LinuxQuestions.org
Old 02-27-2009, 08:36 AM   #1
healyma
Member
 
Registered: Feb 2009
Location: Mayo, Ireland
Distribution: LFS 6.4; Debian 5.4; Mythbuntu & Kubuntu 10.04
Posts: 49

Rep: Reputation: 19
Xen - Firewall, DMZ and local server on one box


Hi folks,
just a quick question (hopefully) regarding Xen. Ignoring hardware requirements (NICs, CPU and mem etc.), is it possible/advisable to use Xen (or other virtualisation software) to run a firewall/proxy, DMZ/extranet server and local/intranet server on one box.

e.g. Server with 2+ NICs, 1 used for firewall <-> internet, 1 used for intranet server/asterisk or whatever (and Xen domain-0) <-> local network and a virtual NIC between DMZ/extranet server and firewall.

I'm really just interested in the security implications of such a set-up as opposed to using 3 physical servers, the actual server can be specced to meet the various requirements.

Thanks
Mark
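An added example, not from anyone in this thread: a small script that reads the `vif = [...]` lines of Xen domU configs and checks the segmentation the first post describes, i.e. only the firewall domU may have a vif on the WAN bridge, and every other guest sits on exactly one bridge. The bridge names (xenbr-wan, xenbr-dmz, xenbr-lan) and the sample configs are assumptions made up for the example.

```python
import re

# Constructed sample domU configs (xl/xm syntax) for the three guests the
# thread talks about. Bridge names are assumptions, not Xen defaults.
# The intranet guest is deliberately misconfigured with a second vif on
# the WAN bridge so the check has something to find.
DOMAIN_CONFIGS = {
    "firewall": "name = 'firewall'\n"
                "vif = [ 'bridge=xenbr-wan', 'bridge=xenbr-dmz', 'bridge=xenbr-lan' ]\n",
    "dmzweb":   "name = 'dmzweb'\nvif = [ 'bridge=xenbr-dmz' ]\n",
    "intranet": "name = 'intranet'\nvif = [ 'bridge=xenbr-lan', 'bridge=xenbr-wan' ]\n",
}

VIF_LIST_RE = re.compile(r"vif\s*=\s*\[(.*?)\]", re.S)
BRIDGE_RE = re.compile(r"bridge=([\w.-]+)")


def bridges_of(config_text):
    """Return the set of bridge names used by a domU config's vif list."""
    m = VIF_LIST_RE.search(config_text)
    return set(BRIDGE_RE.findall(m.group(1))) if m else set()


def check_segmentation(configs, firewall, wan_bridge):
    """Return a list of violations of the firewall-in-the-middle layout.

    Rules checked:
      * the firewall domU must have a vif on the WAN bridge;
      * no other domU may touch the WAN bridge at all;
      * every non-firewall domU sits on exactly one bridge, so a guest
        can never act as an accidental path between two segments.
    """
    problems = []
    for name, text in configs.items():
        bridges = bridges_of(text)
        if name == firewall:
            if wan_bridge not in bridges:
                problems.append(f"{name}: firewall has no vif on {wan_bridge}")
            continue
        if wan_bridge in bridges:
            problems.append(f"{name}: non-firewall guest attached to {wan_bridge}")
        if len(bridges) != 1:
            problems.append(f"{name}: sits on {len(bridges)} bridges {sorted(bridges)}")
    return problems


if __name__ == "__main__":
    for p in check_segmentation(DOMAIN_CONFIGS, "firewall", "xenbr-wan"):
        print("VIOLATION:", p)
```

With the sample configs the script reports both problems on the intranet guest and nothing for the other two.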
 
Old 02-27-2009, 09:40 AM   #2
kentyler
Member
 
Registered: Dec 2008
Location: Newark Ohio
Distribution: Fedora Core
Posts: 270

Rep: Reputation: 38
It may be possible but I would not do it. What do I know, I've only been doing Linux since it was developed.
 
Old 02-27-2009, 09:44 AM   #3
healyma
Member
 
Registered: Feb 2009
Location: Mayo, Ireland
Distribution: LFS 6.4; Debian 5.4; Mythbuntu & Kubuntu 10.04
Posts: 49

Original Poster
Rep: Reputation: 19
wow - that was helpful!!

Can anyone else offer anything a bit more detailed?
 
Old 02-27-2009, 11:04 AM   #4
Triflin
LQ Newbie
 
Registered: Feb 2009
Posts: 7

Rep: Reputation: 1
This really does not feel like a good idea. There is something unsettling about so many possible [non-network] connections between your intranet and the big scary interwebs. All it would take, at least in theory, is a nice fat buffer overflow vulnerability to allow arbitrary code to be passed from your firewall to your other servers. Not using para-virtualization could potentially limit the possibility of that, but that's a considerable performance hit.

My suggestion in this case would be to stick with two servers of a slightly lower spec than you would use for the original machine.

Server1: Firewall/Extranet server. You may use xen for this machine, but it's not entirely necessary as this device is sitting on the edge of your network anyways.
Server2: Intranet server. You should use xen on this machine. Stick with dom0 for your initial setup, and add virts as necessary.
 
Old 02-27-2009, 11:21 AM   #5
healyma
Member
 
Registered: Feb 2009
Location: Mayo, Ireland
Distribution: LFS 6.4; Debian 5.4; Mythbuntu & Kubuntu 10.04
Posts: 49

Original Poster
Rep: Reputation: 19
Hi triflin,
Thanks for that. Para-virtualisation, that's where Xen shares physical devices rather than mimicking them in s/w - isn't it? I can see how this might cause a problem as the virtual machines aren't as isolated as they would be with the more traditional virtual infrastructure, and as you mentioned, disabling this feature would mean a pretty substantial performance hit (I think I read somewhere that the overhead will typically increase from 3-4% to about 30% on an entry level server).

That's perfect, thanks again

Mark
 
All times are GMT -5. The time now is 06:54 PM.