Re: [Xen-users] Ideal(istic) Xen firewall design
Hi Dirk and Mike,

Dirk H. Schulz wrote:
> Hi Mike,
>
> Mike Tierney wrote:
>
>> But it is still tempting to just do away with the separate firewall vm
>> and do all the firewalling in Dom0!

Having got my Firewall domain working reasonably well I'd have to say that I wouldn't go back! :) Extremely handy being able to create a Firewall, restart it, swap in another version ... all without having to restart my other domains!

> There is one more reason to put the firewall into a guest system: The
> guests use the smaller kernels (without hardware support etc.), so there
> is less possibility of kernel bugs that can be used to crack the
> firewall. It is more of a statistical perspective but with firewalling
> everything should be used to avoid leaks, I think.

The firewall domain _does_ have hardware support (i.e. network cards), so I'm not sure if your logic applies. (i.e. Firewall still has DMA)

But, still, everything else is/can be virtualised, so it's still a step up from a dom0 (IMHO).

Marcus.

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users