Re: [Xen-devel] LXR-type source code browsing
> Like you, we have an internal LXR server.
>
> I've never been very convinced about the security of LXR. Do you reckon
> we'd get away with running one on the public internet? Do you know
> whether lxr.linpro.no have had problems?
>
> We're planning on setting up the wiki and bugzilla each in their own VM
> with snort running in domain 0 to scrutinize the traffic. I guess we
> could add lxr to the mix and see what happens...
>
> Ian

Your suggestion to use snort in dom0 sounds like a great way to keep track of what is going on in the other domains. It sparks my interest in taking part in the discussion, as I have been thinking through the best ways to use Xen to create a higher level of trust in my systems.

Because security of dom0 seems of the utmost importance, I have been inclined to do less in dom0, rather than more. I have been thinking of making only ssh available from the outside, even protecting the ssh port with port knocking. I would use dom0 for compiling new xen/linux kernels, for managing the other domains (as with the xm command), and for running iptables, which would run in dom0 to protect all the other domains. I would also do filesystem integrity checking within dom0 and send syslog to a remote server. Outside of those duties, I don't think dom0 needs to do much for me.

Given that approach to using dom0 in a more tightly controlled way, the only other vectors of attack upon dom0, as I see them, would be these scenarios:

1) network attack via iptables or on the tcp/ip stack itself (unlikely)
2) virtual machine attack on a vulnerability that allows access to dom0 (unlikely)
3) tcp session hijacking of an ssh session

So, by using dom0 as a special-purpose domain, the risk of compromising the entire system would be minimized.

Would it perhaps be even better to run snort in an unprivileged domain, using iptables to feed traffic to that domain?

Incidentally, why isn't iptables support built into the default xen/linux kernels? iptables seems a natural fit with a project that can do so much for system security.

Thanks to everyone working on this wonderful project.

Shane

_______________________________________________
Xen-devel mailing list
https://lists.sourceforge.net/lists/listinfo/xen-devel
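As an added illustration of the "do less in dom0" layout Shane describes above (this is not code from the thread or from the Xen project): a minimal dom0 ruleset in which dom0 itself accepts only ssh from a management network, everything bound for the unprivileged domains is policed in the FORWARD chain, and drops are logged so they reach the remote syslog host. The interface name, the management network, the guest address and the forwarded port are assumptions chosen for the example. The script prints the rules by default so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example: a small default-deny iptables policy for a dom0 that only
# offers ssh and otherwise just forwards traffic to its guests.
# All names and addresses below are assumptions for illustration only.
EXT_IF="${EXT_IF:-eth0}"                 # assumed: dom0's outward-facing interface
MGMT_NET="${MGMT_NET:-10.0.0.0/24}"      # assumed: network allowed to ssh into dom0
WIKI_DOMU="${WIKI_DOMU:-192.168.1.10}"   # assumed: address of the wiki guest domain

# emit_rules prints the iptables commands rather than running them, so the
# whole ruleset can be inspected (or diffed against the last version) first.
emit_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F INPUT
iptables -F FORWARD
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $EXT_IF -p tcp --dport 22 -s $MGMT_NET -m state --state NEW -j ACCEPT
iptables -A INPUT -j LOG --log-prefix "dom0-drop: " --log-level 4
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $EXT_IF -d $WIKI_DOMU -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A FORWARD -j LOG --log-prefix "domU-drop: " --log-level 4
EOF
}

# apply_rules executes the emitted commands; run this only as root on dom0.
apply_rules() {
    emit_rules | while read -r cmd; do
        eval "$cmd"
    done
}

# count_rules returns the number of appended (-A) rules in the named chain,
# a cheap self-check that no rule was lost when the ruleset is edited.
count_rules() {
    emit_rules | grep -c "^iptables -A $1 "
}

# Print the ruleset unless APPLY=1 is set explicitly.
if [ "${APPLY:-0}" = "1" ]; then
    apply_rules
else
    emit_rules
fi
```

The two LOG rules sit last in their chains, so anything that reaches them is about to hit the DROP policy; with syslog forwarded off-box as the message suggests, those lines are what survive if dom0 itself is later tampered with. Whether bridged guest traffic is visible to the FORWARD chain at all depends on the kernel's bridge-netfilter support, so the forwarding rules should be verified against a real guest before relying on them.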