asterisk domU). Everything seems to be working fine. I have a simple two interface shorewall configuration in the Asterisk domU.

My plan is to create a webserver domU and have shorewall run in it as well. The domU will have default drop policies for all incoming and outgoing connections. There will be a rule to allow incoming ssh and outgoing ssh. There will be a rule for allowing incoming http as well. The webserver domU will only have one interface, and that is the bridged interface from dom0.

In the Asterisk domU, I can write a DNAT rule to port forward http connections from the internet to the webserver domU.

It seems that this should work if Xen domUs really behave as if they are independent LAN hosts, which so far they have in my setup. My only question is how secure is this? Incoming connections from the internet for http port will be forwarded to a bridged interface. Or maybe this is where things will break.

Anybody care to comment?

Thanks
Chris

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
On Sat, Jul 12, 2008 at 11:44 PM, Christopher Isip <cmisip@gmail.com> wrote:
> I am going to try to create a domU webserver. My current setup is dom0 running Centos 5.1 with two ethernet interfaces.
<snip>

I just realized that iptables on a dmz is useless. If an attacker gains access, the iptables rules could be rewritten and the dmz could be used to access the network. Rather the other hosts need to have default reject policies for the DMZ host. But I would rather not implement a firewall for each of the other hosts.

My thinking is that perhaps I should not give the DMZ host a vif interface that is bridged to a physical ethernet device. If it's possible to create a bridge interface without any physical ethernet cards attached to it, I could then present vif1 to the Asterisk domU and vif2 to the DMZ and have the Asterisk domU be the gateway to the rest of the LAN and domUs. I would simply convert to a three interface shorewall configuration in the Asterisk domU with one interface net, the other local and the third DMZ.

Chris
On Sun, 2008-07-13 at 23:06 -0400, Christopher Isip wrote:
> My thinking is that perhaps I should not give the DMZ host a vif interface that is bridged to a physical ethernet device. If it's possible to create a bridge interface without any physical ethernet cards attached to it, I could then present vif1 to the Asterisk domU and vif2 to the DMZ and have the Asterisk domU be the gateway to the rest of the LAN and domUs. I would simply convert to a three interface shorewall configuration in the Asterisk domU with one interface net, the other local and the third DMZ.
>
> Chris
<snip>

We have done quite a bit of this in our work on the ISCS network security management project (http://iscs.sourceforge.net). However, our preference is always for a separate physical device for the Internet gateway both for security and for management. If something happens to the dom0, we still have a way into the internal network to allow us to try to troubleshoot the dom0 without sending anyone on site.

When severe budget constraints force us to use a single device, we've always done this with three interface cards (Internet, internal and DMZ) so packets moving from one network to the other must pass through iptables and a user who has compromised the firewall cannot sniff the physical device for other logical networks. We usually also lock down the dom0 to only allow ssh.

Of course, if someone has compromised the firewall, one is probably in pretty serious trouble already so we try to run some form of HIDS (Host Intrusion Detection System) on our firewalls as well. Hope this helps - John

-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
On Mon, Jul 14, 2008 at 6:24 AM, John A. Sullivan III <jsullivan@opensourcedevel.com> wrote:
> When severe budget constraints force us to use a single device, we've always done this with three interface cards (Internet, internal and DMZ) so packets moving from one network to the other must pass through iptables and a user who has compromised the firewall cannot sniff the physical device for other logical networks. We usually also lock down the dom0 to only allow ssh.
<snip>

I managed to get things up and running. I used three interfaces for the Asterisk domU: external (internet), local (eth0 bridge), dmz (bridge with no physical nic). Seems to be working fine and I can access the dmz webserver from the internet.

My other question would be: is dom0 in danger since the dmz bridge is created in dom0 and there is really no firewalling there.

Thanks
Chris
Christopher Isip wrote:
<snip>
> I managed to get things up and running. I used three interfaces for the Asterisk domU: external (internet), local (eth0 bridge), dmz (bridge with no physical nic). Seems to be working fine and I can access the dmz webserver from the internet.
>
> My other question would be: is dom0 in danger since the dmz bridge is created in dom0 and there is really no firewalling there.

Normally not. There is no way for the 'outside' network to address your dom0 machine. If it does not have an IP address on the external bridge, that is.
> Normally not. There is no way for the 'outside' network to address your dom0 machine. If it does not have an IP address on the external bridge, that is.

If the dmz is compromised though, the attacker would have access to the dmz bridge and all hosts connected to it, right? This should exclude dom0 since there is no interface in dom0 attached to the dmz bridge (xenbrD). Is this correct?

[root@mymainserver ~]# brctl show
bridge name     bridge id               STP enabled     interfaces
eth0            8000.00146c30c25a       no              vif8.0
                                                        vif7.0
                                                        vif6.0
                                                        vif5.0
                                                        vif4.0
                                                        vif3.0
                                                        vif2.0
                                                        vif1.0
                                                        peth0
virbr0          8000.000000000000       yes
xenbrD          8000.feffffffffff       no              vif11.0
                                                        vif2.1

I believe in the above vif1.0 is probably attached to the asterisk domU while vif2.1 is to the dmz domU though I don't know how to check for sure. I did not manually enslave a dom0 interface to the xenbrD bridge when I created it.

Thanks
Chris
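Chris asks how to check for sure which domU sits behind each vif. In dom0 Xen names the backend devices vif<domid>.<devid>, so the mapping can be read straight off the brctl listing: vif2.0 and vif2.1 are the first and second interface of domain 2 (the one domain with a foot on both eth0 and xenbrD, i.e. the firewall domU), and vif11.0 is domain 11's only interface. The script below is an added example, not something posted in the thread; it parses the brctl output above (embedded as a constructed sample) and reports, per bridge, the attached domains and any member that is not a vif, which is the quick test for whether a DMZ bridge is really isolated from the physical NIC.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the `brctl show` listing posted above, re-typed as input.
BRCTL_OUTPUT = """\
bridge name     bridge id               STP enabled     interfaces
eth0            8000.00146c30c25a       no              vif8.0
                                                        vif7.0
                                                        vif6.0
                                                        vif5.0
                                                        vif4.0
                                                        vif3.0
                                                        vif2.0
                                                        vif1.0
                                                        peth0
virbr0          8000.000000000000       yes
xenbrD          8000.feffffffffff       no              vif11.0
                                                        vif2.1
"""

# Xen backend devices in dom0 are named vif<domid>.<devid>.
VIF_RE = re.compile(r"^vif(\d+)\.(\d+)$")


def parse_brctl(text: str) -> Dict[str, List[str]]:
    """Parse `brctl show` output into {bridge: [member interfaces]}.
    A bridge line carries at most one member in its fourth column; further
    members follow on indented continuation lines."""
    bridges: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("bridge name"):
            continue
        if line[0].isspace():           # continuation line: one more member
            if current is not None:
                bridges[current].append(line.strip())
            continue
        fields = line.split()
        current = fields[0]
        bridges[current] = fields[3:4]  # empty when the bridge has no members
    return bridges


def vif_owner(iface: str) -> Optional[Tuple[int, int]]:
    """Return (domid, devid) for a vif name, None for anything else (peth0, ...)."""
    m = VIF_RE.match(iface)
    return (int(m.group(1)), int(m.group(2))) if m else None


def bridge_domains(bridges: Dict[str, List[str]], bridge: str) -> List[int]:
    """Domain ids that have a vif on this bridge."""
    return sorted({vif_owner(i)[0] for i in bridges.get(bridge, []) if vif_owner(i)})


def non_vif_members(bridges: Dict[str, List[str]], bridge: str) -> List[str]:
    """Members that are not domU vifs: a physical NIC (peth0) or another dom0
    netdev. An isolated DMZ bridge should return an empty list."""
    return [i for i in bridges.get(bridge, []) if vif_owner(i) is None]


def shared_domains(bridges: Dict[str, List[str]], a: str, b: str) -> List[int]:
    """Domains attached to both bridges; in this layout only the firewall domU
    (domid 2: vif2.0 on eth0, vif2.1 on xenbrD) should appear here."""
    return sorted(set(bridge_domains(bridges, a)) & set(bridge_domains(bridges, b)))


if __name__ == "__main__":
    b = parse_brctl(BRCTL_OUTPUT)
    for name in b:
        print(f"{name}: domains {bridge_domains(b, name)}, non-vif members {non_vif_members(b, name)}")
    print("domains bridging eth0 and xenbrD:", shared_domains(b, "eth0", "xenbrD"))
```

On a live dom0 feed the real `brctl show` output to parse_brctl; also check `ip addr show xenbrD`, since dom0 can give the bridge device itself an address even when no NIC is enslaved to it.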
On Wed, 2008-07-16 at 07:19 -0400, Christopher Isip wrote:
> If the dmz is compromised though, the attacker would have access to the dmz bridge and all hosts connected to it, right? This should exclude dom0 since there is no interface in dom0 attached to the dmz bridge (xenbrD). Is this correct?
<snip>

Hmm . . . I'm not sure how this would work. I suppose it might be best to pretend to be the bad guy. If you run a sniffer (tcpdump, wireshark) in promiscuous mode on the DMZ server, what do you see? Anything that would give clues to the internal network?

If you have console access on the DMZ server and you know where you want to go on the internal network (from sniffing the wire), can you get there unfettered? Just a few thoughts. Let me know how you fare :) - John
On Wed, Jul 16, 2008 at 11:26 AM, John A. Sullivan III <jsullivan@opensourcedevel.com> wrote:
> If you have console access on the DMZ server and you know where you want to go on the internal network (from sniffing the wire), can you get there unfettered? Just a few thoughts. Let me know how you fare :) - John
<snip>

You make a good point. I don't know much about interpreting tcpdump output, but I could see that one could glean some information about the LAN network structure from watching tcpdump. I put a drop policy from the Asterisk domU to DMZ as well as from LAN to DMZ. The only pipe open now is the ssh pipe and the https port forward from the internet.

I still would like to know if there is anything I need to do in dom0 for the xenbrD bridge. Or is it already secure by virtue of not having any dom0 interfaces enslaved to it.

Thanks
Chris
> You make a good point. I don't know much about interpreting tcpdump output, ...

...wireshark (gui application) comes to mind (more human readable) - if you can run X...

Vlad