Hi folks,
just a quick question (hopefully) regarding Xen. Ignoring hardware requirements (NICs, CPU and mem etc.), is it possible/advisable to use Xen (or other virtualisation software) to run a firewall/proxy, DMZ/extranet server and local/intranet server on one box?
e.g. Server with 2+ NICs, 1 used for firewall <-> internet, 1 used for intranet server/asterisk or whatever (and Xen domain-0) <-> local network, and a virtual NIC between DMZ/extranet server and firewall.
I'm really just interested in the security implications of such a set-up as opposed to using 3 physical servers; the actual server can be specced to meet the various requirements.
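As an added example (not from the original thread and not Xen's own documentation), the two-NIC, three-guest layout described above expressed as dom0 bridge plumbing plus xl guest configs, with a small check that the intranet guest has no bridge in common with the firewall or DMZ guests. The NIC names eth0/eth1, the bridge names xenbr-wan/xenbr-lan/xenbr-dmz, the guest names fw/dmz/intranet, the volume group vg0 and the 192.0.2.10 address are all constructed placeholders.

```shell
#!/bin/sh
# Added example: one-box Xen layout with a firewall guest bridging WAN and DMZ,
# a DMZ guest on an internal-only bridge, and an intranet guest on the LAN bridge.
# All names and addresses below are constructed placeholders (assumption).

# Emit an xl guest config.  $1 = guest name, remaining args = bridge names.
gen_domu_cfg() {
    name="$1"; shift
    vifs=""
    for br in "$@"; do
        vifs="${vifs}${vifs:+, }'bridge=${br}'"
    done
    cat <<EOF
name = "${name}"
memory = 512
vcpus = 1
disk = [ 'phy:/dev/vg0/${name},xvda,w' ]
vif = [ ${vifs} ]
EOF
}

# Print the bridge names referenced by an xl config (passed as a string), one per line.
bridges_of() {
    printf '%s\n' "$1" \
        | sed -n "s/.*vif = \[\(.*\)\].*/\1/p" \
        | tr ',' '\n' \
        | sed -n "s/.*bridge=\([^']*\).*/\1/p"
}

# Return 0 when two guest configs share a bridge, i.e. have a direct layer-2 path.
# The intranet guest must share nothing with fw or dmz; fw and dmz share only xenbr-dmz.
share_bridge() {
    for a in $(bridges_of "$1"); do
        for b in $(bridges_of "$2"); do
            [ "$a" = "$b" ] && return 0
        done
    done
    return 1
}

# dom0-side bridge plumbing (needs root; only run when invoked as "apply").
# eth0 is enslaved to xenbr-wan with no dom0 address on it, so dom0 is not an
# IP endpoint on the internet side; only the firewall guest has a foot there.
apply_bridges() {
    for br in xenbr-wan xenbr-lan xenbr-dmz; do
        ip link add name "$br" type bridge
        ip link set "$br" up
    done
    ip link set eth0 master xenbr-wan       # internet NIC -> firewall guest only
    ip link set eth1 master xenbr-lan       # LAN NIC -> dom0 and intranet guest
    # xenbr-dmz has no physical NIC: it exists only between the fw and dmz guests.
    ip addr add 192.0.2.10/24 dev xenbr-lan # constructed dom0 management address
    sysctl -w net.ipv4.ip_forward=0         # dom0 must never route between bridges
}

case "$1" in
    apply) apply_bridges ;;
    *)
        gen_domu_cfg fw xenbr-wan xenbr-dmz
        gen_domu_cfg dmz xenbr-dmz
        gen_domu_cfg intranet xenbr-lan
        ;;
esac
```

Run without arguments to print the three guest configs; `sh script.sh apply` creates the bridges in dom0. The point the check encodes is that the only path from the internet to the intranet guest is through the firewall guest's two vifs; dom0 holds no address on the WAN bridge and has forwarding disabled, so a compromise of the firewall guest still has to cross the hypervisor boundary rather than a plain bridge.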
This really does not feel like a good idea. There is something unsettling about so many possible [non-network] connections between your intranet and the big scary interwebs. All it would take, at least in theory, is a nice fat buffer overflow vulnerability to allow arbitrary code to be passed from your firewall to your other servers. Not using para-virtualization could potentially limit the possibility of that, but that's a considerable performance hit.
My suggestion in this case would be to stick with two servers of a slightly lower spec than you would use for the original machine.
Server1: Firewall/Extranet server. You may use Xen for this machine, but it's not entirely necessary as this device is sitting on the edge of your network anyway.
Server2: Intranet server. You should use Xen on this machine. Stick with dom0 for your initial setup, and add virts as necessary.
Hi triflin,
Thanks for that. Para-virtualisation, that's where Xen shares physical devices rather than mimicking them in s/w, isn't it? I can see how this might cause a problem as the virtual machines aren't as isolated as they would be with the more traditional virtual infrastructure, and as you mentioned, disabling this feature would mean a pretty substantial performance hit (I think I read somewhere that the overhead will typically increase from 3-4% to about 30% on an entry level server).