LinuxQuestions.org (/questions/)
-   Linux - Server (https://www.linuxquestions.org/questions/linux-server-73/)
-   -   Xen - Firewall, DMZ and local server on one box (https://www.linuxquestions.org/questions/linux-server-73/xen-firewall-dmz-and-local-server-on-one-box-707990/)

healyma 02-27-2009 08:36 AM

Xen - Firewall, DMZ and local server on one box
 
Hi folks,
just a quick question (hopefully) regarding Xen. Ignoring hardware requirements (NICs, CPU and mem etc.), is it possible/advisable to use Xen (or other virtualisation software) to run a firewall/proxy, DMZ/extranet server and local/intranet server on one box?

e.g. Server with 2+ NICs, 1 used for firewall <-> internet, 1 used for intranet server/asterisk or whatever (and Xen domain-0) <-> local network and a virtual NIC between DMZ/extranet server and firewall.

I'm really just interested in the security implications of such a set-up as opposed to using 3 physical servers; the actual server can be specced to meet the various requirements.

Thanks
Mark
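The layout in the question, as an added example (not from the thread or from Xen itself): a small check over classic-format Xen domU configs that flags any guest other than the firewall reaching the internet side or straddling two segments. The bridge names, domain names, the PCI address and the config fragments are constructed assumptions; the `vif`/`pci` syntax is the classic Xen domU config format.

```python
# Added example (not from the thread): a segmentation check for the single-box
# layout healyma describes. Bridge names, domain names and the config
# fragments below are constructed assumptions; the vif/pci syntax is the
# classic Xen domU config format.
import re

WAN_BR, DMZ_BR, LAN_BR = "xenbr0", "xenbr1", "xenbr2"   # assumed bridge names
FIREWALL = "fw"                                          # the only dual-homed domU

# Constructed domU config fragments. The firewall takes the internet NIC by
# PCI passthrough (so dom0 never bridges WAN frames) plus a vif on the DMZ
# and LAN bridges; the two servers each sit on exactly one bridge.
GOOD = {
    "fw":  "pci = ['00:19.0']\nvif = ['bridge=xenbr1', 'bridge=xenbr2']\n",
    "dmz": "vif = ['bridge=xenbr1']\n",
    "lan": "vif = ['bridge=xenbr2']\n",
}
# Same layout with a common shortcut: the DMZ guest also gets a LAN leg
# "for backups", which silently bypasses the firewall.
BAD = dict(GOOD, dmz="vif = ['bridge=xenbr1', 'bridge=xenbr2']\n")

def segments(config_text):
    """Bridges a domU touches; a passed-through PCI NIC counts as the WAN."""
    brs = set(re.findall(r"bridge=(\w+)", config_text))
    if re.search(r"^\s*pci\s*=", config_text, re.M):
        brs.add(WAN_BR)
    return brs

def check_topology(configs):
    """Return violations of: only the firewall may reach the WAN or span
    more than one segment. An empty list means the layout is consistent."""
    problems = []
    for name, text in configs.items():
        segs = segments(text)
        if name == FIREWALL:
            continue
        if WAN_BR in segs:
            problems.append(f"{name}: reaches the WAN without the firewall")
        if len(segs) > 1:
            problems.append(f"{name}: spans {sorted(segs)}, bypassing the firewall")
    return problems

if __name__ == "__main__":
    for label, cfg in (("good", GOOD), ("bad", BAD)):
        print(label, check_topology(cfg) or "ok")
```

The check only covers the guest configs; it says nothing about whether dom0 itself has an address on a bridge, which is the exposure Triflin's reply is worried about.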

kentyler 02-27-2009 09:40 AM

It may be possible but I would not do it. What do I know, I've only been doing Linux since it was developed.

healyma 02-27-2009 09:44 AM

wow - that was helpful!!

Can anyone else offer anything a bit more detailed?

Triflin 02-27-2009 11:04 AM

This really does not feel like a good idea. There is something unsettling about so many possible [non-network] connections between your intranet and the big scary interwebs. All it would take, at least in theory, is a nice fat buffer overflow vulnerability to allow arbitrary code to be passed from your firewall to your other servers. Not using para-virtualization could potentially limit the possibility of that, but that's a considerable performance hit.

My suggestion in this case would be to stick with two servers of a slightly lower spec than you would use for the original machine.

Server1: Firewall/Extranet server. You may use xen for this machine, but it's not entirely necessary as this device is sitting on the edge of your network anyways.
Server2: Intranet server. You should use xen on this machine. Stick with dom0 for your initial setup, and add virts as necessary.

healyma 02-27-2009 11:21 AM

Hi triflin,
Thanks for that. Para-virtualisation, that's where Xen shares physical devices rather than mimicking them in s/w, isn't it? I can see how this might cause a problem as the virtual machines aren't as isolated as they would be with the more traditional virtual infrastructure, and as you mentioned, disabling this feature would mean a pretty substantial performance hit (I think I read somewhere that the overhead will typically increase from 3-4% to about 30% on an entry level server).

That's perfect, thanks again

Mark
