> I think that 'C' is the dom0 container - is that
> right? 

Yes.  Here's a better copy, I hope... Someone emailed me on how to not get my 
text butchered; let's see if it works...

<pre>
Current:
 Inet --> IPF A --> IPF B --> internal net
          DNS      SRSS
          SQL      SGD
          WWW      Samba
                   NFS
                   OtherApps

Desired:
          |-----------------------|
          |                       |
 Inet ----|--> IPF A              |
          |        Ve             |
          |        |              |
          |        |              |
          |      IPF(v)           |
          |       (Vi)            |
          |        |              |
          |        |         B    |
          |   C----|         |    |
          |        |         |    |
          |        |---------|----->Internal net
          |                       |
          |-----------------------|
</pre>


> - don't plumb the relevant NIC in C and just let the
> e tools

> The first of these is the simplest, as it requires little change to
> your configuration. There's a small overhead from using the VNIC code
> when you don't need it (as you're not sharing the NIC).
>
> In this configuration a root user in C can still snoop the underlying
> physical NIC, but it won't be plumbed into the IP stack.

Thanks...I'll probably go with that method then.  Since it's connected to an 
Internet connection, performance isn't a huge issue.

B won't be in a hostile environment, but performance is important there.

> > Can a virtual interface be created between Virtual instance A and
> > the host network C and stick IPFilter into it to act as a second
> > layer of defense in case A is breached?
>
> This should work, but I've not tested it in a long time. Getting the
> configuration right will be tricky.

Any pointers to any documentation on where to start?  How to set up virtual 
interfaces, etc.?
 
> You should really run no services in C, perhaps not even plumb any IP
> interfaces there at all, because anything that runs there is a
> potential attack vector for the guest domains. dom0 has free access to
> the guest domains if the attacker is prepared to spend some time.

Agreed.  And that's the way we are doing our LDOMs at work (except we are 
plumbing IPs in the control domains).  But for a SOHO server, I'm not as 
worried about it...And that's why I want the virtual IPF layer between A and C.

>
> Footnotes:
> [1]  This will change with the Direct IO project, which will allow
>      guest A to directly access a PCI device.

This stuff is just sooo cool.  I wish it were getting here faster!
-- 
This message posted from opensolaris.org
_______________________________________________
xen-discuss mailing list
[email protected]
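As an added illustration of the "IPF(v)" hop in the desired diagram above (this is example material, not code from the thread or from the Xen/OpenSolaris projects), the script below emits an IPFilter ruleset for the virtual link between guest A and the B/internal side, with dom0 (C) left without a plumbed address as the quoted reply recommends. The interface names (`vnic_a`, `vnic_b`), the address ranges, and the set of permitted services are assumptions constructed for the example; the `dladm`/`ipf` commands in the trailing comment are the OpenSolaris Crossbow and IPFilter tools and are shown only as the assumed apply step.

```shell
#!/bin/sh
# Added example: IPFilter policy for the IPF(v) layer between guest A and
# the internal side. All names and networks below are assumptions.

A_IF=vnic_a         # assumed: virtual link facing guest A (the "Ve" side)
B_IF=vnic_b         # assumed: virtual link toward guest B / internal net
A_NET=10.1.0.0/24   # constructed: addresses behind IPF A
B_NET=10.2.0.0/24   # constructed: internal net where B lives

# gen_ipf_rules prints an ipf.conf. IPFilter evaluates rules top to bottom
# and the last match wins unless a rule says "quick", so the non-quick
# block rules at the top are the default and the quick pass rules below
# are the only holes. Blocked packets are logged so a breach of A shows
# up in ipmon output on the C side.
gen_ipf_rules() {
    cat <<EOF
# --- IPF(v): second layer of defense behind IPF A ---
# default deny on both virtual interfaces, logged
block in log on $A_IF all
block out log on $A_IF all
block in log on $B_IF all
block out log on $B_IF all

# anti-spoofing: packets arriving from A's link may not claim an internal
# source, and internal packets may not claim an A-side source
block in log quick on $A_IF from $B_NET to any
block in log quick on $B_IF from $A_NET to any

# only the services the internal side actually publishes to A:
# SMB (Samba) and NFS, stateful so replies are matched without extra rules
pass in quick on $A_IF proto tcp from $A_NET to $B_NET port = 445 flags S keep state
pass in quick on $A_IF proto tcp from $A_NET to $B_NET port = 2049 flags S keep state

# nothing initiated from the internal side needs to reach A's link here,
# so no pass rules on $B_IF; the defaults above drop and log it.
EOF
}

# count_pass_rules returns how many holes the policy opens; a quick sanity
# check before loading so an edit does not silently widen the policy.
count_pass_rules() {
    gen_ipf_rules | grep -c '^pass '
}

gen_ipf_rules

# Assumed apply step on the dom0 side (not run here):
#   dladm create-vnic -l <physical-or-etherstub> vnic_a
#   dladm create-vnic -l <physical-or-etherstub> vnic_b
#   gen_ipf_rules > /etc/ipf/ipf.conf && ipf -Fa -f /etc/ipf/ipf.conf
```

The point of the two anti-spoofing rules is the failure mode the thread worries about: if A is breached, an attacker in A cannot forge internal-net source addresses through IPF(v), and the logged default deny on both virtual interfaces gives dom0 a record of what A tried.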