Using Xen / Jail to Secure a Webserver/Workstation
I am trying to run a personal web server on a computer that will also be used for normal day-to-day use. I know this is not the best security practice, but I don't have an option to buy another computer. I will be running a 2.6 Hardened Kernel with grsecurity and PaX enabled.
I have a few questions about securing this setup:
1) So far I've been looking into using Xen to run three virtual systems -- one with extremely restricted functionality that will be used for the web server, one for system administration, and one for the regular users that contains only programs like openoffice, irssi, Firefox, and an xterm. Is there any reason that this won't work? Is there a better way to go about separating the system into these three roles?
2) Can I set it up so that each of the virtual machines has its own firewall with unique settings? i.e. only allowing the web server VM to take INPUT on port 80, while the desktop VM wouldn't be able to listen on port 80, but could send on it, and the sysadmin VM could only talk on localhost and send rsync traffic etc.?
3) Within the Xen VM that is set up for the regular users, I was planning on setting up a chroot() environment, using jail, to lock down any network connected applications that they have access to. The only network connected applications that regular users will have access to will be irssi (irc chat), and Mozilla Firefox. Would I benefit from putting these programs inside of a chroot jail? Are there more effective, or additional ways that I could run these applications in a sandboxed environment?
I would also appreciate any other suggestions (even if they aren't related to the questions above) related to running applications in a restricted environment and securing this type of setup. How would you go about it?
Last edited by jrtayloriv; 01-11-2008 at 04:40 PM.
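As an added example for question 2 (this is not code from the original post or its author), the following script shows one per-role iptables policy for the three Xen guests: each VM applies its own ruleset inside itself, so the web server only accepts new inbound connections on tcp/80 and opens none outbound, the desktop VM opens outbound connections but accepts none inbound (so nothing it listens on, port 80 included, is reachable), and the sysadmin VM talks only to loopback and to an admin network over rsync-over-ssh. The admin network 192.168.1.0/24, the choice of ssh (tcp/22) as the rsync transport, and the outbound ports allowed to the desktop are assumptions; DRY_RUN=1 (the default) prints the rules instead of applying them.

```shell
#!/bin/sh
# Per-role iptables policy for three Xen guests (webserver, desktop, sysadmin).
# Each VM runs this on its own, with a default-deny policy in both directions.
# Assumed (constructed) values: admin network 192.168.1.0/24, rsync over ssh.
# DRY_RUN=1 (default) echoes the iptables commands instead of executing them.

ADMIN_NET="${ADMIN_NET:-192.168.1.0/24}"
DRY_RUN="${DRY_RUN:-1}"

# Wrapper so the same functions can either print or apply a rule.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Shared base: flush, drop everything by default, permit loopback and
# replies to connections the VM itself initiated.
base_rules() {
    ipt -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP
    ipt -A INPUT  -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
}

# Web server VM: new inbound connections only to tcp/80; no new outbound
# connections at all, so a compromised httpd cannot reach out to the network.
webserver_rules() {
    base_rules
    ipt -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
}

# Desktop VM: may open outbound web/irc/dns connections (Firefox, irssi),
# accepts no new inbound connection, so a listener on port 80 is unreachable.
desktop_rules() {
    base_rules
    ipt -A OUTPUT -p tcp -m multiport --dports 80,443,6667 -m state --state NEW -j ACCEPT
    ipt -A OUTPUT -p udp --dport 53 -j ACCEPT
}

# Sysadmin VM: loopback plus rsync-over-ssh (assumed tcp/22) to the admin network.
sysadmin_rules() {
    base_rules
    ipt -A OUTPUT -p tcp --dport 22 -d "$ADMIN_NET" -m state --state NEW -j ACCEPT
}

# Emit (or apply) the ruleset for one role.
rules_for() {
    case "$1" in
        webserver) webserver_rules ;;
        desktop)   desktop_rules ;;
        sysadmin)  sysadmin_rules ;;
        *) echo "unknown role: $1" >&2; return 1 ;;
    esac
}

# Sanity check: how many rules in a role's ruleset accept NEW inbound
# connections. Only the web server should have any.
inbound_accepts() {
    ( DRY_RUN=1; rules_for "$1" ) | grep -c -- '-A INPUT .*--state NEW' || true
}

# Usage: DRY_RUN=0 sh firewall.sh webserver   (run as root inside that VM)
if [ $# -ge 1 ]; then
    rules_for "$1"
fi
```

Run it once with the default DRY_RUN=1 and read the printed rules before applying them for real; the OUTPUT DROP policy on the web server is the part most worth keeping, because it limits what an attacker who gets code execution through the web application can do with the network even before the Xen boundary comes into play.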