Joe Knall wrote:
Hi all,
Imagine an FTP server and a web server running in two Xen virtual machines on one box. Now say the FTP server is hacked and the attacker gains root privileges. How much does Xen protect the other VM (web server) against the attacker? Is it as if the web server was running on a different physical box? In /usr/share/doc/packages/xen the main focus seems to be flexibility rather than security. Anyone with experience?

Running services in separate virtual machines does provide you with *some* security protection, but with 2 major limits:

1. The security of the containment provided by Xen is questionable. Xen 2.0.6 when attacked by crashme lives for only seconds
   http://lists.xensource.com/archives/html/xen-devel/2005-08/msg00103.html
   That means that if you feed "strange" sequences of instructions to a Xen virtual machine, then unpredictable things can happen. Some of those surprising things amount to a way to escape from the virtual machine, which means that it is relatively easy for attackers to find an exploit that would let them hack you. This vulnerability is *conjectured*, but there is no assurance of security either.
2. Virtual machines provide you with *isolation*, which is not very flexible. For instance, if you have the FTP server on a separate VM than your web server, then you cannot use the FTP server to update the web pages.

In contrast, Novell AppArmor was designed specifically for the purpose of securely confining things like your FTP and web servers. I actually presented a tutorial on exactly this topic at Novell Brainshare last week in Barcelona. Here is the official page
https://www28.cplan.com/novell_91_cv/session_details.jsp?isid=274760&ilocation_id=91-1&ilanguage=english
and here is a copy of the talk
http://crispincowan.com/~crispin/TUT304_final.sxi

Crispin

--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
Director of Software Engineering, Novell http://novell.com