[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] Ideal(istic) Xen firewall design



Hi Dirk and Mike,

Dirk H. Schulz wrote:
> Hi Mike,
> 
> Mike Tierney schrieb:
> 
>> But it is still tempting to just do away with the seperate firewall vm
>> and
>> do all the firewalling in Dom0!
>>  
>>

Having got my Firewall domain working reasonably well I'd have to say that
I wouldn't go back! :) Extremely handy being able to create a Firewall,
restart it, swap in another version ... all without having to restart
my other domains!



> There is one more reason to put the firewall into a guest system: The
> guests use the smaller kernels (without hardware support etc.), so there
> is less possibility of kernel bugs that can be used to crack the
> firewall. It is more of a statistic perspective but with firewalling
> everything should be used to avoid leaks, I think.
> 

The firewall domain _does_ have hardware support (ie. network cards),
so I'm not sure if your logic applies.
(ie. Firewall still has DMA)
But, still, everything else is/can be virtualised, so it's still a step
up from a dom0 (IMHO).

Marcus.

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.