On Tue, Nov 11, 2008 at 09:16:30PM -0800, Bill Werner wrote:
> Can a hardware NIC act as a dedicated interface to A, and be tied
> directly to the virtual instance of A, so that no IP is plumbed in
> C, so there is no attack vector from outside forces directly able to
> get to C?

I think that 'C' is the dom0 container - is that right? If so, you can
'dedicate' a NIC in C to guest A, though you still have to run the
backend/frontend drivers at the moment[1]. There are two ways to do it:
        - don't plumb the relevant NIC in C and just let the tools
          create a VNIC over the top for A,
        - don't plumb the relevant NIC in C and have the backend
          driver open the NIC directly (no VNIC).

The first of these is the simplest, as it requires little change to
your configuration. There's a small overhead from using the VNIC code
when you don't need it (as you're not sharing the NIC).

In this configuration a root user in C can still snoop the underlying
physical NIC, but it won't be plumbed into the IP stack.

> Can a virtual interface be created between Virtual instance A and
> the host network C and stick IPFilter into it to act as a second
> layer of defense in case A is breached?

This should work, but I've not tested it in a long time. Getting the
configuration right will be tricky.

You should really run no services in C, perhaps not even plumb any IP
interfaces there at all, because anything that runs there is a
potential attack vector for the guest domains. dom0 has free access to
the guest domains if the attacker is prepared to spend some time.

Footnotes: 
[1]  This will change with the Direct IO project, which will allow
     guest A to directly access a PCI device.
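An added audit helper, not from this thread or from the xVM tools, for the first configuration described above (NIC left unplumbed in C, VNIC created over it for A). It parses constructed samples of Solaris `ifconfig -a` and `dladm show-vnic` output from dom0 and reports if the dedicated NIC carries an IP address in C or has no (or more than one) VNIC over it. The sample output and the NIC names (`e1000g0`, `e1000g1`, `vnic0`) are made up, and the column layout assumed for `dladm show-vnic` follows the Crossbow builds of that era; adjust the parser if yours differs.

```python
"""Audit: confirm a physical NIC dedicated to a guest is not plumbed in dom0 (C)."""
import re

# Constructed sample of `ifconfig -a` from dom0; e1000g0 is the admin NIC,
# e1000g1 (dedicated to guest A) is deliberately absent because it is unplumbed.
IFCONFIG_A = """\
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
e1000g0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.0.2.10 netmask ffffff00 broadcast 192.0.2.255
"""

# Constructed sample of `dladm show-vnic`; column layout is an assumption.
DLADM_SHOW_VNIC = """\
LINK         OVER         SPEED  MACADDRESS           MACADDRTYPE         VID
vnic0        e1000g1      1000   2:8:20:ab:cd:ef      random              0
"""


def plumbed_interfaces(ifconfig_text):
    """Return {ifname: [addresses]} for every interface plumbed into the IP stack.

    Logical interfaces such as e1000g0:1 are folded into their physical name.
    """
    result = {}
    current = None
    for line in ifconfig_text.splitlines():
        head = re.match(r"^(\S+?)(?::\d+)?: flags=", line)
        if head:
            current = head.group(1)
            result.setdefault(current, [])
            continue
        addr = re.match(r"^\s+inet6?\s+(\S+)", line)
        if addr and current:
            result[current].append(addr.group(1))
    return result


def vnics_over(dladm_text):
    """Return {vnic_name: underlying_link} from `dladm show-vnic` output."""
    mapping = {}
    for line in dladm_text.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) >= 2:
            mapping[parts[0]] = parts[1]
    return mapping


def audit_dedicated_nic(nic, ifconfig_text, dladm_text):
    """Return a list of findings; empty means the NIC looks correctly dedicated.

    Checks only that dom0 has no IP on the NIC and that exactly one VNIC rides
    on it. It cannot detect a root user in dom0 snooping the raw link.
    """
    findings = []
    plumbed = plumbed_interfaces(ifconfig_text)
    if nic in plumbed:
        addrs = ", ".join(plumbed[nic]) or "no address yet"
        findings.append(f"{nic} is plumbed in dom0 ({addrs}); IP stack is reachable")
    over = [v for v, link in vnics_over(dladm_text).items() if link == nic]
    if not over:
        findings.append(f"no VNIC exists over {nic}; guest has no path to it")
    elif len(over) > 1:
        findings.append(f"{nic} is shared by several VNICs: {', '.join(over)}")
    return findings


if __name__ == "__main__":
    for nic in ("e1000g1", "e1000g0"):
        print(nic, audit_dedicated_nic(nic, IFCONFIG_A, DLADM_SHOW_VNIC) or ["ok"])
```

On a live dom0 you would feed it the real command output (`ifconfig -a` and `dladm show-vnic`) instead of the embedded samples; a clean result for the dedicated NIC corresponds to the state the reply describes, where C has nothing plumbed on that link and only the VNIC for A sits on top of it.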

_______________________________________________
xen-discuss mailing list