# Using Xen/Jail to Secure Webserver/Workstation

## jrtayloriv

I am trying to run a personal web server on a computer that will also be used for normal day-to-day use. I know this is not the best security practice, but I don't have an option to buy another computer. I will be running a 2.6 Hardened Kernel with grsecurity && PaX enabled.

I have a few questions about securing this setup:

1) So far I've been looking into using Xen to run three virtual systems -- one with extremely restricted functionality that will be used for the webserver, one for system administration, and one for the regular users that contains only programs like openoffice, irssi, firefox, and an xterm. Is there any reason that this won't work? Is there a better way to go about separating the system into these three roles?

2) Can I set it up so that each of the virtual machines has its own firewall with unique settings? i.e. only allowing the webserver VM to take INPUT on port 80, while the desktop VM wouldn't be able to listen on port 80, but could send on it, and the sysadmin VM could only talk on localhost and send rsync traffic etc?

3) Within the Xen VM that is set up for the regular users, I was planning on setting up a chroot() environment, using jail, to lock down any network connected applications that they have access to. The only network connected applications that regular users will have access to will be irssi (irc chat), and Mozilla Firefox. Would I benefit from putting these programs inside of a chroot jail? Are there more effective, or additional ways that I could run these applications in a sandboxed environment?

I would also appreciate any other suggestions (even if they aren't related to the questions above) related to running applications in a restricted environment and securing this type of setup. How would you go about it?

Thanks,

jrtayloriv

----------

## jrtayloriv

And I had two more questions concerning the firewall:

4) As far as the virtual machine that is running the firewall -- is this any less secure than running the firewall on a completely separate box? That is, if I were to route all WWW communications to/from the internal network (including the Apache server that is in a VM on the same box) through this VM, would that provide as much security?

5) Does running the firewall in a VM increase security compared to if I just ran the webserver and the firewall on the same VM?

----------

## Karma T. Foxx

Depending on what you mean by firewall, I would recommend using a separate machine or VM as this will give an attacker one more 'machine' he must compromise to get to your 'internal' network.

----------

