Linux - Server: This forum is for the discussion of Linux software used in a server-related context.
02-27-2009, 09:36 AM | #1
Member | Registered: Feb 2009 | Location: Mayo, Ireland | Distribution: LFS 6.4; Debian 5.4; Mythbuntu & Kubuntu 10.04 | Posts: 49
Xen - Firewall, DMZ and local server on one box
Hi folks,
just a quick question (hopefully) regarding Xen. Ignoring hardware requirements (NICs, CPU and mem etc.), is it possible/advisable to use Xen (or other virtualisation software) to run a firewall/proxy, DMZ/extranet server and local/intranet server on one box?
e.g. Server with 2+ NICs, 1 used for firewall <-> internet, 1 used for intranet server/asterisk or whatever (and Xen domain-0) <-> local network and a virtual NIC between DMZ/extranet server and firewall.
I'm really just interested in the security implications of such a set-up as opposed to using 3 physical servers; the actual server can be specced to meet the various requirements.
Thanks
Mark
02-27-2009, 10:40 AM | #2
Member | Registered: Dec 2008 | Location: Newark Ohio | Distribution: Fedora Core | Posts: 270
It may be possible, but I would not do it. What do I know? I've only been doing Linux since it was developed.
02-27-2009, 10:44 AM | #3
Member | Registered: Feb 2009 | Location: Mayo, Ireland | Distribution: LFS 6.4; Debian 5.4; Mythbuntu & Kubuntu 10.04 | Posts: 49 | Original Poster
Wow - that was helpful!!
Can anyone else offer anything a bit more detailed?
02-27-2009, 12:04 PM | #4
LQ Newbie | Registered: Feb 2009 | Posts: 7
This really does not feel like a good idea. There is something unsettling about so many possible [non-network] connections between your intranet and the big scary interwebs. All it would take, at least in theory, is a nice fat buffer overflow vulnerability to allow arbitrary code to be passed from your firewall to your other servers. Not using para-virtualization could potentially limit the possibility of that, but that's a considerable performance hit.
My suggestion in this case would be to stick with two servers of a slightly lower spec than you would use for the original machine.
Server1: Firewall/Extranet server. You may use Xen for this machine, but it's not entirely necessary as this device is sitting on the edge of your network anyway.
Server2: Intranet server. You should use Xen on this machine. Stick with dom0 for your initial setup, and add virts as necessary.
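The two layouts under discussion (the one-box Xen layout from post #1 and the two-box split from post #4) can be written down and checked mechanically. The script below is an added example, not code posted by anyone in this thread. It models bridges and domUs, renders the `vif = [ 'bridge=...' ]` lines an xm/xl domU config would carry, and runs the isolation checks a reviewer would apply: only the firewall domU may straddle zones, dom0 must hold no address on the internet-facing bridge, nothing but the firewall sits on that bridge, the DMZ bridge has no physical uplink of its own, and (post #4's objection) no intranet domU shares a hypervisor with a WAN-facing domU. Bridge names (`xenbr-wan`, `b1-wan`, ...), NIC names (`eth0`, `eth1`), host names (`box1`, `box2`), domain names, and the firewall's leg on the LAN bridge are assumptions chosen for illustration; the question does not spell them out.

```python
"""Isolation checks for the Xen layouts in this thread: the one-box layout from
the question and the two-box split from reply #4.  Added example, not code from
the thread; bridge, NIC, host and domain names are assumptions for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

WAN, DMZ, LAN = "wan", "dmz", "lan"   # the three zones the question describes

@dataclass
class Bridge:
    name: str                            # dom0 bridge that the vifs attach to
    zone: str
    host: str = "box1"                   # physical machine the bridge lives on
    physical_nic: Optional[str] = None   # enslaved physical NIC; None = virtual-only
    dom0_has_ip: bool = False            # does dom0 itself hold an address here?

@dataclass
class Domain:
    name: str
    vifs: List[str] = field(default_factory=list)   # bridges this domU sits on
    host: str = "box1"

def zones_of(dom, bridges):
    return {bridges[b].zone for b in dom.vifs}

def check_layout(bridges: Dict[str, Bridge], domains: List[Domain],
                 firewall: str = "fw") -> List[str]:
    """Return findings; empty means every zone boundary runs only through the
    firewall domU and no intranet domU shares a hypervisor with a WAN-facing one."""
    findings = []
    for d in domains:                                   # 1. only fw spans zones
        z = zones_of(d, bridges)
        if d.name != firewall and len(z) > 1:
            findings.append(f"{d.name} straddles zones {sorted(z)}")
    for b in bridges.values():
        if b.zone == WAN:
            if b.dom0_has_ip:                           # 2. dom0 kept off the internet
                findings.append(f"dom0 holds an address on WAN bridge {b.name}")
            for d in domains:                           # 3. only fw on the WAN bridge
                if d.name != firewall and b.name in d.vifs:
                    findings.append(f"{d.name} is attached to WAN bridge {b.name}")
        if b.zone == DMZ and b.physical_nic:            # 4. DMZ has no uplink of its own
            findings.append(f"DMZ bridge {b.name} has physical NIC {b.physical_nic}")
    wan_hosts = {d.host for d in domains if WAN in zones_of(d, bridges)}
    lan_hosts = {d.host for d in domains               # 5. reply #4's objection
                 if d.name != firewall and zones_of(d, bridges) == {LAN}}
    for h in sorted(wan_hosts & lan_hosts):
        findings.append(f"intranet domU shares hypervisor {h} with a WAN-facing domU")
    return findings

def xl_vif_config(dom: Domain) -> str:
    """Network lines of an xm/xl domU config; vif = [ 'bridge=...' ] is Xen syntax."""
    vifs = ", ".join(f"'bridge={b}'" for b in dom.vifs)
    return f"name = '{dom.name}'\nvif = [ {vifs} ]\n"

def one_box_layout():
    """The question's layout: eth0 -> firewall, eth1 -> intranet and dom0, virtual-only
    bridge between firewall and DMZ.  The firewall's LAN leg is assumed."""
    bridges = {
        "xenbr-wan": Bridge("xenbr-wan", WAN, physical_nic="eth0"),
        "xenbr-dmz": Bridge("xenbr-dmz", DMZ),
        "xenbr-lan": Bridge("xenbr-lan", LAN, physical_nic="eth1", dom0_has_ip=True),
    }
    domains = [Domain("fw", ["xenbr-wan", "xenbr-dmz", "xenbr-lan"]),
               Domain("dmz-www", ["xenbr-dmz"]),
               Domain("intranet", ["xenbr-lan"])]
    return bridges, domains

def sloppy_one_box_layout():
    """Two easy mistakes: dom0 addressed on the WAN bridge, DMZ server also on LAN."""
    bridges, domains = one_box_layout()
    bridges["xenbr-wan"].dom0_has_ip = True
    domains[1].vifs.append("xenbr-lan")
    return bridges, domains

def two_box_layout():
    """Reply #4's split: box1 runs firewall + DMZ, box2 runs the intranet; box1's
    eth1 cables to box2's LAN, so the only zone crossing is inside the firewall."""
    bridges = {
        "b1-wan": Bridge("b1-wan", WAN, "box1", physical_nic="eth0"),
        "b1-dmz": Bridge("b1-dmz", DMZ, "box1"),
        "b1-lan": Bridge("b1-lan", LAN, "box1", physical_nic="eth1"),
        "b2-lan": Bridge("b2-lan", LAN, "box2", physical_nic="eth0", dom0_has_ip=True),
    }
    domains = [Domain("fw", ["b1-wan", "b1-dmz", "b1-lan"], "box1"),
               Domain("dmz-www", ["b1-dmz"], "box1"),
               Domain("intranet", ["b2-lan"], "box2")]
    return bridges, domains

if __name__ == "__main__":
    for label, fn in (("one box", one_box_layout), ("sloppy one box", sloppy_one_box_layout),
                      ("two boxes", two_box_layout)):
        print(f"{label}: {check_layout(*fn()) or 'no findings'}")
    print(xl_vif_config(one_box_layout()[1][0]))
```

Run it as-is and the one-box layout passes every network-level check but still produces one finding, the shared-hypervisor one, which is exactly the distinction the thread turns on: the bridges can be wired correctly and the intranet domU is still one hypervisor bug away from the firewall. The two-box layout clears all five checks. Note that these checks say nothing about what runs inside dom0; a dom0 that holds an address on the LAN bridge (as in the one-box layout) is itself a LAN host sharing the machine with the firewall.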
02-27-2009, 12:21 PM | #5
Member | Registered: Feb 2009 | Location: Mayo, Ireland | Distribution: LFS 6.4; Debian 5.4; Mythbuntu & Kubuntu 10.04 | Posts: 49 | Original Poster
Hi triflin,
Thanks for that. Para-virtualisation, that's where Xen shares physical devices rather than mimicking them in s/w, isn't it? I can see how this might cause a problem as the virtual machines aren't as isolated as they would be with the more traditional virtual infrastructure, and as you mentioned, disabling this feature would mean a pretty substantial performance hit (I think I read somewhere that the overhead will typically increase from 3-4% to about 30% on an entry-level server).
That's perfect, thanks again
Mark