Hi Everyone,

My Xen host currently runs DomUs which contain some very sensitive information, used by our company. I wish to use the same server to host some VMs for some customers. If we assume that networking is set up securely, are there any other risks that I should worry about?

Is Xen secure regarding "breaking out" of the VM?

Thanks

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

On 15/07/10 23:49, Jonathan Tripathy wrote:
> Hi Everyone,
>
> My Xen host currently runs DomUs which contain some very sensitive
> information, used by our company. I wish to use the same server to
> host some VMs for some customers. If we assume that networking is set
> up securely, are there any other risks that I should worry about?
>
> Is Xen secure regarding "breaking out" of the VM?
>
> Thanks

I'm running Xen 3.4.2 on CentOS 5.5 Dom0 by the way.

I have no idea how you could actually PROVE that there's no possible way someone could break out of a dom U into the dom 0. As I've written before, since Xen is out and about in such a large way (being the underpinning of Amazon EC2) that if there was a major risk of this, we'd have seen it happen already.

Vern Burke

SwiftWater Telecom
http://www.swiftwatertel.com
ISP/CLEC Engineering Services
Data Center Services
Remote Backup Services

On 7/15/2010 7:07 PM, Jonathan Tripathy wrote:
>
> On 15/07/10 23:49, Jonathan Tripathy wrote:
>> Hi Everyone,
>>
>> My Xen host currently runs DomUs which contain some very sensitive
>> information, used by our company. I wish to use the same server to
>> host some VMs for some customers. If we assume that networking is set
>> up securely, are there any other risks that I should worry about?
>>
>> Is Xen secure regarding "breaking out" of the VM?
>>
>> Thanks
>
> I'm running Xen 3.4.2 on CentOS 5.5 Dom0 by the way.

On Thu, Jul 15, 2010 at 11:49:02PM +0100, Jonathan Tripathy wrote:
> Hi Everyone,
>
> My Xen host currently runs DomUs which contain some very sensitive
> information, used by our company. I wish to use the same server to
> host some VMs for some customers. If we assume that networking is
> set up securely, are there any other risks that I should worry
> about?

Maybe you should ask yourself this question: what is the cost of using a separate server for your customers' VM, versus the cost of leaking the sensitive information, if anything happens?

Side channel attacks are still a possibility, I think. Leaking information via storage reuse is still a possibility, depending on your storage. So on…

regards,
iustin

Hi Vern,

So you think I should just set up my networking properly and forget about the rest? Do you feel it ok to share the same Xen host with internal VMs with public VMs?

Thanks

On 16/07/10 02:10, Vern Burke wrote:
> I have no idea how you could actually PROVE that there's no possible
> way someone could break out of a dom U into the dom 0. As I've written
> before, since Xen is out and about in such a large way (being the
> underpinning of Amazon EC2) that if there was a major risk of this,
> we'd have seen it happen already.
>
> Vern Burke
>
> SwiftWater Telecom
> http://www.swiftwatertel.com
> ISP/CLEC Engineering Services
> Data Center Services
> Remote Backup Services
>
> On 7/15/2010 7:07 PM, Jonathan Tripathy wrote:
>>
>> On 15/07/10 23:49, Jonathan Tripathy wrote:
>>> Hi Everyone,
>>>
>>> My Xen host currently runs DomUs which contain some very sensitive
>>> information, used by our company. I wish to use the same server to
>>> host some VMs for some customers. If we assume that networking is set
>>> up securely, are there any other risks that I should worry about?
>>>
>>> Is Xen secure regarding "breaking out" of the VM?
>>>
>>> Thanks
>>
>> I'm running Xen 3.4.2 on CentOS 5.5 Dom0 by the way.

On 16/07/10 07:07, Iustin Pop wrote:
> On Thu, Jul 15, 2010 at 11:49:02PM +0100, Jonathan Tripathy wrote:
>
>> Hi Everyone,
>>
>> My Xen host currently runs DomUs which contain some very sensitive
>> information, used by our company. I wish to use the same server to
>> host some VMs for some customers. If we assume that networking is
>> set up securely, are there any other risks that I should worry
>> about?
>>
> Maybe you should ask yourself this question: what is the cost of using a
> separate server for your customers' VM, versus the cost of leaking the
> sensitive information, if anything happens?
>
> Side channel attacks are still a possibility, I think. Leaking
> information via storage reuse is still a possibility, depending on your
> storage. So on…
>
> regards,
> iustin

Can you please explain to me some of these "side channel attacks"?

I've never heard of "storage reuse" before?

Thanks

On Fri, Jul 16, 2010 at 12:49 AM, Jonathan Tripathy <jonnyt@abpni.co.uk> wrote:
> Hi Everyone,
>
> My Xen host currently runs DomUs which contain some very sensitive
> information, used by our company. I wish to use the same server to host some
> VMs for some customers. If we assume that networking is set up securely, are
> there any other risks that I should worry about?
>
> Is Xen secure regarding "breaking out" of the VM?
>
> Thanks

A XEN domU is "just another PC", when it comes to the networking side of things. i.e. a user can "breakout" if he wants to and ultimately you should handle the network security as you would with normal servers.

How do you secure your normal sensitive network server from client servers? Deal with XEN in the same way :) Setup decent firewalling. We actually put some of our sensitive domU's on a different network subnet, and block routing from client VM's to that subnet. So if they wanted to break in, they would have to do it from outside our network, at which point our firewalls take care of the rest.

--
Kind Regards
Rudi Ahlers
SoftDux

Website: http://www.SoftDux.com
Technical Blog: http://Blog.SoftDux.com
Office: 087 805 9573
Cell: 082 554 7532

How do you secure your normal sensitive network server from client servers? Deal with XEN in the same way :) Setup decent firewalling. We actually put some of our sensitive domU's on a different network subnet, and block routing from client VM's to that subnet. So if they wanted to break in, they would have to do it from outside our network, at which point our firewalls take care of the rest.

----------------------------------------------------------------------

Hi Rudi,

Even though all internal and customer (untrusted) VMs are on the same box, there is indeed firewalling between them. I have a pfsense firewall domU set up, as well as iptables on the Dom0, to prevent the public VMs from accessing the internal ones. The public VMs are on a public subnet (which is actually bridged with the "WAN" side of the firewall), while the internal ones are on a private subnet, so breaking in would have to be done from "outside" the firewall as well.

My main concern was some Xen exploit that would allow a DomU user access to Dom0...

Thanks

Jonathan Tripathy wrote:
>Can you please explain to me some of these "side channel attacks"?

At some points, the guest and host are communicating, not to mention that for a lot of the time, the guest is using the processor. If there is a bug in Xen somewhere, then it's conceivable that the guest could exploit this in several ways.

One is simply to subvert the communications between the guest and the host - things like buffer overflows, code injection, etc that could be used to manipulate the host into doing something that it's not supposed to. If a guest can somehow get control of the host then all security is out of the window since the host has "super god" access to everything on the machine.

If the guest can somehow subvert the security settings in the processor then it could break out of its virtual processor jail and have access to the whole machine. Once again, if that happens, then all your security goes out of the window.

Personally I don't think the risks are high, but these are complex systems running complex code. Even the "big boys" can get things wrong - remember the Pentium floating point bug that slipped through all Intel's testing?

>I've never heard of "storage reuse" before?

You have some storage used for task A. Task A is no longer required and you destroy it. You now have a need for Task B and allocate it some storage. Unless you fully wipe the space, then the storage allocated to Task B may contain data previously used by Task A.

This isn't Xen specific, the same thing happens if you reuse any storage in any form without sanitising it first.

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.

Jonathan Tripathy wrote:
>Can you please explain to me some of these "side channel attacks"?

At some points, the guest and host are communicating, not to mention that for a lot of the time, the guest is using the processor. If there is a bug in Xen somewhere, then it's conceivable that the guest could exploit this in several ways.

One is simply to subvert the communications between the guest and the host - things like buffer overflows, code injection, etc that could be used to manipulate the host into doing something that it's not supposed to. If a guest can somehow get control of the host then all security is out of the window since the host has "super god" access to everything on the machine.

If the guest can somehow subvert the security settings in the processor then it could break out of its virtual processor jail and have access to the whole machine. Once again, if that happens, then all your security goes out of the window.

Personally I don't think the risks are high, but these are complex systems running complex code. Even the "big boys" can get things wrong - remember the Pentium floating point bug that slipped through all Intel's testing?

>I've never heard of "storage reuse" before?

You have some storage used for task A. Task A is no longer required and you destroy it. You now have a need for Task B and allocate it some storage. Unless you fully wipe the space, then the storage allocated to Task B may contain data previously used by Task A.

This isn't Xen specific, the same thing happens if you reuse any storage in any form without sanitising it first.

--
Simon Hobson

----------------------------------------------------------------------

Hi Simon,

Regarding storage "reuse", I'm guessing the best thing that I can do is zero an LV (dd if=/dev/zero of=/dev/vg/lvx) before assigning it to a public VM?

Regarding the other things, are there any unpatched known exploits in Xen? I believe that the lady that made the "Blue Pill" found one, but I think that was patched? Is there anything I can do? Or should I just relax?

It's funny that when I was using VMWare ESXi, I (and many others) were happy to mix internal and public VMs on the same machine, all because it was backed by a big company. I'm guessing the same risks apply to Xen as they do VMWare?

Thanks

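Added example, not part of the original thread: the zero-before-reuse step discussed in the messages above, with a read-back check that a bare `dd` does not give you. A regular file stands in for the LV so it runs offline; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): wipe a volume before handing it to a
# new guest, and verify that nothing from the previous user can be read back.
# A regular file stands in for /dev/vg/lvx; all names here are illustrative.

# Size in bytes of a block device or of a regular file.
vol_size() {
    [ -r "$1" ] || return 1
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# Succeeds only if every byte of the volume reads back as zero.
# Any error (missing device, unknown size) counts as "not clean".
is_clean() {
    c_size=$(vol_size "$1") || return 1
    [ -n "$c_size" ] || return 1
    cmp -s -n "$c_size" "$1" /dev/zero
}

# Overwrite the whole volume with zeros. Writing exactly the volume size
# avoids dd's "No space left on device" error exit at the end of a device,
# so a non-zero status here always means a real failure.
wipe_volume() {
    w_size=$(vol_size "$1") || return 1
    [ -n "$w_size" ] || return 1
    head -c "$w_size" /dev/zero | dd of="$1" bs=1M conv=notrunc 2>/dev/null || return 1
    sync
}

# Provisioning gate: wipe, then refuse to hand over unless verified clean.
prepare_for_tenant() {
    wipe_volume "$1" && is_clean "$1"
}

# Demo on constructed data.
demo() {
    img=$(mktemp) || return 1
    # "Task A": a 4 MiB volume with data written 1 MiB in.
    head -c 4194304 /dev/zero > "$img"
    printf 'task-A-secret' | dd of="$img" bs=1 seek=1048576 conv=notrunc 2>/dev/null
    # Volume is released and reallocated unwiped: "Task B" can read the residue.
    echo "task B reads before wipe: $(tr -d '\000' < "$img")"
    if is_clean "$img"; then
        echo "volume is clean"
    else
        echo "volume is NOT clean, do not assign"
    fi
    if prepare_for_tenant "$img"; then
        echo "wiped and verified, safe to assign"
    fi
    rm -f "$img"
}
demo
```

On a real LV the wipe takes time proportional to the volume size, and the read-back in `is_clean` doubles it; the check is what turns "I ran dd" into "the new guest cannot read old data".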
On Fri, Jul 16, 2010 at 3:32 PM, Jonathan Tripathy <jonnyt@abpni.co.uk> wrote:
> I'm guessing the same risks apply to Xen as they do
> VMWare?

in general, yes. As for vendor support, Redhat has been very responsive in fixing whatever security bug that comes up (like http://www.securitytracker.com/alerts/2009/Oct/1022977.html), so if you're concerned about that, I suggest using RHEL/Centos and their bundled Xen/kernel-xen version (which might be somewhat old, but should be sufficient for most uses).

I also suggest you do whatever security measures you normally do in your normal, non-virtual environment. Think of domU as just another server, and dom0 as SAN/switch/router/firewall.

For example, if you never bother to rewrite a SAN's LUN with 0s before reusing it on another host, then I don't see why you should bother writing 0s to an LV that will be used by Xen. Another example, if you're comfortable having a single firewall box and switch used by all traffic on your network (using vlans), then I don't see why you should treat Xen networking differently.

--
Fajar

On Fri, Jul 16, 2010 at 3:32 PM, Jonathan Tripathy <jonnyt@abpni.co.uk> wrote:
> I'm guessing the same risks apply to Xen as they do
> VMWare?

in general, yes. As for vendor support, Redhat has been very responsive in fixing whatever security bug that comes up (like http://www.securitytracker.com/alerts/2009/Oct/1022977.html), so if you're concerned about that, I suggest using RHEL/Centos and their bundled Xen/kernel-xen version (which might be somewhat old, but should be sufficient for most uses).

I also suggest you do whatever security measures you normally do in your normal, non-virtual environment. Think of domU as just another server, and dom0 as SAN/switch/router/firewall.

For example, if you never bother to rewrite a SAN's LUN with 0s before reusing it on another host, then I don't see why you should bother writing 0s to an LV that will be used by Xen. Another example, if you're comfortable having a single firewall box and switch used by all traffic on your network (using vlans), then I don't see why you should treat Xen networking differently.

--
Fajar

----------------------------------------------------------------------

Hi Fajar,

I am using CentOS 5.5 with the stock Xen kernel that came with it, however I'm using Xen 3.4.2 from gitco.de - think this is safe enough?

I'm fairly sure that my network setup is secure. I'm using iptables to prevent IP spoofing, and using ebtables to prevent MAC spoofing. A firewall DomU (pfsense) has WAN, LAN, DMZ and PUBLIC interfaces. WAN and PUBLIC are bridged (For the customers' public VMs). The DMZ subnet only allows certain needed incoming ports from the internet (via NAT port forwarding), and outbound is also restricted to what's only needed. The LAN subnet doesn't allow any incoming ports from the internet. Ports between DMZ and LAN are also only open on a "need to" basis. I've been told that since my Public and DMZ bridges in the Dom0 have no IP addresses, it is impossible for the Dom0 to route traffic between them without going through the firewall DomU.

What do you think?

Thanks

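Added example, not part of the original thread: one way to express the iptables/ebtables anti-spoofing described in the message above for bridged Xen vifs in Dom0. The vif names, MACs and addresses are constructed, and the rule set is an assumption about such a setup, not the poster's actual configuration.

```shell
#!/bin/sh
# Added example (not from the thread): emit per-guest anti-spoofing rules for
# bridged Xen vifs in Dom0. Rules are printed, not applied, so they can be
# reviewed first. The inventory below is constructed.

valid_vif() {
    printf '%s\n' "$1" | grep -Eq '^vif[0-9]+\.[0-9]+$'
}

valid_mac() {
    printf '%s\n' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1                 # split the dotted quad into four octets
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Print the rules that pin one vif to one MAC and one IPv4 address.
# Malformed entries are refused so a typo never becomes a permissive rule.
rules_for_vif() {
    vif=$1; mac=$2; ip=$3
    valid_vif "$vif" && valid_mac "$mac" && valid_ipv4 "$ip" || {
        echo "refusing malformed entry: $vif $mac $ip" >&2
        return 1
    }
    # Layer 2: frames entering from this vif must carry the guest's own MAC.
    echo "ebtables -A FORWARD -i $vif -s ! $mac -j DROP"
    # ARP: the guest may only announce its own IP and MAC in ARP payloads.
    echo "ebtables -A FORWARD -i $vif -p ARP --arp-ip-src ! $ip -j DROP"
    echo "ebtables -A FORWARD -i $vif -p ARP --arp-mac-src ! $mac -j DROP"
    # Layer 3: IPv4 from this vif must use the assigned source address.
    # iptables only sees bridged frames when bridge-nf-call-iptables is on;
    # older iptables releases take "-s ! ADDR" instead of "! -s ADDR".
    echo "iptables -A FORWARD -m physdev --physdev-in $vif ! -s $ip -j DROP"
}

# Constructed inventory: vif, guest MAC, assigned IPv4 (documentation range).
GUESTS='vif3.0 00:16:3e:00:00:03 192.0.2.13
vif4.0 00:16:3e:00:00:04 192.0.2.14'

# Emit rules for every guest; stop at the first malformed entry.
generate_all() {
    printf '%s\n' "$GUESTS" | while read -r g_vif g_mac g_ip; do
        rules_for_vif "$g_vif" "$g_mac" "$g_ip" || exit 1
    done
}

generate_all
```

These rules cover Ethernet source, ARP and IPv4 only; IPv6 from a guest needs its own filtering.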
On Friday 16 July 2010 09:05:43 Jonathan Tripathy wrote:
> Hi Vern,
>
> So you think I should just set up my networking properly and forget
> about the rest? Do you feel it ok to share the same Xen host with
> internal VMs with public VMs?
>
> Thanks
>
> On 16/07/10 02:10, Vern Burke wrote:
> > I have no idea how you could actually PROVE that there's no possible
> > way someone could break out of a dom U into the dom 0. As I've written
> > before, since Xen is out and about in such a large way (being the
> > underpinning of Amazon EC2) that if there was a major risk of this,
> > we'd have seen it happen already.
> >
> > Vern Burke
> >
> > SwiftWater Telecom
> > http://www.swiftwatertel.com
> > ISP/CLEC Engineering Services
> > Data Center Services
> > Remote Backup Services
> >
> > On 7/15/2010 7:07 PM, Jonathan Tripathy wrote:
> >> On 15/07/10 23:49, Jonathan Tripathy wrote:
> >>> Hi Everyone,
> >>>
> >>> My Xen host currently runs DomUs which contain some very sensitive
> >>> information, used by our company. I wish to use the same server to
> >>> host some VMs for some customers. If we assume that networking is set
> >>> up securely, are there any other risks that I should worry about?
> >>>
> >>> Is Xen secure regarding "breaking out" of the VM?
> >>>
> >>> Thanks
> >>
> >> I'm running Xen 3.4.2 on CentOS 5.5 Dom0 by the way.

The "distance" in between the hosts should be maximized, being separate routed networks, separate storage etc to have the risks minimized. Personally, I would not mix the two, unless having spent a LOT of time in isolating things, just as you would do with two physical hosts.

The "distance" in between the hosts should be maximized, being separate routed networks, separate storage etc to have the risks minimized. Personally, I would not mix the two, unless having spent a LOT of time in isolating things, just as you would do with two physical hosts.

----------------------------------------------------------------------

Well even though they are on the same machine, they are indeed on separate routed networks/bridges (Public ones have public IPs, internal ones have private IPs). The VMs will share storage though, however I'll remember to zero the LVs before giving them to customers.

On Friday 16 July 2010 11:24:08 Jonathan Tripathy wrote:
> On Fri, Jul 16, 2010 at 3:32 PM, Jonathan Tripathy <jonnyt@abpni.co.uk> wrote:
> > I'm guessing the same risks apply to Xen as they do
> > VMWare?
>
> in general, yes. As for vendor support, Redhat has been very
> responsive in fixing whatever security bug that comes up (like
> http://www.securitytracker.com/alerts/2009/Oct/1022977.html), so if
> you're concerned about that, I suggest using RHEL/Centos and their
> bundled Xen/kernel-xen version (which might be somewhat old, but
> should be sufficient for most uses).
>
> I also suggest you do whatever security measures you normally do in
> your normal, non-virtual environment. Think of domU as just another
> server, and dom0 as SAN/switch/router/firewall.
>
> For example, if you never bother to rewrite a SAN's LUN with 0s before
> reusing it on another host, then I don't see why you should bother
> writing 0s to an LV that will be used by Xen. Another example, if
> you're comfortable having a single firewall box and switch used by all
> traffic on your network (using vlans), then I don't see why you should
> treat Xen networking differently.
>
> --
> Fajar
>
> ----------------------------------------------------------------------
>
> Hi Fajar,
>
> I am using CentOS 5.5 with the stock Xen kernel that came with it, however
> I'm using Xen 3.4.2 from gitco.de - think this is safe enough?
>
> I'm fairly sure that my network setup is secure. I'm using iptables to
> prevent IP spoofing, and using ebtables to prevent MAC spoofing. A
> firewall DomU (pfsense) has WAN, LAN, DMZ and PUBLIC interfaces. WAN and
> PUBLIC are bridged (For the customers' public VMs). The DMZ subnet only
> allows certain needed incoming ports from the internet (via NAT port
> forwarding), and outbound is also restricted to what's only needed. The
> LAN subnet doesn't allow any incoming ports from the internet. Ports
> between DMZ and LAN are also only open on a "need to" basis. I've been
> told that since my Public and DMZ bridges in the Dom0 have no IP
> addresses, it is impossible for the Dom0 to route traffic between them
> without going through the firewall DomU.
>
> What do you think?
>
> Thanks

Jonathan,

I will "psychologically" shortcut your question :-) : you actually really want to do this and you need approval by someone of the list. This is not a good way to handle this matter. Think of the consequences of a security breach, then think about the expenses to avoid this and then come to a conclusion. What you are doing is bottom-up: you have your infrastructure and you wonder if you can bend it in such a way it will give you peace of mind.

Jonathan, I will "psychologically" shortcut your question :-) : you actually really want to do this and you need approval by someone of the list. This is not a good way to handle this matter. Think of the consequences of a security breach, then think about the expenses to avoid this and then come to a conclusion. What you are doing is bottom-up: you have your infrastructure and you wonder if you can bend it in such a way it will give you peace of mind.

----------------------------------------------------------------------

Bart, I'm asking here because I am not aware of any Xen exploits and breaches, and I am trying to do research. I can't find anything useful on Google. I really do feel that even if I did separate everything onto separate boxes, the matter still wouldn't be resolved, as if one customer "broke out" of their VM, they could steal other customer's data. In fact, I would nearly say that would be worse than if my data was stolen, as if it were my data that was stolen, I would only have myself to blame...

Even separating storage wouldn't really help in this matter, as storage would still be shared among several VMs.

It gets to the stage where the only secure thing to do is to avoid Xen altogether, and offer dedicated servers. Of course, this is not the thing that I want to do.

There are many people on this list that offer VPS hosting services to untrusted customers, and I'm trying to gauge what measures they take (if any) to prevent such exploits. From what I gather, no one does anything, except keep their network secure. As someone mentioned, Amazon EC2 use Xen, and if there was an exploit, we would have heard about it by now...

On Friday 16 July 2010 12:12:45 Jonathan Tripathy wrote:
> Jonathan, I will "psychologically" shortcut your question :-) : you
> actually really want to do this and you need approval by someone of the
> list. This is not a good way to handle this matter. Think of the
> consequences of a security breach, then think about the expenses to avoid
> this and then come to a conclusion. What you are doing is bottom-up: you
> have your infrastructure and you wonder if you can bend it in such a way
> it will give you peace of mind.
>
> ----------------------------------------------------------------------
>
> Bart, I'm asking here because I am not aware of any Xen exploits and
> breaches, and I am trying to do research. I can't find anything useful on
> Google. I really do feel that even if I did separate everything onto
> separate boxes, the matter still wouldn't be resolved, as if one customer
> "broke out" of their VM, they could steal other customer's data. In fact, I
> would nearly say that would be worse than if my data was stolen, as if it
> were my data that was stolen, I would only have myself to blame...
>
> Even separating storage wouldn't really help in this matter, as storage
> would still be shared among several VMs.
>
> It gets to the stage where the only secure thing to do is to avoid Xen
> altogether, and offer dedicated servers. Of course, this is not the thing
> that I want to do.
>
> There are many people on this list that offer VPS hosting services to
> untrusted customers, and I'm trying to gauge what measures they take (if
> any) to prevent such exploits. From what I gather, no one does anything,
> except keep their network secure. As someone mentioned, Amazon EC2 use
> Xen, and if there was an exploit, we would have heard about it by now...

I think the challenges are bigger than with separate physical boxes. You have to approach from a theoretical point of view. It's not that because there are no breaches or exploits today, that there will never be. The theory is this: maximum seclusion is maximum security. Two separate boxes in two separate networks in let's say two separate buildings (physical security is also part of the game) will be the most secure. Xen presents an exception to this: the seclusion is created by software. In theory it is the same thing as physical seclusion, until the software fails or is compromised.

Another thing is human error: you WILL make mistakes. One of those mistakes may open the wrong port, erase the wrong LUN, bridge the wrong NIC. I've done quite some security in my time and the biggest problem is always human error. We need to humbly acknowledge this.

In short: it's certainly a bigger risk, but the consequences of compromising your server might lead you to accept this risk.

I think the challenges are bigger than with separate physical boxes. You have to approach from a theoretical point of view. It's not that because there are no breaches or exploits today, that there will never be. The theory is this: maximum seclusion is maximum security. Two separate boxes in two separate networks in let's say two separate buildings (physical security is also part of the game) will be the most secure. Xen presents an exception to this: the seclusion is created by software. In theory it is the same thing as physical seclusion, until the software fails or is compromised.

Another thing is human error: you WILL make mistakes. One of those mistakes may open the wrong port, erase the wrong LUN, bridge the wrong NIC. I've done quite some security in my time and the biggest problem is always human error. We need to humbly acknowledge this.

In short: it's certainly a bigger risk, but the consequences of compromising your server might lead you to accept this risk.

----------------------------------------------------------------------

I 100% agree with you on this :) By splitting things up, you can limit the "damage zone". And I can see what you mean about the human area - you really need your head screwed on when working with all this stuff!

Do people on this list generally trust Xen with their private data, mixed with public VMs? The folks over at Slicehost, Amazon etc.. seem to...

On Friday 16 July 2010 12:27:46 Jonathan Tripathy wrote:
> I think the challenges are bigger than with separate physical boxes. You
> have to approach from a theoretical point of view. It's not that because
> there are no breaches or exploits today, that there will never be. The
> theory is this: maximum seclusion is maximum security. Two separate boxes
> in two separate networks in let's say two separate buildings (physical
> security is also part of the game) will be the most secure. Xen presents
> an exception to this: the seclusion is created by software. In theory it
> is the same thing as physical seclusion, until the software fails or is
> compromised.
> Another thing is human error: you WILL make mistakes. One of those mistakes
> may open the wrong port, erase the wrong LUN, bridge the wrong NIC.
> I've done quite some security in my time and the biggest problem is always
> human error. We need to humbly acknowledge this.
> In short: it's certainly a bigger risk, but the consequences of
> compromising your server might lead you to accept this risk.
>
> ----------------------------------------------------------------------
>
> I 100% agree with you on this :) By splitting things up, you can limit the
> "damage zone". And I can see what you mean about the human area - you
> really need your head screwed on when working with all this stuff!
>
> Do people on this list generally trust Xen with their private data, mixed
> with public VMs? The folks over at Slicehost, Amazon etc.. seem to...

I would be surprised if Amazon does this. Only their management stuff will be connected to the public infrastructure.

________________________________

From: Bart Coninckx [mailto:bart.coninckx@telenet.be]
Sent: Fri 16/07/2010 11:39
To: Jonathan Tripathy
Cc: xen-users@lists.xensource.com
Subject: Re: [Xen-users] Xen Security

On Friday 16 July 2010 12:27:46 Jonathan Tripathy wrote:
> I think the challenges are bigger than with separate physical boxes. You
> have to approach from a theoretical point of view. It's not that because
> there are no breaches or exploits today, that there will never be. The
> theory is this: maximum seclusion is maximum security. Two separate boxes
> in two separate networks in let's say two separate buildings (physical
> security is also part of the game) will be the most secure. Xen presents
> an exception to this: the seclusion is created by software. In theory it
> is the same thing as physical seclusion, until the software fails or is
> compromised.
> Another thing is human error: you WILL make mistakes. One of those mistakes
> may open the wrong port, erase the wrong LUN, bridge the wrong NIC.
> I've done quite some security in my time and the biggest problem is always
> human error. We need to humbly acknowledge this.
> In short: it's certainly a bigger risk, but the consequences of
> compromising your server might lead you to accept this risk.
>
> ----------------------------------------------------------------------
>
> I 100% agree with you on this :) By splitting things up, you can limit the
> "damage zone". And I can see what you mean about the human area - you
> really need your head screwed on when working with all this stuff!
>
> Do people on this list generally trust Xen with their private data, mixed
> with public VMs? The folks over at Slicehost, Amazon etc.. seem to...

I would be surprised if Amazon does this. Only their management stuff will be connected to the public infrastructure.

----------------------------------------------------------------------

Ah, sorry I wasn't suggesting that Amazon's web shop runs on their EC2 cloud. I was just simply stating that Amazon seem to trust Xen with a mixture of customer VMs, that's all

On Friday 16 July 2010 12:41:23 Jonathan Tripathy wrote:
> > I would be surprised if Amazon does this. Only their management stuff will
> > be connected to the public infrastructure.
>
> Ah, sorry I wasn't suggesting that Amazon's web shop runs on their EC2
> cloud. I was just simply stating that Amazon seem to trust Xen with a
> mixture of customer VMs, that's all

Well, I suppose it's somewhere in their general conditions that their liability will be limited.

On Fri, Jul 16, 2010 at 5:27 PM, Jonathan Tripathy <jonnyt@abpni.co.uk> wrote:
> Do people on this list generally trust Xen with their private data, mixed
> with public VMs? The folks over at Slicehost, Amazon etc.. seem to...

"mixed" as in having an "intranet only" VM and a "public facing" VM in the same dom0 box? Yes.

Anyway, like Bart mentioned, "seclusion is created by software. In theory it is the same thing as physical seclusion, until the software fails or is compromised." IMHO the risk is no bigger than (say) having an L2 switch separate public and private network with VLANs. There is some risk involved, and you have to decide whether you can accept it or not.

--
Fajar

On Fri, Jul 16, 2010 at 5:27 PM, Jonathan Tripathy <jonnyt@abpni.co.uk> wrote:
> Do people on this list generally trust Xen with their private data, mixed
> with public VMs? The folks over at Slicehost, Amazon etc.. seem to...

"mixed" as in having an "intranet only" VM and a "public facing" VM in the same dom0 box? Yes.

Anyway, like Bart mentioned, "seclusion is created by software. In theory it is the same thing as physical seclusion, until the software fails or is compromised." IMHO the risk is no bigger than (say) having an L2 switch separate public and private network with VLANs. There is some risk involved, and you have to decide whether you can accept it or not.

--
Fajar

---------------------------------------------------------------------------

I think this sums it up pretty well! We could even go as far as saying that the firewall which separates our DMZ/LAN could have unknown flaws.

Anyway, I'm sure if something show-stopping comes up, I'm guessing this list will be the first to hear about it!

Bart, good point on the liability issue.

Does Xen 4.0 have any security fixes compared to 3.4.2? Or is 4.0 more about features (which could potentially create more holes)?

Cheers

I did NOT say that. Like much of the current discussion about cloud security, it comes down to degree of likely. You are FAR more likely to have a VM hacked directly as the result of lousy system admin practices than you are some remote theoretical possibility of someone breaching the hypervisor.

In my opinion, unless you're storing nuclear launch codes, keep the cloud/hypervisor up to date, keep the guest OS up to date, and follow system admin best practices and the chances of being hacked are vanishingly small.

Vern

Vern Burke, SwiftWater Telecom, http://www.swiftwatertel.com

-----Original Message-----
From: Jonathan Tripathy <jonnyt@abpni.co.uk>
Sender: xen-users-bounces@lists.xensource.com
Date: Fri, 16 Jul 2010 08:05:43
To: Vern Burke<vburke@skow.net>; <Xen-users@lists.xensource.com>
Subject: Re: [Xen-users] Xen Security

Hi Vern,

So you think I should just set up my networking properly and forget about the rest? Do you feel it ok to share the same Xen host with internal VMs with public VMs?

Thanks

Thanks Vern,

I can indeed keep my VMs up to date, however the customers will be in charge of their VMs so I can't upgrade theirs, however I think this is a moot point as they will have root access anyway.

I should probably upgrade my Xen 3.4.2 to 3.4.3 then?

Thanks

________________________________
From: Vern Burke [mailto:vburke@skow.net]
Sent: Fri 16/07/2010 12:25
To: Jonathan Tripathy; xen-users-bounces@lists.xensource.com; Xen-users@lists.xensource.com
Subject: Re: [Xen-users] Xen Security

I did NOT say that. Like much of the current discussion about cloud security, it comes down to degree of likely. You are FAR more likely to have a VM hacked directly as the result of lousy system admin practices than you are some remote theoretical possibility of someone breaching the hypervisor.

In my opinion, unless you're storing nuclear launch codes, keep the cloud/hypervisor up to date, keep the guest OS up to date, and follow system admin best practices and the chances of being hacked are vanishingly small.

Vern

I like all the posts, they are very good. I know that using a jail for a virtual machine is a solution for some security problems, like a virtual machine with a less secure service such as a DNS server. I have read about Xen 4.0, but the installation needs a kernel rebuild, and it sounds like rebuilding the kernel is very dangerous for the security of the kernel. How do I install the new version, Xen 4.0, without rebuilding the kernel?

On Fri, Jul 16, 2010 at 8:59 AM, Jonathan Tripathy <jonnyt@abpni.co.uk> wrote:
> Thanks Vern,
>
> I can indeed keep my VMs up to date, however the customers will be in
> charge of their VMs so I can't upgrade theirs, however I think this is a
> moot point as they will have root access anyway.
>
> I should probably upgrade my Xen 3.4.2 to 3.4.3 then?
>
> Thanks

--
Bruno Steven - Systems administrator.

I'd keep it up to snuff, yes. I myself test ran each XCP release candidate and then upgraded to the final 0.5.0 release within 24 hours of each becoming available.

I really shudder to see people recommending running old 3.0.3 and 3.2.x releases because that's what happens to get thrown in with the particular Linux distribution. I think it's bad news.

Vern Burke

SwiftWater Telecom
http://www.swiftwatertel.com
Xen Cloud Control System
http://www.xencloudcontrol.com

On 7/16/2010 7:59 AM, Jonathan Tripathy wrote:
> Thanks Vern,
> I can indeed keep my VMs up to date, however the customers will be in
> charge of their VMs so I can't upgrade theirs, however I think this is a
> moot point as they will have root access anyway.
> I should probably upgrade my Xen 3.4.2 to 3.4.3 then?
> Thanks

As of now, is 3.4.3 free of known exploits? I understand what you are saying about 3.0.3 and 3.2.x as they have a couple of bad exploits...

Cheers

________________________________
From: Vern Burke [mailto:vburke@skow.net]
Sent: Fri 16/07/2010 14:15
To: Jonathan Tripathy
Cc: Xen-users@lists.xensource.com
Subject: Re: [Xen-users] Xen Security

I'd keep it up to snuff, yes. I myself test ran each XCP release candidate and then upgraded to the final 0.5.0 release within 24 hours of each becoming available.

I really shudder to see people recommending running old 3.0.3 and 3.2.x releases because that's what happens to get thrown in with the particular Linux distribution. I think it's bad news.

Vern Burke

All technical aspects aside, if something is that sensitive, common sense should kick in and tell you it's not a good idea. The mere fact that someone is coming to the list shows they already have doubts. I don't think any answer from the list will give them the warm fuzzy feeling that they are looking for. Also, when it comes to your clients, are you really going to be telling your clients that the xen mailing list told you so? :) I think the technical aspects such as vulnerabilities or bugs shouldn't even be a factor here, those will always be possible.

On Fri, Jul 16, 2010 at 9:32 AM, Jonathan Tripathy <jonnyt@abpni.co.uk> wrote:
> As of now, is 3.4.3 free of known exploits? I understand what you are saying
> about 3.0.3 and 3.2.x as they have a couple of bad exploits...
>
> Cheers

All I'm doing is asking on the mailing list about the security aspects of Xen. I am aware that bugs will always exist, however I need to make sure that Xen isn't in a "broken" state regarding Domain isolation.

Sounds to me as if it's pretty secure :)

________________________________
From: chris [mailto:tknchris@gmail.com]
Sent: Fri 16/07/2010 14:35
To: Jonathan Tripathy
Cc: Vern Burke; Xen-users@lists.xensource.com
Subject: Re: [Xen-users] Xen Security

All technical aspects aside, if something is that sensitive, common sense should kick in and tell you it's not a good idea. The mere fact that someone is coming to the list shows they already have doubts. I don't think any answer from the list will give them the warm fuzzy feeling that they are looking for. Also, when it comes to your clients, are you really going to be telling your clients that the xen mailing list told you so? :) I think the technical aspects such as vulnerabilities or bugs shouldn't even be a factor here, those will always be possible.

In fact, to go into a little detail while I think Xen is very secure:

I've been reading a lot of papers and slides from InvisibleThings. They present a lot of ways you can "own" Xen. All of their exploits require root access to the Dom0. And the couple of exploits that they describe to breaking out of DomU in the Dom0 have been patched, so I'm pretty convinced that as long as you keep the Dom0 safe, you're good.

Honestly though, why bother with exploits when you have access to Dom0??

Cheers

> "mixed" as in having an "intranet only" VM and a "public facing" VM in
> the same dom0 box? Yes.

Fajar,

I was meaning to ask you: would you trust "internal" VMs and "Customer Controlled" VMs on the same box?

Thanks

>One is simply to subvert the communications between the guest and the
>host - things like buffer overflows, code injection, etc

Hi Simon,

You say "simply", however isn't it actually quite difficult to do the things you mentioned? Reading on the CVE lists, there doesn't seem to be any current known possible exploits?

Again, I'm just trying to gauge how secure Xen is, and how much the experts (you guys) trust it.

Thanks

Jonathan Tripathy wrote:
>> One is simply to subvert the communications between the guest and the
>> host - things like buffer overflows, code injection, etc
>
> Hi Simon,
>
> You say "simply", however isn't it actually quite difficult to do the things you mentioned? Reading on the CVE lists, there doesn't seem to be any current known possible exploits?
>
> Again, I'm just trying to gauge how secure Xen is, and how much the experts (you guys) trust it.
>
> Thanks

The "Xen Security" subject always creates a firestorm each time it hits the list; and each time there are a plethora of opinions based on both real and imagined exploits, etc. None of the opinions are necessarily wrong. The bottom line is that you have to judge for yourself how/if you buy each argument.

Personally, we use Xen in a strictly paravirtualized environment, Linux only on both Dom0 and DomU's and each server (Dom0 or DomU) is individually firewalled with iptables based on the service, source and destination IPs. Our machines' packages are checked monthly, unless a vulnerability in a service is announced sooner than that. This system has worked well for us for 2.5 plus years. The key to that statement is "worked well for us." Your mileage may vary.

Thanks,

--
Steven G. Spencer, Network Administrator
KSC Corporate - The Kelly Supply Family of Companies
Office 308-382-8764 Ext. 231
Mobile 308-380-7957

Jonathan Tripathy wrote:
> >One is simply to subvert the communications between the guest and the
> >host - things like buffer overflows, code injection, etc
>
>You say "simply", however isn't it actually quite difficult to do
>the things you mentioned? Reading on the CVE lists, there doesn't
>seem to be any current known possible exploits?

I've no idea how hard or otherwise such things are to do, I didn't mean to imply it's simple to do, but I'd imagine it's a relatively simple attack vector to use.

OK, it's a different scale of things to SQL Injection where you've a website passing user-supplied data to a backend database (via the website scripting), but you've still got an open communications channel where the guest OS can exchange messages with the host (OS and/or Xen). Find a bug in the handling of those messages and you've an open attack vector.

Having an open communications channel is half of the battle - without it you need to crack two things, find a flaw in the system AND find a way of getting in to exploit it.

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.

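The point in the reply above about bugs in host-side handling of guest messages, as an added C example that is not part of the original thread and is not Xen code. The message layout and all names (`guest_msg`, `handle_guest_msg`, `MSG_MAX_PAYLOAD`) are hypothetical; the handler shows the checks whose absence turns the channel into a buffer overflow.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical guest-to-host message layout (assumption, not Xen's ring ABI). */
#define MSG_MAX_PAYLOAD 64

struct guest_msg {
    uint16_t type;                     /* guest-controlled */
    uint16_t len;                      /* guest-controlled claimed payload size */
    uint8_t  payload[MSG_MAX_PAYLOAD]; /* guest-controlled */
};

enum { MSG_TYPE_ECHO = 1, MSG_TYPE_LIMIT = 2 };
enum { MSG_OK = 0, MSG_ERR_TRUNCATED = -1, MSG_ERR_TYPE = -2, MSG_ERR_LENGTH = -3 };

/* Host-side handler for one message read from memory the guest can write.
 * Returns MSG_OK and fills out/out_len, or a negative error without copying. */
int handle_guest_msg(const void *shared, size_t shared_size,
                     uint8_t *out, size_t out_size, size_t *out_len)
{
    struct guest_msg snap;

    if (shared_size < sizeof(snap))
        return MSG_ERR_TRUNCATED;
    /* Copy once, then validate the private copy: checking the shared page and
     * re-reading it later would let the guest change len after the check. */
    memcpy(&snap, shared, sizeof(snap));

    if (snap.type == 0 || snap.type >= MSG_TYPE_LIMIT)
        return MSG_ERR_TYPE;

    /* A handler that trusted snap.len here would copy up to 65535 bytes out
     * of a 64-byte payload into a caller buffer of unknown size. */
    if (snap.len > MSG_MAX_PAYLOAD || snap.len > out_size)
        return MSG_ERR_LENGTH;

    memcpy(out, snap.payload, snap.len);
    *out_len = snap.len;
    return MSG_OK;
}
```
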
On Sat, Jul 17, 2010 at 12:11 AM, ABPNI <jonnyt@abpni.co.uk> wrote:
> I was meaning to ask you: would you trust "internal" VMs and "Customer
> Controlled" VMs on the same box?

Security wise? Yes.

--
Fajar